
Rule: RDS DB Instances Should Prohibit Public Access

This rule checks that RDS DB instances are not publicly accessible, so that databases holding regulated data are reachable only from inside the VPC and from authorized networks.

Rule: RDS DB instances should prohibit public access
Framework: GxP 21 CFR Part 11
Severity: High

Rule Description

RDS (Amazon Relational Database Service) DB instances should be configured to prohibit public access in order to support the requirements of GxP (the family of "good practice" quality regulations for life sciences) and 21 CFR (Code of Federal Regulations) Part 11, the FDA rule on electronic records and electronic signatures. In RDS this is governed by the instance's PubliclyAccessible attribute. When it is true, the instance is assigned a public IP address and its endpoint name resolves to that address from outside the VPC, so anyone whose traffic is admitted by the attached security groups can reach the database engine over the internet. When it is false, the endpoint resolves only to a private IP address inside the VPC. Setting the attribute to false, and keeping security group ingress limited to authorized sources, ensures that DB instances hosting sensitive data are not reachable by unauthorized entities over the public internet.

Troubleshooting Steps

If public access is detected for RDS DB instances hosting GxP data, perform the following steps to troubleshoot and enforce the required security configuration:

  1. Identify the affected RDS DB instances by reviewing the database inventory or contacting the database administrators, and confirm for each one whether its PubliclyAccessible attribute is true; that attribute is what the rule evaluates.
  2. Confirm whether the instances are actually reachable from the public internet by checking the associated security groups and network configuration. An instance is exposed only when PubliclyAccessible is true, it sits in a subnet whose route table has a route to an internet gateway, and a security group admits the database port from the internet.
  3. Verify that proper network ingress rules are in place and restrict access to authorized IP ranges or specific security groups. Inbound rules with a source of 0.0.0.0/0 or ::/0 on the database port, or an all-traffic rule (protocol -1), indicate public exposure.
  4. Check for recent configuration changes (for example ModifyDBInstance calls recorded in AWS CloudTrail) that might have inadvertently enabled public accessibility or widened a security group.
  5. Review the associated route tables, DB subnet group, and network access control lists (ACLs) to ensure they are configured to prevent public access. Placing the instance in private subnets with no internet gateway route removes the path even if the attribute is later switched back on.
  6. Check how the instance endpoint resolves. The RDS endpoint hostname always exists; it resolves to a public IP address from outside the VPC only when PubliclyAccessible is true, and to the private address only when the attribute is false.
  7. Validate that proper authentication mechanisms, such as database credentials (username/password) or IAM database authentication, are enforced for any remote connection to the DB instance. Authentication mitigates but does not replace network isolation.

Necessary Codes

The following AWS CLI commands enforce the required configuration. The rule is evaluated on the instance's PubliclyAccessible attribute, so swapping security groups alone does not clear the finding; the attribute must be set to false and the ingress rules tightened.

  1. Set the PubliclyAccessible attribute to false and, in the same call, attach only security groups that restrict ingress to authorized sources:
aws rds modify-db-instance \
    --db-instance-identifier <db-instance-identifier> \
    --no-publicly-accessible \
    --vpc-security-group-ids <security-group-ids> \
    --apply-immediately

Replace <db-instance-identifier> with the relevant DB instance identifier and <security-group-ids> with the desired security group IDs (space-separated). The --vpc-security-group-ids list replaces the instance's current groups rather than adding to them, so include every group the instance still needs. --apply-immediately keeps the change from being deferred to the next maintenance window.

  2. To revoke public access, remove the inbound rule that allows 0.0.0.0/0 (any IPv4 address) on the database port from the security group:
aws ec2 revoke-security-group-ingress \
    --group-id <security-group-id> \
    --protocol tcp \
    --port <port-number> \
    --cidr 0.0.0.0/0

Replace <security-group-id> with the actual security group ID associated with the RDS DB instance, and <port-number> with the port used by the database engine (for example 3306 for MySQL and MariaDB, 5432 for PostgreSQL, 1433 for SQL Server, 1521 for Oracle). The revoke must describe the existing rule exactly (same protocol, port range and CIDR); a request that matches no existing rule removes nothing. Check for a matching ::/0 (any IPv6 address) rule and for an all-traffic rule as well, since either exposes the port just as broadly.

Remediation Steps

Follow these step-by-step instructions to remediate the RDS DB instances and ensure public access is prohibited:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon RDS service.
  3. Identify the RDS DB instances hosting GxP data that are marked as publicly accessible (the PubliclyAccessible attribute is true).
  4. For each identified DB instance, note down the DB instance identifier, the database port, and the attached VPC security group IDs.
  5. Open the AWS CLI or an equivalent command-line tool with AWS credentials that are permitted to call rds:ModifyDBInstance and ec2:RevokeSecurityGroupIngress.
  6. Run the following command for each DB instance to set PubliclyAccessible to false and attach only security groups that restrict ingress to authorized sources:
aws rds modify-db-instance \
    --db-instance-identifier <db-instance-identifier> \
    --no-publicly-accessible \
    --vpc-security-group-ids <security-group-ids> \
    --apply-immediately

Replace <db-instance-identifier> with the actual DB instance identifier and <security-group-ids> with the desired security group ID(s). Ensure that the designated security group only allows access from authorized sources (specific CIDR ranges or the security groups of the application tier). Clients that connected through the instance's public IP lose connectivity once the attribute changes, so confirm beforehand that every legitimate client reaches the instance from inside the VPC or over VPC peering, a VPN, or AWS Direct Connect.

  7. Execute the following command to remove any inbound rule that opens the database port to the internet:
aws ec2 revoke-security-group-ingress \
    --group-id <security-group-id> \
    --protocol tcp \
    --port <port-number> \
    --cidr 0.0.0.0/0

Replace <security-group-id> with the actual security group ID associated with the RDS DB instance, and <port-number> with the port used by the database engine. Repeat the revoke for a ::/0 rule or an all-traffic rule if the group has one.

  8. Repeat steps 6 and 7 for each affected RDS DB instance.
  9. Validate the updated configuration: confirm that the instance's PubliclyAccessible attribute now reads false, that its endpoint resolves to a private address, and that the inbound rules of the attached security groups no longer contain 0.0.0.0/0 or ::/0.
  10. Conduct regular audits and checks to monitor and maintain the security posture of the RDS DB instances, for example by alerting on ModifyDBInstance events in CloudTrail that set PubliclyAccessible to true.

By following these steps, you configure RDS DB instances to prohibit public access, supporting compliance with the GxP and 21 CFR Part 11 requirements for controlling access to electronic records.
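The troubleshooting checks and the remediation steps above come down to two questions per instance: is PubliclyAccessible true, and does an attached security group admit the database port from anywhere? The script below, an added example that is not Cloud Defense's, AWS's, or this page's own code, answers both offline from the JSON that `aws rds describe-db-instances` and `aws ec2 describe-security-groups` return and prints the modify and revoke commands that fix each finding. The two input documents are constructed samples, and the instance identifiers and security group IDs in them are hypothetical; the second instance is included to show that a compliant attribute does not excuse an all-traffic IPv6 rule on its group.

```python
import json

# Constructed sample of `aws rds describe-db-instances` output, trimmed to the
# fields the rule needs. Instance names and security group IDs are hypothetical.
DB_INSTANCES = {
    "DBInstances": [
        {   # violates the rule: public IP assigned and its group is open to the world
            "DBInstanceIdentifier": "gxp-lims-prod",
            "PubliclyAccessible": True,
            "Endpoint": {"Port": 3306},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60001"}],
        },
        {   # attribute is compliant, but its group carries an all-traffic IPv6 rule
            "DBInstanceIdentifier": "gxp-batch-records",
            "PubliclyAccessible": False,
            "Endpoint": {"Port": 5432},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60002"}],
        },
    ]
}

# Constructed sample of `aws ec2 describe-security-groups` output (trimmed).
SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.20.0.0/16"}],
             "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
            # "-1" means every protocol and carries no port range, yet it exposes 5432
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]
}

ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # "anywhere" for IPv4 and IPv6


def rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_ranges(perm):
    """(cidr, is_ipv6) pairs for every source range in the rule that means 'anywhere'."""
    v4 = [(r["CidrIp"], False) for r in perm.get("IpRanges", []) if r["CidrIp"] in ANY_SOURCE]
    v6 = [(r["CidrIpv6"], True) for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in ANY_SOURCE]
    return v4 + v6


def revoke_command(group_id, perm, cidr, is_ipv6):
    """Build the revoke command for one offending source range.

    --ip-permissions is used rather than --protocol/--port/--cidr because it
    also expresses IPv6 ranges and the all-protocol (-1) form, and a revoke
    must match the existing rule exactly or nothing is removed.
    """
    spec = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:                 # absent on all-protocol rules
        spec["FromPort"], spec["ToPort"] = perm["FromPort"], perm["ToPort"]
    spec["Ipv6Ranges" if is_ipv6 else "IpRanges"] = [{"CidrIpv6" if is_ipv6 else "CidrIp": cidr}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (group_id, json.dumps([spec], separators=(",", ":"))))


def evaluate(db_instances=DB_INSTANCES, security_groups=SECURITY_GROUPS):
    """Return (instance, finding, remediation command) triples for every violation."""
    groups = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    findings = []
    for inst in db_instances["DBInstances"]:
        ident, port = inst["DBInstanceIdentifier"], inst["Endpoint"]["Port"]
        if inst.get("PubliclyAccessible"):   # the attribute the rule is evaluated on
            findings.append((ident, "PubliclyAccessible=true",
                             "aws rds modify-db-instance --db-instance-identifier %s "
                             "--no-publicly-accessible --apply-immediately" % ident))
        for ref in inst.get("VpcSecurityGroups", []):
            gid = ref["VpcSecurityGroupId"]
            for perm in groups.get(gid, {}).get("IpPermissions", []):
                if not rule_covers_port(perm, port):
                    continue
                for cidr, v6 in world_open_ranges(perm):
                    findings.append((ident, "%s admits %s to port %d" % (gid, cidr, port),
                                     revoke_command(gid, perm, cidr, v6)))
    return findings


if __name__ == "__main__":
    for ident, finding, cmd in evaluate():
        print("%s: %s\n    %s" % (ident, finding, cmd))
```

To run it against a real account, replace the two dictionaries with `json.load` of the saved output of `aws rds describe-db-instances` and `aws ec2 describe-security-groups`. The printed commands are the same modify and revoke calls given in the remediation steps; the revoke is emitted in --ip-permissions form so that an IPv6 or all-traffic rule is described exactly as EC2 holds it, which the --protocol/--port/--cidr shorthand cannot do for those cases.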
