Rule: RDS Snapshots Should Prohibit Public Access

This rule ensures that RDS snapshots do not allow public access, critical for data security.

Rule: RDS snapshots should prohibit public access
Framework: GxP 21 CFR Part 11
Severity: Critical

Rule Description:

This rule ensures that snapshots of Amazon RDS (Relational Database Service) instances in the AWS (Amazon Web Services) environment comply with the requirements of GxP (Good Practices) as specified in 21 CFR Part 11 regulations. Specifically, it prohibits public access to RDS snapshots, which may contain sensitive and regulated data.

Troubleshooting Steps:

  1. Check if the RDS snapshot has public access enabled.
  2. Review the security group assigned to the RDS instance associated with the snapshot to ensure that inbound rules do not allow public access.
  3. Verify the network ACL (Access Control List) associated with the RDS subnet to confirm that it does not permit traffic from unauthorized sources.
  4. Ensure that the associated RDS instance and its associated resources (e.g., EC2 instances, Aurora clusters) are appropriately configured to prevent public access.

Necessary Codes:

(Note: These code examples assume the AWS Command Line Interface (CLI) is being used.)

To verify the public accessibility status of an RDS snapshot (the snapshot is public if the values of its restore attribute include all):

aws rds describe-db-snapshot-attributes --db-snapshot-identifier <snapshot-identifier>

To remove public access from an RDS snapshot:

aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-identifier> --attribute-name restore --values-to-remove all
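
An added example, not from the original page or the vendor's tooling: a Python check that classifies snapshots from saved `aws rds describe-db-snapshot-attributes` output, where a `restore` attribute containing `all` means the snapshot is public. The snapshot identifiers, account ID and function names are constructed for illustration.

```python
import json
import shlex
import sys

# Constructed sample in the shape returned by
# `aws rds describe-db-snapshot-attributes` (IDs and account number are made up).
def _resp(snap_id, values):
    return {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": snap_id,
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": values}]}}

SAMPLE_RESPONSES = [
    _resp("example-public-snap", ["all"]),
    _resp("example-shared-snap", ["111122223333"]),
    _resp("example-private-snap", []),
]

def classify(response):
    """Return (snapshot_id, status, shared_account_ids) for one response."""
    result = response["DBSnapshotAttributesResult"]
    restore = []
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            restore = attr.get("AttributeValues", [])
    if "all" in restore:
        status = "PUBLIC"    # any AWS account can copy or restore the snapshot
    elif restore:
        status = "SHARED"    # only the listed account IDs can restore it
    else:
        status = "PRIVATE"
    accounts = [v for v in restore if v != "all"]
    return result["DBSnapshotIdentifier"], status, accounts

def audit(responses):
    """Return the classified rows that violate the rule (public snapshots)."""
    return [row for row in map(classify, responses) if row[1] == "PUBLIC"]

def remediation_command(snapshot_id):
    """CLI call that removes the public 'all' value from the restore attribute."""
    return ("aws rds modify-db-snapshot-attribute --db-snapshot-identifier "
            f"{shlex.quote(snapshot_id)} --attribute-name restore --values-to-remove all")

if __name__ == "__main__":
    # Each argument is a file holding one saved CLI response; no arguments = sample.
    responses = [json.load(open(p)) for p in sys.argv[1:]] or SAMPLE_RESPONSES
    for snap_id, status, accounts in audit(responses):
        print(f"{status} {snap_id}: {remediation_command(snap_id)}")
```

Snapshots classified as SHARED do not violate this rule, but the listed account IDs are worth reviewing against the set of accounts that are expected to restore them.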

Remediation Steps:

(Note: These steps assume the AWS Management Console is being used.)

  1. Log in to the AWS Management Console.
  2. Open the Amazon RDS service.
  3. Navigate to the "Snapshots" section.
  4. Select the snapshot that needs to be remediated.
  5. Verify the "Publicly Accessible" column for the snapshot to ensure it is set to "No."
  6. If the snapshot is publicly accessible, click on the snapshot, then click the "Actions" dropdown button and choose "Modify Snapshot Attribute."
  7. In the attribute modification form, uncheck the "Publicly Accessible" option.
  8. Click "Apply Changes" or "Save Changes" to update the snapshot's attributes.
  9. Monitor the modification progress in the notifications or event history.
  10. Once the modification is complete, repeat the verification step to ensure the snapshot is no longer publicly accessible.

Additional Notes:

  • It is recommended to review and update the associated AWS IAM (Identity and Access Management) roles and user permissions to ensure that only authorized individuals can modify the snapshot attributes.
  • Regular audits and monitoring should be performed to detect and remediate any deviations from the desired configuration.
  • Documentation and record-keeping should be maintained to demonstrate compliance with GxP regulations, including details of the snapshot configuration and any changes made.
