
Rule: RDS DB Instances Should Prohibit Public Access

This rule ensures that RDS DB instances do not allow public access, enhancing security measures.

Rule: RDS DB instances should prohibit public access
Framework: HIPAA
Severity: High

Rule Description

HIPAA's Security Rule requires technical safeguards for protected health information (PHI), and an RDS DB instance that stores PHI should therefore not be reachable from the public internet. This rule checks that the instance is not publicly accessible, so that the confidentiality, integrity, and availability of the PHI it holds are protected by the private network boundary of the VPC.

Troubleshooting Steps

An RDS DB instance is only reachable from the internet when three conditions hold together: the "Publicly Accessible" setting is enabled (which assigns a public IP address), the instance sits in a subnet whose route table sends traffic to an internet gateway, and a security group allows inbound traffic on the database port from the internet. If public access is found to be enabled for an RDS DB instance that is subject to HIPAA compliance, work through the following checks:

1. Verify Security Group Rules: Check every security group attached to the DB instance and confirm that no inbound rule permits the database port (for example 3306 for MySQL or 5432 for PostgreSQL) from 0.0.0.0/0 or ::/0. Inbound rules should reference only the security groups or private CIDR ranges of the application tier.

2. Review VPC Network ACLs: Ensure that the network ACLs of the subnets in the instance's DB subnet group do not permit unrestricted inbound access on the database port.

3. Examine IAM Policies: IAM does not control network reachability of the instance, but an over-broad policy that grants rds:ModifyDBInstance or ec2:AuthorizeSecurityGroupIngress lets a user or role re-enable public access later. Review who can modify the instance and its security groups and restrict those permissions to the roles that need them.

4. Check Subnet Routing: Confirm that the route tables of the subnets in the DB subnet group have no default route (0.0.0.0/0 or ::/0) to an internet gateway. A subnet with such a route is a public subnet, and an instance placed there with "Publicly Accessible" enabled receives a public IP address.

5. Verify the RDS Public Accessibility Setting: Ensure that "Publicly Accessible" is set to "No" (or the checkbox is cleared). When it is "No", the instance has only a private IP address and its endpoint DNS name resolves to that private address.

6. Audit Client Connectivity: Review the instances and applications that connect to the DB instance and confirm that they reach it over a private path (the same VPC, VPC peering, a Transit Gateway, or a VPN or Direct Connect link) rather than through a public IP address. Any client that depends on the public endpoint will lose connectivity once public access is disabled and must be migrated first.

Necessary Code

No application code changes are required to bring an RDS DB instance into compliance with this rule. The "Publicly Accessible" setting is an instance attribute that can be changed in the AWS Management Console, with the AWS Command Line Interface (CLI) modify-db-instance command, or through an SDK; the accompanying security group and route table changes are made in the VPC console or with the equivalent EC2 API calls.

Step-by-Step Guide for Remediation

Follow these steps to prohibit public access for an RDS DB instance that needs to adhere to HIPAA compliance:

1. Log in to the AWS Management Console.

2. Open the Amazon RDS service.

3. Select the appropriate region if it is not already selected.

4. Click "Databases" in the left navigation pane.

5. Find and select the RDS DB instance that needs to prohibit public access.

6. Choose "Modify" (listed under "Instance Actions" in older versions of the console).

7. Scroll down to the connectivity settings ("Network & Security" or "Connectivity", depending on the console version).

8. Set "Publicly Accessible" to "No" (or clear the checkbox).

9. Review any other settings or configuration changes needed for the instance.

10. Click "Modify DB Instance" to save the changes.

11. Once the modification is complete, re-check the security group rules, network ACLs, IAM policies, and subnet routes to confirm that public access is fully restricted. Disabling "Publicly Accessible" removes the public IP address but does not tighten security group rules or move the instance out of a public subnet, so those must be fixed separately.

Following these steps will ensure that the RDS DB instance adheres to the HIPAA guidelines by prohibiting public access.
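The checks in the troubleshooting list and the remediation of the "Publicly Accessible" setting from the guide above, as an added Python example that is not part of the original page or of Cloud Defense's product. The assess_instance() function takes plain dictionaries shaped like the boto3 describe_db_instances, describe_security_groups and describe_route_tables responses, so it runs offline against the constructed sample at the bottom of the block (the instance, security group, subnet and gateway identifiers there are made up). Only collect_from_aws() and remediate() talk to AWS; they need boto3 and credentials with read access to RDS and EC2, and rds:ModifyDBInstance for the remediation.

```python
import ipaddress


def is_open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a CIDR that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_in_rule(rule: dict, port: int) -> bool:
    """IpProtocol '-1' means all traffic; otherwise the rule carries a port range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def assess_instance(inst: dict, security_groups: dict, subnet_routes: dict) -> list:
    """Findings for the paths that make an instance public; [] means none is open.
    inst: entry of describe_db_instances()["DBInstances"]; security_groups: {GroupId:
    describe_security_groups() entry}; subnet_routes: {SubnetId: "Routes" of its table}."""
    findings = []
    port = inst["Endpoint"]["Port"]
    # Check 5: the flag itself (gives the instance a public IP when its subnet is public)
    if inst.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible is true (endpoint resolves to a public IP)")
    # Check 1: security group ingress on the DB port from anywhere
    for ref in inst.get("VpcSecurityGroups", []):
        sg = security_groups.get(ref["VpcSecurityGroupId"], {})
        for rule in sg.get("IpPermissions", []):
            if not port_in_rule(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_open_to_world(cidr):
                    findings.append(f"{sg.get('GroupId')} allows {cidr} to port {port}")
    # Check 4: a default route to an internet gateway makes the subnet public
    for sub in inst["DBSubnetGroup"]["Subnets"]:
        sid = sub["SubnetIdentifier"]
        for route in subnet_routes.get(sid, []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            gw = route.get("GatewayId", "")
            if dest and is_open_to_world(dest) and gw.startswith("igw-"):
                findings.append(f"{sid} routes {dest} to {gw} (public subnet)")
    return findings


def collect_from_aws(instance_id: str, session=None):
    """Live counterpart: fetch the three inputs of assess_instance() with boto3."""
    import boto3  # imported here so the offline checks above need no SDK installed
    session = session or boto3.Session()
    rds, ec2 = session.client("rds"), session.client("ec2")
    inst = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    sg_ids = [g["VpcSecurityGroupId"] for g in inst["VpcSecurityGroups"]]
    sgs = {g["GroupId"]: g
           for g in ec2.describe_security_groups(GroupIds=sg_ids)["SecurityGroups"]}
    tables = ec2.describe_route_tables(Filters=[
        {"Name": "vpc-id", "Values": [inst["DBSubnetGroup"]["VpcId"]]}])["RouteTables"]
    # A subnet with no explicit association is governed by the VPC's main route table.
    main = next(t for t in tables if any(a.get("Main") for a in t.get("Associations", [])))
    routes = {}
    for sub in inst["DBSubnetGroup"]["Subnets"]:
        sid = sub["SubnetIdentifier"]
        explicit = [t for t in tables
                    if any(a.get("SubnetId") == sid for a in t.get("Associations", []))]
        routes[sid] = (explicit[0] if explicit else main)["Routes"]
    return inst, sgs, routes


def remediate(instance_id: str, session=None) -> dict:
    """Clear the flag (step 8 of the guide); SG and route findings need separate fixes."""
    import boto3
    rds = (session or boto3.Session()).client("rds")
    return rds.modify_db_instance(DBInstanceIdentifier=instance_id,
                                  PubliclyAccessible=False, ApplyImmediately=True)


# Constructed sample, not data from a real account: a PostgreSQL instance with the
# flag set, in a public subnet, behind a security group open to the world on 5432.
SAMPLE_INSTANCE = {
    "DBInstanceIdentifier": "phi-db-1", "PubliclyAccessible": True,
    "Endpoint": {"Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0abc"}],
    "DBSubnetGroup": {"VpcId": "vpc-0abc", "Subnets": [{"SubnetIdentifier": "subnet-0pub"}]},
}
SAMPLE_SGS = {"sg-0abc": {"GroupId": "sg-0abc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}}
SAMPLE_ROUTES = {"subnet-0pub": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}


def demo() -> list:
    """Run the offline checks against the constructed sample (three findings)."""
    return assess_instance(SAMPLE_INSTANCE, SAMPLE_SGS, SAMPLE_ROUTES)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running the file prints one finding per open path for the sample; against a real account, `assess_instance(*collect_from_aws("phi-db-1"))` performs the same three checks on live data, and an empty result means the instance passes checks 1, 4 and 5. Network ACLs (check 2) and IAM policies (check 3) are not evaluated by this block, and remediate() only clears the flag, which is why the security group and route findings are reported separately rather than fixed automatically.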
