Rule: RDS DB Instances Prohibit Public Access
This rule ensures RDS DB instances do not allow public access to enhance security measures.
| Rule | RDS DB instances should prohibit public access |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
RDS DB instances should prohibit public access for NIST 800-53 Revision 5. This rule ensures that all RDS database instances are not accessible to the public. By implementing this measure, the organization can prevent unauthorized access to sensitive data stored in RDS DB instances, protecting the confidentiality and integrity of the information.
Troubleshooting Steps:
- 1.
Verify the Security Group configuration:
- Check if the inbound rules allow access from any IP addresses (0.0.0.0/0).
- Ensure that no rule allows access from any source IP or public IP ranges.
- 2.
Check the Subnet Group settings:
- Validate that the RDS DB instances are not assigned to a public subnet.
- Ensure that the DB instances are located within a private subnet.
- 3.
Verify the instance's parameter group configuration:
- Check if the
parameter is set topublicly_accessible
.false - Ensure that the DB instance does not have any other parameter allowing public access.
- 4.
Validate the Network Access Control Lists (NACLs) settings:
- Ensure that the inbound and outbound rules for the associated subnets do not permit public access.
Rule Remediation:
To remediate this rule, follow the step-by-step guide below:
- 1.
Identify the RDS DB instances that allow public access:
- List all existing RDS DB instances within your AWS infrastructure.
- 2.
Modify the security group associated with the problematic RDS DB instance(s):
- Access the AWS Management Console.
- Go to the EC2 service and navigate to the "Security Groups" section.
- Search for the security group associated with the problematic RDS DB instance(s).
- Edit the security group's inbound rules to restrict access by modifying the source IP or IP range allowed. Ideally, restrict it to specific IP addresses or CIDR blocks that require access.
- 3.
Move the RDS DB instance(s) to a private subnet:
- Go to the RDS service within the AWS Management Console.
- Select the RDS DB instance(s) that allow public access.
- Click "Modify" and choose the appropriate private subnet from the "Virtual Private Cloud (VPC) settings" options.
- Save the changes to move the RDS DB instance(s) to a private subnet.
- 4.
Update the instance's parameter group settings:
- Within the RDS service, click on the "Parameter Groups" tab.
- Select the appropriate parameter group associated with the RDS DB instance.
- Modify the
parameter and set it topublicly_accessible
.false - Save the changes to update the parameter group settings.
- 5.
Validate the Network Access Control Lists (NACLs):
- Go to the VPC service within the AWS Management Console.
- Navigate to the "Network ACLs" section.
- Identify the Network ACL associated with the subnets that contain the RDS DB instances.
- Ensure that the inbound and outbound rules do not permit public access.
- Modify the Network ACL rules if needed to restrict public access.
- 6.
Monitor and validate the changes:
- Regularly review the RDS DB instances to ensure public access is restricted.
- Monitor the associated security groups, parameter groups, and Network ACLs to detect any unauthorized changes.
Additional Notes:
- Ensure that proper access controls are in place, allowing only authorized individuals or applications to access the RDS DB instances.
- Consider enabling Multi-Factor Authentication (MFA) for AWS accounts, IAM roles, and database users to add an additional layer of security.
- Regularly update and patch the RDS DB instances to mitigate any potential security vulnerabilities.
- It is recommended to implement the principle of least privilege, granting only the necessary permissions to users and applications interacting with the RDS DB instances.