Rule: RDS DB Instances Should Prohibit Public Access

This rule focuses on preventing public access to RDS DB instances for security purposes.

Rule: RDS DB instances should prohibit public access
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

RDS Database Instances Public Access Prohibition for NIST Cybersecurity Framework (CSF) v1

Description

The NIST Cybersecurity Framework (CSF) v1 outlines a comprehensive set of guidelines and best practices for maintaining robust cybersecurity measures. One crucial aspect of securing AWS RDS (Relational Database Service) is to prohibit public access to your database instances. A publicly accessible RDS instance poses a significant risk: it allows unauthorized parties to reach the database endpoint directly, exposing sensitive data and the surrounding systems to breaches.

To adhere to the CSF v1 recommendations and enhance the security posture of your RDS database instances, it is necessary to enforce the prohibition of public access.

Troubleshooting

The following steps can be taken for troubleshooting the public access prohibition for RDS database instances:

  1. Verify the RDS instance settings:
     • Check the security group associated with the RDS instance to ensure it doesn't allow public access.
     • Ensure the inbound rules of the security group allow only the required IP ranges or subnets.
  2. Check network access settings:
     • Verify that the RDS instance's VPC (Virtual Private Cloud) doesn't have any default routes or internet gateways attached.
     • Ensure the subnets associated with the RDS instance don't have any direct internet connectivity.
  3. Utilize AWS Advisor:
     • AWS provides the Advisor service, which can analyze your infrastructure configuration and provide recommendations on how to improve its security posture, including RDS instance access.
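The security group and route table checks in steps 1 and 2 can be automated. The following Python script is an added example, not Cloud Defense's or AWS's code; it works offline over constructed sample data shaped like the output of boto3's ec2.describe_security_groups() and ec2.describe_route_tables(), and the ALLOWED_CIDRS allow-list is a hypothetical set of internal ranges you would replace with your own. It goes slightly beyond the text by flagging not only world-open rules (0.0.0.0/0 and ::/0) but any source range outside the allow-list, and any route table entry whose next hop is an internet gateway.

```python
"""Offline RDS network-exposure checks (added example, constructed sample data)."""
import ipaddress

# Hypothetical allow-list: only these source ranges may reach the database.
ALLOWED_CIDRS = {"10.0.0.0/8", "172.16.0.0/12"}

# Constructed sample in the shape of ec2.describe_security_groups(): one open
# rule and one internal rule on the PostgreSQL port.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

# Constructed sample in the shape of ec2.describe_route_tables(): the default
# route points at an internet gateway, so the subnet is directly reachable.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",  # constructed id
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
    ],
}


def is_world_open(cidr: str) -> bool:
    """True for the IPv4/IPv6 'anywhere' ranges (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def cidr_allowed(cidr: str, allowed=ALLOWED_CIDRS) -> bool:
    """True if `cidr` is fully contained in one of the allow-listed ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for entry in allowed:
        anet = ipaddress.ip_network(entry, strict=False)
        if net.version == anet.version and net.subnet_of(anet):
            return True
    return False


def offending_ingress(group: dict, allowed=ALLOWED_CIDRS) -> list:
    """(port_range, cidr, reason) for every inbound rule that is not allow-listed."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = (perm.get("FromPort", "all"), perm.get("ToPort", "all"))
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if is_world_open(cidr):
                findings.append((ports, cidr, "open to the internet"))
            elif not cidr_allowed(cidr, allowed):
                findings.append((ports, cidr, "outside allow-list"))
    return findings


def internet_routes(route_table: dict) -> list:
    """Destinations whose next hop is an internet gateway (igw-*)."""
    return [
        r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        for r in route_table.get("Routes", [])
        if str(r.get("GatewayId", "")).startswith("igw-")
    ]


if __name__ == "__main__":
    for finding in offending_ingress(SAMPLE_SECURITY_GROUP):
        print("security group finding:", finding)
    for dest in internet_routes(SAMPLE_ROUTE_TABLE):
        print("route table finding: internet route for", dest)
```

To run this against a real account, replace the two sample dicts with the entries returned by the describe calls for the security groups listed on the instance and the route tables of its DB subnet group; the evaluation functions are unchanged.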

Remediation

To enforce the prohibition of public access to your RDS database instances for compliance with the NIST CSF v1, follow the step-by-step guide below:

  1. Identify publicly accessible RDS instances:
     • In the Amazon RDS console, select the appropriate AWS Region.
     • Navigate to the "Instances" section.
  2. Verify instance accessibility:
     • For each RDS instance, check if it allows public access in the "Connectivity & Security" tab.
     • If public accessibility is enabled, proceed to modify the settings.
  3. Modify security group rules:
     • Navigate to the "VPC Security Groups" section in the "Connectivity & Security" tab for the selected RDS instance.
     • Click on the security group associated with the RDS instance.
  4. Remove public access rules:
     • In the security group settings, revise the inbound rules and remove any rules allowing access from public IP ranges.
     • Ensure that only necessary IP ranges or subnets have access.
  5. Adjust network settings:
     • Go to the "VPC" section in the AWS Management Console.
     • Check the VPC and subnets associated with the RDS instance.
     • Make sure that the VPC doesn't have any default routes or internet gateways.
  6. Ensure direct connectivity restrictions:
     • For the subnets associated with the RDS instance, verify the route tables and confirm there are no direct internet connectivity options.
  7. Monitor and test:
     • Regularly monitor the RDS instances for any unintended changes in security group rules or network configurations.
     • Test the database connectivity from the intended sources to ensure it functions as expected without public access.
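Steps 1 and 2 (find instances with public accessibility enabled and change the setting) map directly onto the RDS API. The script below is an added example, not Cloud Defense's or AWS's code. It assumes SAMPLE_INSTANCES mirrors the "DBInstances" list returned by boto3's rds.describe_db_instances(), and that the API equivalent of the console change is rds.modify_db_instance(PubliclyAccessible=False). It runs as a dry run by default and only imports boto3 when asked to apply the change, so the planning logic can be exercised offline.

```python
"""Find RDS instances flagged PubliclyAccessible and plan the fix (added example)."""

# Constructed sample in the shape of rds.describe_db_instances()["DBInstances"]:
# one exposed instance and one compliant one.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "Engine": "postgres", "DBInstanceStatus": "available",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0",
                            "Status": "active"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "Engine": "mysql", "DBInstanceStatus": "available",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210",
                            "Status": "active"}]},
]


def publicly_accessible(instances: list) -> list:
    """Identifiers of instances whose PubliclyAccessible flag is set."""
    return [i["DBInstanceIdentifier"] for i in instances if i.get("PubliclyAccessible")]


def remediation_params(instance_id: str, apply_immediately: bool = True) -> dict:
    """Keyword arguments for rds.modify_db_instance that turn public access off."""
    return {
        "DBInstanceIdentifier": instance_id,
        "PubliclyAccessible": False,
        "ApplyImmediately": apply_immediately,
    }


def plan(instances: list) -> list:
    """One modify call per exposed instance; nothing for compliant ones."""
    return [remediation_params(i) for i in publicly_accessible(instances)]


def remediate(instances: list, apply: bool = False, rds=None) -> list:
    """Dry run by default: return the planned calls. With apply=True, execute them.

    `rds` may be any object exposing modify_db_instance(**params); when omitted
    and apply=True, a real boto3 RDS client is created (needs AWS credentials).
    """
    calls = plan(instances)
    if apply:
        if rds is None:
            import boto3  # only needed when actually changing AWS state
            rds = boto3.client("rds")
        for params in calls:
            rds.modify_db_instance(**params)
    return calls


if __name__ == "__main__":
    for call in remediate(SAMPLE_INSTANCES):
        print("would call modify_db_instance with", call)
```

Clearing the flag removes the instance's public IP, but it does not by itself tighten the security group or the subnet route tables, so steps 3 to 6 still apply after the change.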

Additional Tips

  • Implementing multi-factor authentication (MFA) for RDS instances adds an extra layer of security.
  • Regularly update and patch the operating system and database software to address any security vulnerabilities.
  • Enable AWS CloudTrail logging to keep track of any security-related changes made to RDS instances.
  • Perform regular security audits and vulnerability assessments to identify and remediate any potential risks.
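The CloudTrail tip above becomes useful only if something reads the trail. The following Python script is an added example, not Cloud Defense's or AWS's code: it scans CloudTrail records for RDS API calls that request public accessibility. The sample records are constructed to follow the CloudTrail record layout (eventSource, eventName, requestParameters, userIdentity, sourceIPAddress), and it is assumed that the RDS request parameters appear in the log as "publiclyAccessible" and "dBInstanceIdentifier"; the account id and IP addresses are documentation placeholders.

```python
"""Flag CloudTrail records that make an RDS instance publicly accessible (added example)."""
import json

# RDS API calls that carry a PubliclyAccessible parameter.
WATCHED_EVENTS = {"CreateDBInstance", "ModifyDBInstance", "RestoreDBInstanceFromDBSnapshot"}

# Constructed sample trail: only the second record exposes an instance.
SAMPLE_RECORDS = json.loads(r'''
{"Records": [
 {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "rds.amazonaws.com",
  "eventName": "ModifyDBInstance", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "sourceIPAddress": "10.1.2.3",
  "requestParameters": {"dBInstanceIdentifier": "orders-db", "publiclyAccessible": false}},
 {"eventTime": "2024-01-10T12:05:00Z", "eventSource": "rds.amazonaws.com",
  "eventName": "ModifyDBInstance", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"dBInstanceIdentifier": "orders-db", "publiclyAccessible": true}},
 {"eventTime": "2024-01-10T12:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "198.51.100.7", "requestParameters": {}}
]}
''')


def exposes_instance(record: dict) -> bool:
    """True if the call asked RDS to make an instance publicly accessible."""
    if record.get("eventSource") != "rds.amazonaws.com":
        return False
    if record.get("eventName") not in WATCHED_EVENTS:
        return False
    params = record.get("requestParameters") or {}
    return params.get("publiclyAccessible") is True  # assumed log key name


def alerts(trail: dict) -> list:
    """A summary per matching record: who changed which instance, from where."""
    out = []
    for rec in trail.get("Records", []):
        if not exposes_instance(rec):
            continue
        params = rec.get("requestParameters") or {}
        out.append({
            "time": rec.get("eventTime"),
            "event": rec.get("eventName"),
            "instance": params.get("dBInstanceIdentifier"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_RECORDS):
        print("public-access change:", alert)
```

The same predicate can be expressed as a CloudWatch Logs metric filter or an EventBridge rule on the trail; doing it in code first lets you confirm the field names against your own log samples before wiring up an alarm.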

Note: The remediation steps mentioned above are generic and may vary depending on your specific AWS infrastructure setup and RDS instance configuration. Always refer to the official AWS documentation for detailed instructions.
