Description:
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security, and compatibility they need.
Rationale:
Setting the Publicly accessible flag to Yes gives the DB instance endpoint a public IP address that resolves from outside the VPC. Whether anyone can actually connect then depends on the VPC security groups attached to the instance: with an inbound rule that admits 0.0.0.0/0 (or ::/0) on the database port, every host on the Internet can reach the database listener and only the database credentials stand between it and the data. RDS instances should not be publicly accessible. Check for any public-facing RDS DB instances provisioned in your AWS account and restrict access to them. To do so you must both disable the Publicly accessible flag and tighten the inbound rules of the VPC security groups associated with the instance; the flag removes the public address and the security group restricts who can reach the listener, and neither control replaces the other.
Impact:
When the VPC security group associated with a publicly accessible RDS instance allows unrestricted inbound access (0.0.0.0/0) on the database port, everyone and everything on the Internet can open a connection to your database. This invites credential brute-force attacks, attempts to exploit the database engine, and DoS/DDoS attacks against the listener, and it means any leaked or weak database credential is immediately usable from anywhere.
Default Value:
The default is not reliably private. When PubliclyAccessible is not specified at creation, the API derives it from the VPC of the DB subnet group: if that VPC has an internet gateway attached, the instance is created publicly accessible; if it does not, the instance is private. Set the flag explicitly rather than relying on the default.
Pre-requisites:
Sign in as an administrator, or as an IAM principal allowed rds:DescribeDBInstances, rds:ModifyDBInstance, ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress
Note down the existing security group rules (needed for the backout plan) and which clients currently connect through the public endpoint, since those clients lose connectivity once the instance is private
Remediation:
Test Plan:
Sign in to the AWS management console
Go to RDS service at https://console.aws.amazon.com/rds
Click on the Databases in the left navigation pane
Click on the Database name you want to examine
Under the Connectivity & security tab, note the Publicly accessible value and the VPC security groups associated with the instance
If Publicly accessible is Yes and any associated security group has an inbound rule whose source is 0.0.0.0/0 (or ::/0) on the database port, the RDS instance is reachable from the Internet. A Yes with tightly scoped security groups still warrants review, since a later rule change would expose it.
Using AWS CLI
List only the instances whose Publicly accessible flag is set, with their endpoint, port and attached security group IDs, so each group can then be inspected for a 0.0.0.0/0 rule on that port:
aws rds describe-db-instances \
    --region us-east-1 \
    --output table \
    --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Endpoint.Address,Endpoint.Port,join(`,`,VpcSecurityGroups[].VpcSecurityGroupId)]'
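The check the test plan describes, written as a script. This is an added example, not the page's or AWS's own code. It applies the same condition (Publicly accessible is Yes, and an attached security group admits 0.0.0.0/0 or ::/0 on the endpoint port) to the JSON shapes returned by aws rds describe-db-instances and aws ec2 describe-security-groups, so saved CLI output or boto3 results can be fed to it. The function names and the sample instances and groups are constructed for the example. It goes a little beyond the console check: it tests the port, so a world-open SSH rule on a shared security group is not mistaken for a world-open database rule, and it handles IPv6 ranges and protocol "-1" (all traffic) rules.

```python
"""Audit helper: find RDS instances reachable from the Internet (added example)."""
import json

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`.

    IpProtocol "-1" means every protocol and port; FromPort/ToPort are then absent.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_sources(sg, port):
    """Return the world-open CIDRs in security group `sg` that reach `port`."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if not _rule_covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") == ANY_V4:
                found.append(ANY_V4)
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == ANY_V6:
                found.append(ANY_V6)
    return found


def public_rds_findings(db_instances, security_groups):
    """Cross-reference DBInstances[] with SecurityGroups[].

    Every instance with PubliclyAccessible=true is reported so the flag itself can
    be reviewed; InternetReachable is true only when at least one attached group
    admits the whole Internet on the endpoint port (the page's test condition).
    """
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue
        port = db["Endpoint"]["Port"]
        hits = {}
        for ref in db.get("VpcSecurityGroups", []):
            gid = ref["VpcSecurityGroupId"]
            cidrs = open_sources(sgs.get(gid, {}), port)
            if cidrs:
                hits[gid] = cidrs
        findings.append({
            "DBInstanceIdentifier": db["DBInstanceIdentifier"],
            "Endpoint": db["Endpoint"]["Address"],
            "Port": port,
            "OpenSecurityGroups": hits,
            "InternetReachable": bool(hits),
        })
    return findings


# Constructed sample data, shaped like the CLI/boto3 responses (not real resources).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": True,
     "Endpoint": {"Address": "orders-prod.abc123.us-east-1.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1", "Status": "active"}]},
    {"DBInstanceIdentifier": "reports-dev", "PubliclyAccessible": True,
     "Endpoint": {"Address": "reports-dev.abc123.us-east-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0b2", "Status": "active"}]},
    {"DBInstanceIdentifier": "internal", "PubliclyAccessible": False,
     "Endpoint": {"Address": "internal.abc123.us-east-1.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1", "Status": "active"}]},
]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # World-open on 22 but not on the MySQL port: flagged, yet not Internet-reachable.
    {"GroupId": "sg-0b2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    print(json.dumps(public_rds_findings(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS), indent=2))
```

To run it against a real account, replace the two sample lists with the DBInstances and SecurityGroups arrays from the CLI output (aws ec2 describe-security-groups also accepts --filters Name=ip-permission.cidr,Values=0.0.0.0/0 if you only want the world-open groups). Private-only instances are skipped entirely; a world-open rule on a private instance is still worth cleaning up, but it is not this check.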
Implementation Steps:
Sign in to the AWS management console
Go to RDS service at https://console.aws.amazon.com/rds
Click on the Databases in the left navigation pane
Select the Database you want to change and click on Modify
On the Modify DB instance page, under the Connectivity section, next to Security group, click each active security group name to open it for editing.
Select the Inbound rules tab and click Edit inbound rules.
In the Edit inbound rules dialog, locate the rule whose source is 0.0.0.0/0 (or ::/0) on the database port, open its Source dropdown and do one of the following to restrict the inbound traffic:
Select My IP to allow inbound traffic only from your own IP address.
Select Custom and enter the CIDR ranges, or the name or ID of another security group (for example the application tier's group), that actually need to reach the database.
Click Save rules to apply the changes.
Back on the Modify DB instance page, expand Additional connectivity configuration and, under Public access, choose Not publicly accessible to disable the flag.
Click on the Continue
In the Scheduling of modifications section, perform one of the following actions based on your requirements:
Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
Select Apply immediately to apply the changes right away.
Click on Modify DB Instance
Using AWS CLI:
Disable the Publicly accessible flag for the RDS instance (the command is the same on Linux, macOS, Unix and Windows):
aws rds modify-db-instance --db-instance-identifier mydbinstance --no-publicly-accessible --no-apply-immediately
Note that the API applies a PubliclyAccessible change asynchronously as soon as possible rather than in the maintenance window, so --no-apply-immediately does not defer it; run the command only after Internet-side clients have been moved to a VPN, bastion or peered-VPC path. The command changes only the flag. The inbound rules of the associated security groups still have to be tightened separately (aws ec2 revoke-security-group-ingress to drop the 0.0.0.0/0 rule, aws ec2 authorize-security-group-ingress to add the allowed sources), as in the console steps above.
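The two remediation changes as one script, in the order a practitioner wants them: close the security groups first, so that the network path is already shut even if the flag change fails, then clear the flag. This is an added example and not the page's or AWS's own code. The boto3 calls it makes (revoke_security_group_ingress, authorize_security_group_ingress, modify_db_instance) are the real API operations behind the CLI commands above; the helper names, the RecordingClient stand-in and the sample security group are assumptions constructed so the logic can be run offline as a dry run. In production pass boto3.client("ec2") and boto3.client("rds") instead of the recorders.

```python
"""Close a public RDS instance: revoke world-open ingress, then clear the flag (added example)."""
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_entries(sg, port):
    """Return the IpPermissions entries of `sg` that admit the Internet to TCP `port`.

    Each entry copies the matching rule's protocol and port range exactly and keeps
    only its world CIDRs, because RevokeSecurityGroupIngress removes a rule only on
    an exact match: revoking 5432-5432 leaves a 0-65535 or all-traffic rule in place.
    """
    out = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        all_ports = proto == "-1"
        in_range = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        if not all_ports and (proto not in ("tcp", "6") or not in_range):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": proto}
        if not all_ports:
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        out.append(entry)
    return out


def restrict_security_group(ec2, sg, port, allowed_cidrs):
    """Revoke world-open ingress to `port`, then authorize only `allowed_cidrs` on it.

    `allowed_cidrs` must not already be present on that port: AuthorizeSecurityGroupIngress
    rejects an identical rule with InvalidPermission.Duplicate. Returns the revoked entries.
    """
    revoked = world_open_entries(sg, port)
    if revoked:
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=revoked)
    if allowed_cidrs:
        ec2.authorize_security_group_ingress(
            GroupId=sg["GroupId"],
            IpPermissions=[{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                            "IpRanges": [{"CidrIp": c, "Description": "RDS allow-list"}
                                         for c in allowed_cidrs]}])
    return revoked


def make_private(rds, db_id):
    """Clear Publicly accessible. The API applies this change as soon as possible
    regardless of ApplyImmediately, so call it only after clients have moved off
    the public endpoint."""
    return rds.modify_db_instance(DBInstanceIdentifier=db_id, PubliclyAccessible=False)


def remediate(ec2, rds, db_id, port, security_groups, allowed_cidrs):
    """Security groups first, flag second. Returns {group_id: revoked entries}."""
    revoked = {sg["GroupId"]: restrict_security_group(ec2, sg, port, allowed_cidrs)
               for sg in security_groups}
    make_private(rds, db_id)
    return revoked


class RecordingClient:
    """Stand-in for a boto3 client (assumption): records each call instead of making it."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed sample: all of IPv4 may reach 5432, and all of IPv6 may reach every port.
SAMPLE_SG = {"GroupId": "sg-0a1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}

if __name__ == "__main__":
    ec2, rds = RecordingClient(), RecordingClient()  # dry run; swap in boto3 clients to apply
    remediate(ec2, rds, "orders-prod", 5432, [SAMPLE_SG], ["198.51.100.7/32"])
    for name, kwargs in ec2.calls + rds.calls:
        print(name, kwargs)
```

The dry run shows exactly which rules would be revoked (the 10.0.0.0/16 entry is left alone) before anything is changed, which is also the record to keep for the backout plan. Note that revoking an all-traffic rule on a security group shared with EC2 instances will cut off more than the database; check what else uses the group first.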
Backout plan:
To revert the changes, follow the implementation steps again: under Public access choose Publicly accessible instead of Not publicly accessible, and restore the security group inbound rules exactly as you noted them in the pre-requisites.