Description:

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

 

Rationale:

A publicly accessible RDS instance has a public IP address and its endpoint DNS name resolves to it, so any host on the Internet that the associated VPC security group permits can reach the database listener and attempt to authenticate; if the security group also allows 0.0.0.0/0, that means everyone. RDS instances should not be publicly accessible. Check for any public-facing RDS database instances provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. To restrict access to a publicly accessible RDS database instance, disable the Publicly accessible flag and update the VPC security group associated with the instance so that only the source addresses or security groups that need the database can reach its port.


Impact:  

When an instance is publicly accessible and the VPC security group associated with it allows unrestricted access (0.0.0.0/0 or ::/0) to the database port, any host on the Internet can open a connection to the database. This exposes the authentication layer directly and increases the opportunity for malicious activity such as credential brute-forcing, exploitation of engine vulnerabilities, SQL injection against exposed services and DoS/DDoS attacks against the listener.


Default Value:

By default, an RDS instance created from the console is not publicly accessible (Public access: No). When an instance is created through the API or CLI without the publicly-accessible parameter, the default depends on whether the target VPC has an Internet gateway attached, so the flag should be verified rather than assumed.


Audit:

  1. Sign in to the AWS Management Console.

  2. Go to the RDS service at https://console.aws.amazon.com/rds

  3. Click Databases in the left navigation pane.

  4. Click the name of the database instance you want to examine.

  5. Under the Connectivity & security tab, note the Publicly accessible value and the VPC security groups associated with the instance.

  6. If Publicly accessible is Yes and an associated security group has an inbound rule on the database port whose source is 0.0.0.0/0 (or ::/0), the instance is reachable from the Internet and the check fails. Repeat for every instance in every region in use.


Remediation:

Pre-requisites:

  • Sign in as an administrator or as an IAM principal with the required permissions (at minimum rds:ModifyDBInstance, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress)

  • Record the existing inbound rules of each associated security group so they can be restored if needed (see Backout plan)


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Go to the RDS service at https://console.aws.amazon.com/rds

  3. Click Databases in the left navigation pane.

  4. Select the database instance you want to change and click Modify.

  5. On the Modify DB instance page, under the Connectivity section, next to Security group, click each active security group name to open it for editing.

    1. Select the Inbound rules tab and click Edit inbound rules.

    2. In the Edit inbound rules dialog, locate the rule for the database port whose Source is 0.0.0.0/0 (or ::/0) and, from the Source dropdown, do one of the following to restrict it:

      1. Select My IP to allow inbound traffic only from your current IP address.

      2. Select Custom and enter the CIDR ranges, or the name or ID of another security group (for example, the application tier's group), that must reach the database.

    3. Click Save rules to apply the changes.

  6. Expand Additional configuration and choose Not publicly accessible under Public access to clear the flag and restrict public access.

  7. Click Continue.

  8. In the Scheduling of modifications section, do one of the following based on your requirements:

    1. Select Apply during the next scheduled maintenance window to apply the changes during the next maintenance window.

    2. Select Apply immediately to apply the changes right away. Once the flag is cleared the endpoint DNS name resolves only to the instance's private IP address, so any client that was connecting over the Internet loses access at that point; confirm that every legitimate client reaches the instance from inside the VPC (or over a VPN, Direct Connect or peering path) before applying.

  9. Click Modify DB instance.
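The Audit and Remediation procedures above, expressed against the RDS and EC2 APIs as an added example (editor-supplied code, not part of the original benchmark and not an AWS tool). It generalizes the console check slightly: IPv6 ::/0 sources and protocol "all" rules count as world-open, and world-open rules on ports other than the database port are ignored. The sample instance and security group (orders-db, sg-0123456789abcdef0, the 203.0.113.10/32 replacement source) are constructed, hypothetical data; only apply_plan() needs boto3, credentials and network access.

```python
"""Added example (not the benchmark's own tooling): evaluates the Audit conditions
(Publicly accessible = Yes and a security group admitting 0.0.0.0/0 or ::/0 on the
database port) and turns the Remediation steps into API calls. Decision logic is pure
and runs offline on the constructed sample; only apply_plan() talks to AWS via boto3."""
import ipaddress


def _cidr_is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers_port(perm, port):
    """Does one IpPermissions entry admit TCP traffic to the database listener port?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" is the security-group encoding for all protocols and ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_rules(sg, port):
    """Inbound rules of one DescribeSecurityGroups entry that admit any Internet source
    to port, each shaped exactly as RevokeSecurityGroupIngress expects."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if not _rule_covers_port(perm, port):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if _cidr_is_world(r["CidrIp"])]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if _cidr_is_world(r["CidrIpv6"])]
        if not (v4 or v6):
            continue
        rule = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):  # absent for protocol "-1"; must match to revoke
            if key in perm:
                rule[key] = perm[key]
        for key, ranges in (("IpRanges", v4), ("Ipv6Ranges", v6)):
            if ranges:
                rule[key] = ranges
        found.append(rule)
    return found


def audit_instance(db, sgs_by_id):
    """FAIL: flag on and a world-open rule (reachable from the Internet);
    WARN: only one of the two conditions holds; PASS: neither."""
    port = db["Endpoint"]["Port"]
    open_rules = {}
    for member in db.get("VpcSecurityGroups", []):
        sg_id = member["VpcSecurityGroupId"]
        rules = world_open_rules(sgs_by_id.get(sg_id, {}), port)
        if rules:
            open_rules[sg_id] = rules
    flag = bool(db.get("PubliclyAccessible"))
    status = "FAIL" if flag and open_rules else ("WARN" if flag or open_rules else "PASS")
    return {"instance": db["DBInstanceIdentifier"], "port": port, "publicly_accessible": flag,
            "world_open_rules": open_rules, "status": status}


def remediation_plan(result, replacement_cidr=None):
    """Console steps as API calls: authorize a restricted source (step 5.2), revoke the
    world-open rules, clear the flag (step 6). Revoked rules stay in the plan for backout."""
    plan = {"authorize_ingress": [], "revoke_ingress": [], "modify_db_instance": None}
    for sg_id, rules in result["world_open_rules"].items():
        if replacement_cidr:
            plan["authorize_ingress"].append({"GroupId": sg_id, "IpPermissions": [{
                "IpProtocol": "tcp", "FromPort": result["port"], "ToPort": result["port"],
                "IpRanges": [{"CidrIp": replacement_cidr, "Description": "restricted DB access"}]}]})
        plan["revoke_ingress"].append({"GroupId": sg_id, "IpPermissions": rules})
    if result["publicly_accessible"]:
        plan["modify_db_instance"] = {"DBInstanceIdentifier": result["instance"],
                                      "PubliclyAccessible": False, "ApplyImmediately": True}
    return plan


def apply_plan(plan, region):
    """Execute a plan with boto3 (network; needs ec2:AuthorizeSecurityGroupIngress,
    ec2:RevokeSecurityGroupIngress, rds:ModifyDBInstance). Authorize before revoke."""
    import boto3  # imported here so the offline audit logic has no AWS dependency
    ec2, rds = boto3.client("ec2", region_name=region), boto3.client("rds", region_name=region)
    for call in plan["authorize_ingress"]:
        ec2.authorize_security_group_ingress(**call)
    for call in plan["revoke_ingress"]:
        ec2.revoke_security_group_ingress(**call)
    if plan["modify_db_instance"]:
        rds.modify_db_instance(**plan["modify_db_instance"])


# Constructed sample with hypothetical identifiers, shaped like the describe-* responses.
SAMPLE_DB = {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
             "Endpoint": {"Address": "orders-db.example.invalid", "Port": 5432},
             "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]}
SAMPLE_SGS = {"sg-0123456789abcdef0": {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}

if __name__ == "__main__":
    finding = audit_instance(SAMPLE_DB, SAMPLE_SGS)
    print(finding["status"], finding["world_open_rules"])
    print(remediation_plan(finding, replacement_cidr="203.0.113.10/32"))
```

Against a live account, feed audit_instance() the entries from describe_db_instances()["DBInstances"] and a dict keyed by GroupId built from describe_security_groups(GroupIds=[...])["SecurityGroups"], then review the printed plan before calling apply_plan(). The plan retains the exact rules it revokes, which is the record the Backout plan relies on; the 10.20.0.0/16 entry in the sample is left untouched, and the world-open SSH rule is not reported because it does not cover the database port.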


Backout plan:

To revert the changes, follow the implementation steps again, choose Publicly accessible in step 6, and restore the security group inbound rules you recorded in the pre-requisites. Note that re-enabling the flag re-exposes the endpoint to the Internet immediately if the restored rules allow 0.0.0.0/0.


Reference:

https://aws.amazon.com/rds/