Description:

Amazon RDS databases can be launched in the public or private subnet of a VPC. Ensure that no AWS RDS database instances are provisioned inside VPC public subnets, in order to protect them from direct exposure to the Internet. Since database instances are not Internet-facing and their management (running software updates, implementing security patches, etc.) is done by Amazon, these instances should run only in private subnets.


Rationale:

By provisioning your RDS instances within private subnets (logically isolated sections of your AWS VPC), you prevent these resources from receiving inbound traffic from the public Internet, and therefore have a stronger guarantee that no malicious requests can reach your database instances.


Impact:

Amazon RDS (Relational Database Service) instances store large volumes of crucial and sensitive organizational data, and organizations cannot afford to put this data at risk. It is therefore important to make sure that your AWS RDS instances are secured by following practices such as this one, which help secure your databases and minimize the risk of attacks against your cloud infrastructure.


Default Value:

The subnet placement of an AWS RDS instance depends on the DB subnet group chosen while creating the instance; there is no default that prevents placement in a public subnet.


Audit:

Step 1: Login to the AWS Management Console.

Step 2: Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation panel, under RDS Dashboard, click Databases.

Step 4: Select the RDS instance that you want to examine.

Step 5: On the Connectivity & security tab, in the Networking section, click one of the subnet links listed under Subnets.

Step 6: Select the subnet listed on the page and click the Route Table tab from the dashboard bottom panel. If the route table contains any entry with the destination CIDR block set to 0.0.0.0/0 and an Internet Gateway (e.g. igw-xxxxxxxx) as its target, the selected RDS database instance was provisioned inside a public subnet, is therefore not running within a logically isolated environment, and can be accessible from the Internet. A 0.0.0.0/0 route whose target is a NAT gateway does not make the subnet public, since it only allows outbound traffic.


Step 7: Repeat steps 5 and 6 to determine the type (public or private) of every other VPC subnet associated with the selected RDS instance.
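The same audit (steps 5 to 7) automated as an added example that is not part of the original control text: it classifies every subnet of the instance's DB subnet group by looking for a 0.0.0.0/0 route targeting an igw-* gateway in the subnet's effective route table. The boto3 API calls describe_db_instances and describe_route_tables are real; the FakeRds/FakeEc2 classes and every id they return are constructed stand-ins so the code runs offline.

```python
def route_table_is_public(route_table: dict) -> bool:
    """True if an active route sends 0.0.0.0/0 to an igw-* target (NAT routes do not count)."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        and r.get("State", "active") == "active"
        for r in route_table.get("Routes", [])
    )

def classify_subnets(ec2, vpc_id: str, subnet_ids: list) -> dict:
    """Map subnet id -> 'public'/'private' from boto3-shaped describe_route_tables output.
    A subnet with no explicit association uses the VPC main route table (Audit step 6)."""
    tables = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]
    main_table, explicit = {}, {}
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_table = table
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table
    return {sid: "public" if route_table_is_public(explicit.get(sid, main_table)) else "private"
            for sid in subnet_ids}

def audit_db_instance(rds, ec2, db_instance_identifier: str) -> dict:
    """Classify every subnet of the instance's DB subnet group; any 'public' entry is a finding."""
    inst = rds.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)["DBInstances"][0]
    group = inst["DBSubnetGroup"]
    return classify_subnets(ec2, group["VpcId"], [s["SubnetIdentifier"] for s in group["Subnets"]])

# Constructed stand-ins for boto3 clients so the audit runs offline; sample ids, not real AWS data.
class FakeEc2:
    def describe_route_tables(self, Filters):
        local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
        igw = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}
        nat = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}
        return {"RouteTables": [
            {"Associations": [{"Main": True}], "Routes": [local]},
            {"Associations": [{"SubnetId": "subnet-pub"}], "Routes": [local, igw]},
            {"Associations": [{"SubnetId": "subnet-nat"}], "Routes": [local, nat]},
        ]}

class FakeRds:
    def describe_db_instances(self, DBInstanceIdentifier):
        subnets = [{"SubnetIdentifier": s} for s in ("subnet-pub", "subnet-nat", "subnet-priv")]
        return {"DBInstances": [{"DBSubnetGroup": {"VpcId": "vpc-0example", "Subnets": subnets}}]}

if __name__ == "__main__":
    # Real use: pass boto3.client("rds") and boto3.client("ec2") in place of the fakes.
    print(audit_db_instance(FakeRds(), FakeEc2(), "mydbinstance"))
```

With real clients, the account needs only read permissions (rds:DescribeDBInstances, ec2:DescribeRouteTables); the instance is compliant when no subnet is reported as public.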


Remediation:

Pre-Requisite:

  • To move your RDS database instances from public subnets to private subnets, you must replace their current subnet groups with ones that contain only VPC private subnets.

  • Before implementation, you must take a snapshot of your RDS instance.


Implementation Steps:

Step 1: Log in to the AWS Management Console.

Step 2: Navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation panel, under RDS Dashboard, click Databases.

Step 4: Select the RDS instance that you want to migrate to the private subnet(s) (see the Audit section above to identify the right resource(s)).

Step 5: From the dashboard top menu, select Take Snapshot to create a database snapshot (backup).

Step 6: On the Take DB Snapshot page, in the Snapshot Name box, enter a unique name for the database backup then click Take Snapshot to send the request.

Step 7: Go back to the Databases page and select again the RDS instance that you want to migrate.

Step 8: Click Modify button from the dashboard top menu.

Step 9: On the Modify DB Instance: <instance identifier> page, perform the following actions:

  1. Select the appropriate DB Subnet Group (i.e. the one that contains only private subnets, usually created in another VPC) from the Subnet Group dropdown list.

  2. At the bottom of the page, select the Apply Immediately checkbox to apply the subnet group change immediately, then save your changes.

Step 10: Choose Back to edit your changes or Cancel to discard them.


Via CLI:

aws rds modify-db-instance ^
    --db-instance-identifier mydbinstance ^
    --db-subnet-group-name <private-db-subnet-group-name> ^
    --backup-retention-period 7 ^
    --deletion-protection ^
    --no-apply-immediately

The --db-subnet-group-name option selects the DB subnet group that contains only private subnets (replace the placeholder with your group's name); without it the command does not change the instance's subnets. The ^ line continuations are for the Windows command prompt; use \ in a POSIX shell. With --no-apply-immediately the change is applied during the next maintenance window; use --apply-immediately to apply it at once, as in step 9 above.


Backout plan :

To revert the changes, follow the same implementation steps and select the previous DB subnet group again.


Reference:

VPC with public and private subnets (NAT) - Amazon Virtual Private Cloud 

Modifying an Amazon RDS DB instance - Amazon Relational Database Service 

Amazon RDS instances should not be present in public subnets