Description:
Amazon Lightsail is an AWS service that offers virtual private servers (VPS) together with the compute, storage, and networking capabilities developers need to deploy and manage websites and web applications in the cloud. Lightsail bundles the pieces needed to launch a project quickly (virtual machines, containers, managed databases, a CDN, load balancers, DNS management, and so on) for a low, predictable monthly price.
Rationale:
When public mode is enabled, the database endpoint is reachable from any host on the internet, so the database user name and password become the only barrier: anyone who obtains them (through a leak, a misconfigured application, or credential guessing against the exposed port) can connect. It is therefore recommended to disable public mode on the Amazon Lightsail RDS unless there is a documented need for internet access.
Impact:
When public mode is disabled, only your Lightsail resources in the same AWS Region as the database can connect to it. Any client outside Lightsail, including your own workstation or a CI runner that currently connects directly, loses access, so confirm where connections originate before turning public mode off.
Default Value:
A new Lightsail database is created with public mode disabled. The setting can be chosen at creation time with the --publicly-accessible / --no-publicly-accessible option of create-relational-database and changed at any later time.
Audit:
via Management Console
Sign in to the AWS Management Console.
Navigate to the Amazon Lightsail service at https://lightsail.aws.amazon.com/ls
On the Databases tab, choose the database whose public mode you want to check.
Under the Connect section, scroll to Endpoint and port; the warning displayed next to the endpoint shows the public mode status.
- If public mode is Enabled, the RDS is publicly accessible
- If public mode is Disabled, the RDS is NOT publicly accessible
via CLI
Use the get-relational-databases command to list the databases in the current region. Lightsail is a regional service, so repeat the command for every region in use (pass --region, or script it over the output of get-regions).
aws lightsail get-relational-databases --query 'relationalDatabases[].[name,state,publiclyAccessible]' --output table
In each row (database), look at the publiclyAccessible attribute.
- If the value is True, the Lightsail RDS is publicly accessible
- If the value is False, the Lightsail RDS is NOT publicly accessible
Remediation:
Pre-Requisite:
Access to the Amazon Lightsail service with permission to view and update databases.
The database you want to modify must be in the Available state.
Implementation steps:
via Management Console
Sign in to the AWS Management Console.
Navigate to the Amazon Lightsail service at https://lightsail.aws.amazon.com/ls
On the Databases tab, choose the database whose public mode you want to modify.
Under the Networking section, Network security contains the Public mode toggle.
Turn it OFF to disable public mode.
via CLI
Use the update-relational-database command to update one or more attributes of a database in Amazon Lightsail. The command also accepts --apply-immediately; without it, changes the service treats as deferrable are applied during the preferred maintenance window, so include it when the change must take effect now.
aws lightsail update-relational-database --relational-database-name <value> --no-publicly-accessible
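The audit and remediation steps above are run per database and per region. The following Python script is an added example, not code from the original page or from AWS: it walks every Lightsail region, pages through get-relational-databases, reports databases whose publiclyAccessible flag is set, and optionally calls update-relational-database with publiclyAccessible=False (and applyImmediately=True) for those in the available state, skipping any that are still modifying. It assumes boto3 is installed and credentials allowed to call lightsail:GetRegions, lightsail:GetRelationalDatabases and lightsail:UpdateRelationalDatabase; SAMPLE_PAGES and RecordedClient are constructed stand-ins so the logic can be exercised offline.

```python
"""Audit Amazon Lightsail managed databases for public mode and turn it off.

Added example, not code from the original page or from AWS. Assumes boto3 and
credentials with lightsail:GetRegions, lightsail:GetRelationalDatabases and
lightsail:UpdateRelationalDatabase. SAMPLE_PAGES and RecordedClient below are
constructed test data, not real API output.
"""
from typing import Iterable, Iterator


def find_public_databases(pages: Iterable[dict]) -> list[dict]:
    """Pick out databases with publiclyAccessible set from listing pages.

    Each page has the shape of a get-relational-databases response: a
    relationalDatabases list whose items carry name, state,
    publiclyAccessible, location and masterEndpoint.
    """
    exposed = []
    for page in pages:
        for db in page.get("relationalDatabases", []):
            if db.get("publiclyAccessible") is True:
                exposed.append({
                    "name": db["name"],
                    "state": str(db.get("state", "")).lower(),
                    "region": db.get("location", {}).get("regionName"),
                    "endpoint": db.get("masterEndpoint", {}).get("address"),
                    "port": db.get("masterEndpoint", {}).get("port"),
                })
    return exposed


def iter_database_pages(client) -> Iterator[dict]:
    """Yield every page of one region's listing, following nextPageToken."""
    token = None
    while True:
        page = client.get_relational_databases(**({"pageToken": token} if token else {}))
        yield page
        token = page.get("nextPageToken")
        if not token:
            return


def audit_region(client, remediate: bool = False) -> list[dict]:
    """Report public databases in one region; optionally disable public mode.

    Only databases in the available state are updated: the service rejects
    updates against a database that is still modifying.
    """
    findings = find_public_databases(iter_database_pages(client))
    for db in findings:
        db["remediated"] = False
        if remediate and db["state"] == "available":
            client.update_relational_database(
                relationalDatabaseName=db["name"],
                publiclyAccessible=False,
                applyImmediately=True,
            )
            db["remediated"] = True
    return findings


def audit_all_regions(remediate: bool = False) -> list[dict]:
    """Listings are per region, so walk every region Lightsail offers."""
    import boto3  # imported here so the offline demo below does not need it

    seed = boto3.client("lightsail", region_name="us-east-1")
    regions = seed.get_regions(includeRelationalDatabaseAvailabilityZones=True)["regions"]
    findings = []
    for region in regions:
        client = boto3.client("lightsail", region_name=region["name"])
        findings.extend(audit_region(client, remediate=remediate))
    return findings


# Constructed sample listing, split into two pages the way the API paginates.
SAMPLE_PAGES = [
    {"relationalDatabases": [
        {"name": "shop-db", "state": "available", "publiclyAccessible": True,
         "location": {"regionName": "us-east-1", "availabilityZone": "us-east-1a"},
         "masterEndpoint": {"address": "ls-sample1.example.internal", "port": 3306}},
        {"name": "internal-db", "state": "available", "publiclyAccessible": False,
         "location": {"regionName": "us-east-1", "availabilityZone": "us-east-1b"},
         "masterEndpoint": {"address": "ls-sample2.example.internal", "port": 5432}},
    ], "nextPageToken": "page-2"},
    {"relationalDatabases": [
        {"name": "staging-db", "state": "modifying", "publiclyAccessible": True,
         "location": {"regionName": "us-east-1", "availabilityZone": "us-east-1a"},
         "masterEndpoint": {"address": "ls-sample3.example.internal", "port": 3306}},
    ]},
]


class RecordedClient:
    """Constructed stand-in for a boto3 Lightsail client serving SAMPLE_PAGES."""

    def __init__(self, pages=SAMPLE_PAGES):
        self._pages = {None: pages[0]}
        for prev, nxt in zip(pages, pages[1:]):
            self._pages[prev["nextPageToken"]] = nxt
        self.updates = []  # every update_relational_database call made

    def get_relational_databases(self, pageToken=None):
        return self._pages[pageToken]

    def update_relational_database(self, **kwargs):
        self.updates.append(kwargs)
        return {"operations": []}


if __name__ == "__main__":
    for f in audit_region(RecordedClient(), remediate=True):
        print(f"{f['region']} {f['name']} {f['endpoint']}:{f['port']} remediated={f['remediated']}")
```

Run it once with remediate=False to review the findings, then with remediate=True; databases reported as not remediated were still modifying and need a second pass once they return to available.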
Backout Plan:
via Management Console
If the Lightsail RDS was initially publicly accessible, you can revert the change by turning ON Public mode under the Networking section to make it publicly accessible again.
via CLI
If the Lightsail RDS was initially publicly accessible, you can revert the change with the update-relational-database command to make it publicly accessible again.
aws lightsail update-relational-database --relational-database-name <value> --publicly-accessible
Note:
To update the Lightsail RDS, the database must be in the Available state; an update attempted while it is Modifying fails.
While the update is applied, the status is set to Modifying. Once the change has been applied successfully, the status returns to Available.
It can take a few minutes for the database to become Available again after public mode is switched On or Off; re-run the audit afterwards to confirm the publiclyAccessible value.
Reference:
Amazon Lightsail documentation: https://docs.aws.amazon.com/lightsail/
lightsail, AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/lightsail/
get-relational-databases, AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/lightsail/get-relational-databases.html
update-relational-database, AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-relational-database.html