Description:

Lightsail is a Virtual Private Server (VPS) service that provides developers with compute, storage, and networking capacity to deploy and manage websites and web applications in the cloud. Lightsail includes everything you need to launch a project quickly (virtual machines, containers, managed databases, CDN, load balancers, DNS management, etc.) for a low, predictable monthly price.


Rationale:

When public mode is enabled, the database endpoint is reachable from the internet, so anyone who obtains the database user name and password can connect to it; the credential is the only control standing between an attacker and the data. Disabling public mode on the Amazon Lightsail managed database (referred to as the "Lightsail RDS" below) removes that exposure, so that a leaked or brute-forced credential alone is not enough to reach the database from outside Lightsail.


Impact:

When public mode is disabled, only your Lightsail resources in the same Region as the database can connect to it. Any client outside Lightsail (a developer workstation, an on-premises job, an EC2 instance) loses connectivity, so inventory the database's clients before disabling public mode and route external access through a Lightsail instance in the same Region (for example an SSH tunnel) rather than re-enabling public mode.


Default Value:

Public mode is off unless it is explicitly enabled. The CLI exposes it at creation time through the --publicly-accessible / --no-publicly-accessible option of create-relational-database; in the console it is switched on after creation under the Networking tab. Because anyone with permission to update the database can turn it on later, audit the setting on a schedule rather than relying on the creation-time value.


Audit:

  • via Management Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon Lightsail service at https://lightsail.aws.amazon.com/ls

  3. On the Databases tab, choose the database whose public mode you want to check.

  4. Under the Connect section, scroll to Endpoint and port to view the notice that displays the public mode status.

  5. If public mode is Enabled, the Lightsail RDS is publicly accessible.
  6. If public mode is Disabled, the Lightsail RDS is NOT publicly accessible.


  • via CLI

  1. Use the get-relational-databases command to list your databases in Amazon Lightsail. Lightsail databases are regional, so run the command against each Region you use (--region), and if the response contains a nextPageToken, re-run it with --page-token to fetch the remaining databases.

    aws lightsail get-relational-databases
      --output table
  2. In each row (database), look at the publiclyAccessible attribute. In table output the value is shown as True/False; in JSON output it is the boolean true/false.

    If the value is True, the Lightsail RDS is publicly accessible.

    If the value is False, the Lightsail RDS is NOT publicly accessible.


Remediation:

Pre-Requisite:

  1. Access to the Amazon Lightsail service with permission to update the database.

  2. The database you want to modify must be in the available state.


 Implementation steps:

  • via Management Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon Lightsail service at https://lightsail.aws.amazon.com/ls

  3. On the Databases tab, choose the database whose public mode you want to modify.

  4. Under the Networking tab, the Network security section contains the public mode toggle.

  5. Turn it OFF to disable public mode.


  • via CLI

  1.  Use the update-relational-database command to update one or more attributes of a database in Amazon Lightsail. Pass --region for the Region the database lives in.

    aws lightsail update-relational-database
      --relational-database-name <value>
      --no-publicly-accessible
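The following script ties the CLI audit and remediation steps together. It is an added example, not AWS or CIS code: it reads the JSON printed by `aws lightsail get-relational-databases --output json` for one Region, flags every database whose publiclyAccessible attribute is true, warns when a nextPageToken means more pages must be fetched, and prints the exact update-relational-database command that would disable public mode for each finding (it never runs the command itself). The embedded response is a constructed sample in the shape of the real API response, trimmed to the fields the check needs; the database names in it are made up.

```python
"""Audit Lightsail managed databases for public mode and emit remediation commands.

Usage (real data, one Region at a time):
    aws lightsail get-relational-databases --region us-east-1 --output json | python3 audit_public_mode.py
Run with no stdin to process the constructed sample below.
"""
import json
import sys

# Constructed sample of a get-relational-databases response (fields trimmed).
# Names and states are illustrative, not real resources.
SAMPLE_RESPONSE = json.dumps({
    "relationalDatabases": [
        {"name": "prod-db", "location": {"regionName": "us-east-1"},
         "state": "available", "publiclyAccessible": True},
        {"name": "internal-db", "location": {"regionName": "us-east-1"},
         "state": "available", "publiclyAccessible": False},
        {"name": "staging-db", "location": {"regionName": "us-east-1"},
         "state": "modifying", "publiclyAccessible": True},
    ]
})


def find_public_databases(response_json):
    """Return a list of (name, region, state) for every database with public mode on.

    Only a literal boolean true counts: a missing attribute is treated as not
    public, but is still worth eyeballing in the raw output.
    """
    data = json.loads(response_json)
    findings = []
    for db in data.get("relationalDatabases", []):
        if db.get("publiclyAccessible") is True:
            region = db.get("location", {}).get("regionName", "unknown")
            findings.append((db["name"], region, db.get("state", "unknown")))
    return findings


def has_more_pages(response_json):
    """True when the response carries a nextPageToken, i.e. the audit is incomplete."""
    return bool(json.loads(response_json).get("nextPageToken"))


def remediation_commands(findings):
    """Build one update-relational-database command per finding.

    Databases that are not in the available state are skipped, because the
    update is rejected until the current modification finishes; re-run the
    audit for those once they are available again.
    """
    cmds = []
    for name, region, state in findings:
        if state != "available":
            continue
        cmds.append(
            f"aws lightsail update-relational-database --region {region} "
            f"--relational-database-name {name} --no-publicly-accessible"
        )
    return cmds


def main():
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    findings = find_public_databases(raw)
    if has_more_pages(raw):
        print("WARNING: nextPageToken present; re-run with --page-token for the rest.")
    if not findings:
        print("PASS: no database has public mode enabled.")
        return
    for name, region, state in findings:
        print(f"FAIL: {name} ({region}) is publicly accessible [state={state}]")
    print("\nRemediation (review, then run):")
    for cmd in remediation_commands(findings):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

On the sample the script reports prod-db and staging-db as failing, but only emits a remediation command for prod-db; staging-db is in the modifying state and must be re-checked once it returns to available, which matches the Note section's constraint that the database must be available before it can be updated.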


Backout Plan:

  • via Management Console

 If the Lightsail RDS was initially publicly accessible, you can revert the change by turning public mode back ON under the Networking tab to make it publicly accessible again.


  • via CLI

  1.  If the Lightsail RDS was initially publicly accessible, you can revert the change with the update-relational-database command and make it publicly accessible again.

    aws lightsail update-relational-database
      --relational-database-name <value>
      --publicly-accessible

Note:

  • To update the Lightsail RDS, the database must be in the available state; an update issued while it is modifying is rejected.

  • While the update is being applied, the status is set to Modifying. Once the change has been applied, the status returns to Available.

  • It can take 2-3 minutes for the database to become available again after the public mode setting is changed (On/Off). Re-run the audit afterwards to confirm that publiclyAccessible now reads false.

Reference:

Amazon Lightsail documentation: https://docs.aws.amazon.com/lightsail/

lightsail - AWS CLI Command Reference

get-relational-databases - AWS CLI Command Reference

update-relational-database - AWS CLI Command Reference