Profile Applicability:
Level 1
Description:
Amazon RDS should not be publicly accessible to prevent unauthorized access to sensitive data. A publicly accessible RDS instance allows any internet-based attacker to attempt to connect to the database.
Rationale:
Restricts exposure of the database to the public internet.
Minimizes attack vectors like brute-force login attempts and SQL injection.
Ensures compliance with security best practices (SOC 2, PCI-DSS, GDPR, HIPAA).
Prevents data breaches by limiting access to only internal applications and users.
Impact:
If RDS is not publicly accessible, only resources within the same VPC can connect.
Access must be explicitly allowed via VPC security groups and IAM roles.
Certain AWS services may require adjustments, such as Lambda, EC2, or on-prem applications.
Default Value:
By default, AWS RDS does not enable public access unless explicitly configured.
Pre-Requisites:
IAM permissions to modify RDS instances:
rds:DescribeDBInstances, rds:ModifyDBInstance, ec2:DescribeRouteTables
AWS CLI installed (for automation)
List of all RDS instances in your AWS account
Remediation:
Test Plan:
Using AWS Console
Step 1: Check if an RDS Instance is Publicly Accessible
Log in to the AWS Management Console
Navigate to RDS Dashboard → Amazon RDS Console
Click Databases
Select an RDS instance.
Click Connectivity & security.
Under Security group rules, check if Publicly Accessible is set to Yes.
Step 2: Check If RDS is in a Public Subnet
Navigate to Amazon VPC Console → Amazon VPC Console
Click Subnets
Select the subnet associated with the RDS instance
Click Route Table → Check if there is a route with Destination: 0.0.0.0/0
If Gateway ID is an Internet Gateway (igw-xxxxxx), the subnet is public
Using AWS CLI
Step 1: List All RDS Instances
aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'
Find the RDS instance(s) that need verification.
Step 2: Check If an RDS Instance is Publicly Accessible
aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].PubliclyAccessible'
Expected Output (If private):
[
false
]
Step 3: Verify the Subnet Route Table
aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.Subnets[*].SubnetIdentifier'
Extract the subnet ID(s) of the RDS instance.
aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=<subnet-id>" --query 'RouteTables[*].Routes'
Implementation Steps:
Using AWS Console
Step 1: Modify RDS Public Accessibility
Log in to the AWS Console
Navigate to Amazon RDS Console
Click Databases → Select the RDS instance
Click Modify
Under Connectivity, locate Publicly Accessible → Select No
Click Continue
Choose one:
Apply immediately → Changes take effect immediately (may cause downtime).
Apply during next maintenance window (Recommended for production).
Click Modify DB Instance
- The instance is now private.
Step 2: Move RDS to a Private Subnet
Navigate to Amazon VPC Console
Click Subnets
Find the subnet ID associated with RDS
Click Route Table
Click Edit routes
Remove any 0.0.0.0/0 routes pointing to an Internet Gateway (igw-xxxxxx)
Save changes
- The instance is no longer accessible from the internet.
Using AWS CLI
Step 1: Disable Publicly Accessible Setting
aws rds modify-db-instance --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately
- This makes the instance private immediately.
Step 2: Remove Public Route from the Subnet
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0
- This ensures the subnet is private.
Backout Plan:
If changes cause disruptions: Re-enable public access if necessary:
aws rds modify-db-instance --db-instance-identifier <db-name> --publicly-accessible --apply-immediately
Add a bastion host for secure access.
Restore networking configurations via AWS Console.