iCompaas Support

Profile Applicability:

Level 1

Description:

Amazon RDS should not be publicly accessible to prevent unauthorized access to sensitive data. A publicly accessible RDS instance allows any internet-based attacker to attempt to connect to the database.

Rationale:

• Restricts exposure of the database to the public internet.

• Minimizes attack vectors like brute-force login attempts and SQL injection.

• Ensures compliance with security best practices (SOC 2, PCI-DSS, GDPR, HIPAA).

• Prevents data breaches by limiting access to only internal applications and users.

Impact:

• If RDS is not publicly accessible, only resources within the same VPC can connect.

• Access must be explicitly allowed via VPC security groups and IAM roles.

• Certain AWS services may require adjustments, such as Lambda, EC2, or on-prem applications.

Default Value:

By default, AWS RDS does not enable public access unless explicitly configured.

Pre-Requisites:

1. IAM permissions to modify RDS instances:

   • rds:DescribeDBInstances, rds:ModifyDBInstance, ec2:DescribeRouteTables

2. AWS CLI installed (for automation)

3. List of all RDS instances in your AWS account

Remediation:

Test Plan:

Using AWS Console

Step 1: Check if an RDS Instance is Publicly Accessible

1. Log in to the AWS Management Console

2. Navigate to RDS Dashboard → Amazon RDS Console

3. Click Databases

4. Select an RDS instance.          

5. Click Connectivity & security.

6. Under Security group rules, check if Publicly Accessible is set to Yes.

Step 2: Check If RDS is in a Public Subnet

1. Navigate to Amazon VPC Console → Amazon VPC Console

2. Click Subnets

3. Select the subnet associated with the RDS instance

4. Click Route Table → Check if there is a route with Destination: 0.0.0.0/0  

5. If Gateway ID is an Internet Gateway (igw-xxxxxx), the subnet is public        

Using AWS CLI

Step 1: List All RDS Instances

aws rds describe-db-instances --query 'DBInstances[*].DBInstanceIdentifier'

Find the RDS instance(s) that need verification.

Step 2: Check If an RDS Instance is Publicly Accessible

aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].PubliclyAccessible'

Expected Output (If private):

[

    false

]

aws rds describe-db-instances --db-instance-identifier <db-name> --query 'DBInstances[*].DBSubnetGroup.Subnets[*].SubnetIdentifier'

aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=<subnet-id>" --query 'RouteTables[*].Routes'

Implementation Steps:

Using AWS Console

Step 1: Modify RDS Public Accessibility

1. Log in to the AWS Console

2. Navigate to Amazon RDS Console

3. Click Databases → Select the RDS instance

4. Click Modify

5. Under Connectivity, locate Publicly Accessible → Select No          

6. Click Continue

7. Choose one:

   • Apply immediately → Changes take effect immediately (may cause downtime).

   • Apply during next maintenance window (Recommended for production).

8. Click Modify DB Instance

• The instance is now private.

Step 2: Move RDS to a Private Subnet

1. Navigate to Amazon VPC Console

2. Click Subnets

3. Find the subnet ID associated with RDS

4. Click Route Table            

5. Click Edit routes      

6. Remove any 0.0.0.0/0 routes pointing to an Internet Gateway (igw-xxxxxx)      

7. Save changes

•  The instance is no longer accessible from the internet.

Using AWS CLI

Step 1: Disable Publicly Accessible Setting

aws rds modify-db-instance --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately

• This makes the instance private immediately.

Step 2: Remove Public Route from the Subnet

aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block 0.0.0.0/0

Backout Plan:
If changes cause disruptions: Re-enable public access if necessary: 

aws rds modify-db-instance --db-instance-identifier <db-name> --publicly-accessible --apply-immediately

1. Add a bastion host for secure access.

2. Restore networking configurations via AWS Console.

References:

• Amazon RDS Security Best Practice

• Working with RDS in a VPC