Profile Applicability:
 Level 2

Description:
 Many cloud-based databases offer a "public mode" or an "open access" setting that allows access from any IP address on the internet. This setting can expose the database to unauthorized access, making it vulnerable to attacks such as data breaches or unauthorized manipulation. Disabling public mode ensures that only authorized IP addresses or private networks can access the database, significantly improving its security.

Rationale:
 Enabling public access to a database can leave it open to the public internet, which is a significant security risk. Disabling public mode ensures that only trusted internal systems or authorized external networks can access the database. This is essential for protecting sensitive data and ensuring compliance with security standards and regulations.

Impact:
 Pros:

  • Restricts database access to only trusted networks or IPs.

  • Reduces the risk of unauthorized access and data breaches.

  • Helps meet compliance and regulatory standards, such as GDPR, HIPAA, and SOC 2.

  • Increases overall security posture by reducing the attack surface.

Cons:

  • Requires configuration to specify which IP addresses or networks should be allowed access.

  • Potential for service disruption if not configured correctly, especially if legitimate services require access from external IPs.

Default Value:
 By default, many database services allow public access unless restricted by network configurations (like firewalls or VPC settings). Public access should be manually disabled during initial configuration or after deployment.

Pre-requisites:

  • AWS IAM permissions (if using cloud services like AWS, GCP, or Azure):
    rds:DescribeDBInstances (for AWS RDS)
    gcp:DescribeDatabaseInstances (for GCP Cloud SQL)
     azure:ListDatabases (for Azure SQL)

  • Appropriate network settings for your database, such as firewalls, security groups, or VPC settings, to restrict access.

  • Access to the database configuration settings to verify the public mode status.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to RDS and select Databases from the left menu.

  3. Select the database instance you want to check.

  4. In the Connectivity & Security section, check the Publicly Accessible setting.

    • If set to Yes, public mode is enabled, and you should disable it.

    • If set to No, the database is not publicly accessible.

  5. If public mode is enabled, modify the database instance settings to disable public access by setting Publicly Accessible to No.

  6. Save the changes and confirm that the database is no longer publicly accessible.

Using AWS CLI:

  1. List all database instances:

    aws rds describe-db-instances --query "DBInstances[*].DBInstanceIdentifier"

  2. For each database instance, check if public access is enabled:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"

  3. If public access is enabled (true), disable it by running:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --publicly-accessible false

  4. Confirm that public access has been disabled:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"

Implementation Plan:

Using AWS Console:

  1. Open the RDS Console and select Databases.

  2. Choose the database instance to modify.

  3. In the Connectivity & Security section, change Publicly Accessible to No.

  4. Save the changes and monitor the instance for any connectivity issues.

Using AWS CLI:

  1. Run the modify-db-instance command to disable public access:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --publicly-accessible false

  2. Verify that the change was applied:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"

Backout Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon SageMaker and select Notebook instances.

  3. Select the Notebook instance that has encryption enabled.

  4. Click Edit and disable encryption or switch to another KMS key (e.g., default AWS-managed key).

  5. Save the changes and monitor the notebook instance to ensure it functions correctly.

Using AWS CLI:

  1. Identify the affected database and check connectivity.

  2. Re-enable public access by modifying the database instance settings:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --publicly-accessible true

  3. Confirm that the database is publicly accessible:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"

  4. Troubleshoot any related connectivity or access control issues.

  5. Document the changes and backout process for compliance and auditing purposes.

Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

4.1

Ensure databases are not publicly accessible, unless absolutely necessary, by configuring access controls and firewalls.

7.1

8.1

Disable public access to databases to prevent unauthorized access and reduce the attack surface of critical infrastructure.