Profile Applicability:
Level 2
Description
PostgreSQL database servers use TCP port 5432 to accept connections. Allowing unrestricted access to this port from 0.0.0.0/0 (IPv4) or ::/0 (IPv6) exposes the database to unauthorized access attempts and malicious attacks, such as SQL injection and brute-force attacks. To enhance database security, ingress to port 5432 should be restricted to trusted IP ranges only.
Rationale
Enhanced Security: Prevents unauthorized access to PostgreSQL database servers.
Risk Mitigation: Reduces exposure to malicious activities, such as brute-force attacks.
Compliance: Aligns with security best practices and regulatory requirements.
Impact
Pros:
Protects sensitive data stored in PostgreSQL databases.
Reduces the attack surface for unauthorized access attempts.
Enhances overall security posture and aligns with compliance standards.
Cons:
May require configuration of secure alternatives like VPNs or bastion hosts.
Could inconvenience users with changing access IPs.
Default Value
By default, no security group allows ingress on port 5432; unrestricted access exists only where a rule with source 0.0.0.0/0 or ::/0 has been added to the group, which is a misconfiguration.
Pre-Requisite
IAM Permissions:
ec2:DescribeSecurityGroups
ec2:RevokeSecurityGroupIngress
ec2:AuthorizeSecurityGroupIngress (needed only for the steps that add trusted-range rules and for the backout plan)
AWS CLI installed and configured.
Remediation
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 Dashboard.
Go to the Security Groups tab.
Identify security groups allowing ingress to port 5432 from 0.0.0.0/0 or ::/0.
Using AWS CLI:
Identify Ingress Rules Allowing Public Access:
aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?FromPort==\`5432\` && (contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0'))]].{GroupId:GroupId,GroupName:GroupName}" --output table
Note: the backticks are JMESPath literal delimiters and must be escaped inside a double-quoted shell string, otherwise the shell treats them as command substitution. The query lists the IDs and names of groups with a rule whose FromPort is exactly 5432; rules that open a port range covering 5432 (for example 5000-6000) or all traffic (protocol -1) also expose the database and must be reviewed separately.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 Dashboard.
Go to the Security Groups tab.
Identify security groups with rules allowing ingress to port 5432.
Edit the security groups:
Remove the rule allowing ingress from 0.0.0.0/0 or ::/0.
Restrict access to trusted IP ranges, or remove the rule entirely if PostgreSQL is not required.
Save the changes.
Using AWS CLI:
Revoke Insecure Ingress Rules:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 5432 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=5432,ToPort=5432,Ipv6Ranges=[{CidrIpv6=::/0}]'
Note: the --cidr shorthand accepts IPv4 ranges only, so the IPv6 rule must be revoked with --ip-permissions as shown. Revoking names only the CIDR to remove; any other source ranges on the same rule are left in place.
Add Secure Rules for Specific IP Ranges (if required):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 5432 --cidr <trusted-cidr>
For an IPv6 trusted range, use --ip-permissions 'IpProtocol=tcp,FromPort=5432,ToPort=5432,Ipv6Ranges=[{CidrIpv6=<trusted-ipv6-cidr>}]' instead of --cidr.
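The following Python script is an added example; it is not part of this benchmark text nor of the AWS CLI or boto3. It covers both the audit step (finding rules that expose TCP 5432 to 0.0.0.0/0 or ::/0) and the remediation step (building the exact revoke payload for each finding), and it goes beyond the describe-security-groups query above by also catching port ranges that cover 5432 and all-traffic (protocol -1) rules. It runs offline over a constructed sample in the shape that boto3's describe_security_groups returns; the group IDs and CIDRs in the sample are made up. Replace the sample with a live call where indicated.

```python
"""Audit security groups for PostgreSQL (TCP 5432) exposed to the world and
build the revoke payloads needed to close each offending source range.

Added example, not benchmark or AWS code. Data shapes follow boto3's
describe_security_groups / revoke_security_group_ingress, but everything here
runs offline against the constructed sample below.
"""
from __future__ import annotations

PG_PORT = 5432
PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"

# Constructed sample (hypothetical group IDs) in describe_security_groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "db-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0example2", "GroupName": "db-range", "IpPermissions": [
        # Port range covering 5432: missed by a FromPort==5432 query.
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0example3", "GroupName": "all-traffic", "IpPermissions": [
        # Protocol -1 is all traffic; AWS returns no FromPort/ToPort for it.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0example4", "GroupName": "db-restricted", "IpPermissions": [
        # Trusted range only: compliant. A public UDP rule is not PostgreSQL exposure.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]


def rule_covers_pg(perm: dict, port: int = PG_PORT) -> bool:
    """True if this IpPermission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):    # AWS may return the name or the number
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def find_public_pg_rules(groups: list[dict]) -> list[dict]:
    """One finding per (group, rule, public CIDR) that exposes PostgreSQL."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_pg(perm):
                continue
            for r in perm.get("IpRanges", []):
                if r.get("CidrIp") == PUBLIC_V4:
                    findings.append({"GroupId": sg["GroupId"], "Cidr": PUBLIC_V4, "Permission": perm})
            for r in perm.get("Ipv6Ranges", []):
                if r.get("CidrIpv6") == PUBLIC_V6:
                    findings.append({"GroupId": sg["GroupId"], "Cidr": PUBLIC_V6, "Permission": perm})
    return findings


def revoke_payload(finding: dict) -> dict:
    """Build the IpPermissions entry for revoke_security_group_ingress.

    The entry must repeat the rule's protocol and port range exactly and name
    only the CIDR to remove, so other trusted ranges on the rule survive.
    """
    perm = finding["Permission"]
    entry = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        entry["FromPort"] = perm["FromPort"]
        entry["ToPort"] = perm["ToPort"]
    if ":" in finding["Cidr"]:
        entry["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        entry["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    return entry


def cli_shorthand(entry: dict) -> str:
    """Render a payload in the AWS CLI --ip-permissions shorthand syntax."""
    parts = [f"IpProtocol={entry['IpProtocol']}"]
    if "FromPort" in entry:
        parts += [f"FromPort={entry['FromPort']}", f"ToPort={entry['ToPort']}"]
    if "IpRanges" in entry:
        parts.append("IpRanges=[{CidrIp=%s}]" % entry["IpRanges"][0]["CidrIp"])
    if "Ipv6Ranges" in entry:
        parts.append("Ipv6Ranges=[{CidrIpv6=%s}]" % entry["Ipv6Ranges"][0]["CidrIpv6"])
    return ",".join(parts)


if __name__ == "__main__":
    # For a live audit: groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for f in find_public_pg_rules(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: aws ec2 revoke-security-group-ingress --group-id {f['GroupId']} "
              f"--ip-permissions '{cli_shorthand(revoke_payload(f))}'")
```

Each printed command is the exact revoke needed for one finding; pass the same dict to boto3's revoke_security_group_ingress(GroupId=..., IpPermissions=[entry]) to apply it programmatically. Because the payload repeats the rule's own port range, the script also correctly closes a 5000-6000 rule or an all-traffic rule rather than silently failing to match them.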
Backout Plan
Using AWS Console:
Re-enable access by adding specific ingress rules as needed.
Monitor the access and ensure it complies with security policies.
Using AWS CLI:
Restore Required Access:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 5432 --cidr <specific-cidr>