Profile Applicability:
- Level 1
Description:
All Amazon RDS instances should be deployed within a Virtual Private Cloud (VPC) to ensure that network security and isolation are properly managed. A VPC allows you to create a secure and isolated network within the AWS cloud where your RDS instances can reside, providing control over IP address ranges, subnets, routing, and network gateways. Ensuring that RDS instances are deployed within a VPC is a fundamental security practice to protect database instances from unwanted public access and to control their network traffic.
Rationale:
Security: Deploying RDS instances within a VPC ensures that the database is not exposed directly to the internet, providing a secure environment.
Network Isolation: A VPC allows for granular control over the network traffic to and from RDS instances, such as controlling which IP ranges can access the instances, and using Security Groups and Network ACLs for traffic filtering.
Compliance: Many regulatory frameworks (e.g., PCI-DSS, HIPAA) require database instances to be isolated within private networks, ensuring that sensitive data is protected.
Best Practice: AWS recommends using VPCs for all RDS deployments as the default networking option for enhanced security and flexibility.
Impact:
Pros:
Improved Security: Isolating RDS instances within a VPC minimizes exposure to public networks and reduces the risk of unauthorized access.
Network Control: You have full control over routing, subnets, and network access, allowing for custom network architectures (private/public subnets, security groups, etc.).
Enhanced Compliance: Meets the security requirements of regulatory frameworks that mandate network isolation.
Cons:
Increased Complexity: Configuring and managing VPC settings, subnets, and security policies can be more complex compared to using the default network settings.
Initial Setup Time: Ensuring the proper configuration of VPCs, routing, and security policies requires additional time and effort during setup.
Default Value:
By default, when you create an RDS instance via the AWS Console, the instance is launched inside a VPC. However, it’s essential to check whether the RDS instance is correctly deployed within the desired VPC, particularly in cases where manual configurations or migrations have occurred.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBInstances
ec2:DescribeVpcs
AWS CLI installed and configured.
Ensure you have access to the RDS instance and can query its network settings.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases.
Select the RDS instance you want to check.
In the Configuration tab, under the Network & Security section, check the VPC.
The VPC should be listed under the VPC field.
If the field is blank or shows a default setting that doesn’t match your desired VPC, the RDS instance is not deployed within the correct VPC.
If the RDS instance is not within the desired VPC, modify the instance and associate it with the correct VPC.
Using AWS CLI:
To check if the RDS instance is deployed within a VPC, run the following command:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,VpcId:DBSubnetGroup.VpcId}'
Review the output:
If the VpcId is associated with the expected VPC, the RDS instance is correctly deployed within the VPC.
If the VpcId is not correct, the RDS instance is not properly configured within the desired VPC.
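The following audit script is an added example and is not part of this benchmark or of the AWS CLI. It reads the JSON that aws rds describe-db-instances prints, compares each instance's VpcId against a list of approved VPC IDs you supply, and also flags instances that have no DB subnet group at all (the "blank VPC field" case from the console check above). The describe-db-instances sample embedded in it, the instance names, the subnet group names and the VPC IDs are all constructed.

```python
"""Audit RDS instances for VPC placement using the JSON from `aws rds describe-db-instances`."""
import json
import sys

# Constructed sample in the shape of `aws rds describe-db-instances` output.
# Only the fields this check reads are included; all names and IDs are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-db",
            "DBSubnetGroup": {"DBSubnetGroupName": "prod-private-subnets",
                              "VpcId": "vpc-0a1b2c3d4e5f60001"},
        },
        {
            "DBInstanceIdentifier": "analytics-db",
            "DBSubnetGroup": {"DBSubnetGroupName": "default",
                              "VpcId": "vpc-0f9e8d7c6b5a40002"},
        },
        {
            # Legacy-style record with no DB subnet group: not deployed in any VPC.
            "DBInstanceIdentifier": "legacy-db",
        },
    ]
})


def vpc_of(instance):
    """Return the VpcId of one DBInstances record, or None when it has no DB subnet group."""
    return (instance.get("DBSubnetGroup") or {}).get("VpcId")


def audit_vpc_placement(describe_json, approved_vpc_ids):
    """Return a list of findings for instances outside the approved VPCs.

    describe_json     -- raw JSON text as printed by `aws rds describe-db-instances`
    approved_vpc_ids  -- set of VPC IDs in which RDS instances are allowed to live
    An instance with no DBSubnetGroup (hence no VpcId) is always reported.
    """
    data = json.loads(describe_json)
    findings = []
    for inst in data.get("DBInstances", []):
        vpc_id = vpc_of(inst)
        if vpc_id is None:
            reason = "no DB subnet group (not deployed in a VPC)"
        elif vpc_id not in approved_vpc_ids:
            reason = f"deployed in {vpc_id}, which is not an approved VPC"
        else:
            continue  # compliant
        findings.append({
            "DBInstanceIdentifier": inst.get("DBInstanceIdentifier"),
            "VpcId": vpc_id,
            # Subnet group name is what the remediation command needs to change.
            "DBSubnetGroupName": (inst.get("DBSubnetGroup") or {}).get("DBSubnetGroupName"),
            "Reason": reason,
        })
    return findings


def main(argv):
    """CLI entry point. Usage:
         aws rds describe-db-instances | python3 rds_vpc_audit.py vpc-xxxx [vpc-yyyy ...]
         python3 rds_vpc_audit.py --sample vpc-0a1b2c3d4e5f60001   (runs on the built-in sample)
    Exit status is 1 when at least one instance is non-compliant.
    """
    args = argv[1:]
    if "--sample" in args:
        args.remove("--sample")
        raw = SAMPLE_DESCRIBE_OUTPUT
    else:
        raw = sys.stdin.read()
    approved = set(args)
    if not approved:
        print("usage: supply at least one approved VPC ID", file=sys.stderr)
        return 2
    findings = audit_vpc_placement(raw, approved)
    for f in findings:
        print(f"NON-COMPLIANT {f['DBInstanceIdentifier']}: {f['Reason']} "
              f"(subnet group: {f['DBSubnetGroupName']})")
    if not findings:
        print("All RDS instances are deployed in approved VPCs.")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script deliberately reads the full describe-db-instances document rather than the trimmed --query output, so a missing DBSubnetGroup is distinguishable from a VpcId that merely differs from the expected one; both are non-compliant, but only the second can be fixed by changing the DB subnet group.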
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
In the RDS Dashboard, select Databases and choose the RDS instance you want to check.
Verify the VPC under the Network & Security section of the Configuration tab.
If the RDS instance is not in the correct VPC, click Modify.
Under the Network & Security section, choose the correct VPC for the instance.
Save the changes and confirm that the RDS instance is now deployed in the correct VPC.
Using AWS CLI:
To check the VPC where the RDS instance is deployed, run:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,VpcId:DBSubnetGroup.VpcId}'
If the VPC is incorrect, modify the RDS instance so that it uses a DB subnet group belonging to the desired VPC, together with security groups from that VPC. The --vpc-security-group-ids option on its own only changes the security groups and does not move the instance between VPCs; the VPC is determined by the DB subnet group. Note that changing the subnet group to one in a different VPC restarts the instance:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --db-subnet-group-name <db-subnet-group-name> --vpc-security-group-ids <security-group-ids> --apply-immediately
Verify the new settings by running the describe command again:
aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,VpcId:DBSubnetGroup.VpcId}'
Backout Plan:
Using AWS Console:
If migrating the RDS instance to a VPC causes issues, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the DB instance, and modify the VPC settings.
Revert to the previous configuration if necessary, or migrate the instance back to the default VPC.
Using AWS CLI:
If migration to the VPC causes issues, revert the instance to the previous configuration by running:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --db-subnet-group-name <OLD_SUBNET_GROUP_NAME> --vpc-security-group-ids <OLD_SECURITY_GROUP_IDS> --apply-immediately
Verify that the RDS instance is now using the previous VPC configuration:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>