Profile Applicability
- Level 1
Description:
Amazon RDS instances should not be publicly accessible to minimize the attack surface and reduce the risk of unauthorized access. Ensuring that RDS instances are not publicly accessible prevents direct access from the internet, limiting the exposure of sensitive data to only authorized users and applications within your VPC (Virtual Private Cloud).
Keeping RDS instances private lets organizations enforce network-level policy so that the instances are reachable only from internal networks and authorized services, which reduces the risk of data breaches or unauthorized access.
Rationale:
Ensuring RDS instances are not publicly accessible provides:
Reduced attack surface: Prevents internet-based attacks or unauthorized access to the database.
Improved security posture: Only allows access from trusted internal networks or services.
Compliance: Meets security standards and compliance requirements for databases, such as HIPAA, SOC 2, and PCI-DSS, which require databases to be securely isolated from the public internet.
Without this configuration, RDS instances exposed to the internet can become targets for attackers, risking the integrity and confidentiality of data.
Impact:
Failure to ensure that RDS instances are not publicly accessible can result in:
Increased vulnerability to attacks from the public internet.
Unauthorized access to databases, potentially exposing sensitive or confidential data.
Non-compliance with security regulations requiring database isolation.
Ensuring that RDS instances are not publicly accessible reduces the risk of external threats and ensures compliance with best security practices.
Default Value:
By default, RDS instances are created with Publicly Accessible set to No unless explicitly specified during creation. If an instance is publicly accessible, it is exposed to the internet unless other controls (for example, security group rules) are in place to restrict access.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
rds:DescribeDBInstances
rds:ModifyDBInstance
AWS RDS instance must be available for configuration
Remediation:
Test Plan:
Using AWS Console:
Go to the RDS Console.
Select the RDS instance and check the Connectivity & security section.
Verify that Publicly Accessible is set to No for the selected instance.
If it is set to Yes, modify the instance to set it to No and save the changes.
Using AWS CLI:
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].{DBInstanceIdentifier:DBInstanceIdentifier, PubliclyAccessible:PubliclyAccessible}' --output table
(The JMESPath expression is single-quoted so that the shell does not treat the backticks around `true` as command substitution. An empty table means no instance is publicly accessible.)
Implementation Plan:
Using AWS Console:
Ensure RDS instance is not publicly accessible:
Go to the RDS Console.
Select the instance that you want to configure.
Under the Connectivity & security section, set Publicly Accessible to No.
Save the changes to ensure the instance is not accessible from the public internet.
Verify the instance settings:
After modification, confirm that Publicly Accessible is set to No in the Connectivity & security section.
Using AWS CLI:
Modify the RDS instance to make it not publicly accessible:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-publicly-accessible --apply-immediately
Verify the modification:
aws rds describe-db-instances --query "DBInstances[?DBInstanceIdentifier=='<db-instance-id>'].{DBInstanceIdentifier:DBInstanceIdentifier, PubliclyAccessible:PubliclyAccessible}" --output table
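The CLI checks above can be exercised offline. The following Python script is an added example and is not part of the benchmark text: it implements the same PubliclyAccessible filter as the JMESPath query in the Test Plan, mirrors the per-instance verification from the Implementation Plan, and builds the corresponding modify-db-instance commands (printing them rather than running them, so nothing is changed by accident). The describe-db-instances response is a constructed sample; fetch_db_instances_json() shows how boto3 would supply real data and is an assumption about the caller's environment, not something the demo calls.

```python
"""Offline helper for the "RDS instances are not publicly accessible" control.

Added example, not part of the benchmark text. It re-implements the
Test Plan filter (DBInstances[?PubliclyAccessible==`true`]) in plain
Python, mirrors the post-change verification from the Implementation
Plan, and builds the matching modify-db-instance commands. It only
prints commands; it never modifies anything.
"""
import json
import shlex
from typing import Dict, List

# Constructed sample shaped like `aws rds describe-db-instances --output json`
# (trimmed to the fields this control needs). Not real infrastructure.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "DBInstanceStatus": "available", "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "analytics-dev", "Engine": "mysql",
         "DBInstanceStatus": "available", "PubliclyAccessible": True},
        {"DBInstanceIdentifier": "legacy-reporting", "Engine": "postgres",
         "DBInstanceStatus": "stopped", "PubliclyAccessible": True},
    ]
})


def fetch_db_instances_json() -> str:
    """Real-data source; assumes boto3 is installed and credentials are configured.

    Not called by the offline demo; shown so the sample can be swapped out.
    """
    import boto3  # imported lazily so the rest of the script runs without it
    client = boto3.client("rds")
    paginator = client.get_paginator("describe_db_instances")
    instances = [db for page in paginator.paginate() for db in page["DBInstances"]]
    # default=str handles datetime fields such as InstanceCreateTime
    return json.dumps({"DBInstances": instances}, default=str)


def find_public_instances(describe_output: str) -> List[Dict[str, object]]:
    """Same result as the Test Plan's JMESPath filter, in plain Python.

    Returns the identifier and flag for each instance whose
    PubliclyAccessible is exactly boolean true.
    """
    data = json.loads(describe_output)
    return [
        {"DBInstanceIdentifier": db["DBInstanceIdentifier"],
         "PubliclyAccessible": db["PubliclyAccessible"]}
        for db in data.get("DBInstances", [])
        if db.get("PubliclyAccessible") is True
    ]


def instance_is_private(describe_output: str, identifier: str) -> bool:
    """Post-change verification: PubliclyAccessible must be false for one instance."""
    for db in json.loads(describe_output).get("DBInstances", []):
        if db.get("DBInstanceIdentifier") == identifier:
            return db.get("PubliclyAccessible") is False
    raise KeyError(f"no RDS instance named {identifier!r} in the response")


def remediation_commands(public_instances, apply_immediately: bool = True) -> List[str]:
    """Build the Implementation Plan's modify-db-instance call for each instance.

    AWS CLI booleans are switches, so the compliant setting is
    --no-publicly-accessible rather than "--publicly-accessible false".
    """
    cmds = []
    for db in public_instances:
        argv = ["aws", "rds", "modify-db-instance",
                "--db-instance-identifier", db["DBInstanceIdentifier"],
                "--no-publicly-accessible"]
        if apply_immediately:
            argv.append("--apply-immediately")
        cmds.append(shlex.join(argv))
    return cmds


if __name__ == "__main__":
    public = find_public_instances(SAMPLE_DESCRIBE_OUTPUT)
    if not public:
        print("PASS: no publicly accessible RDS instances")
    else:
        print(f"FAIL: {len(public)} publicly accessible instance(s)")
        for cmd in remediation_commands(public):
            print("  " + cmd)
    # What the verification step should report after remediation
    print("orders-prod private:", instance_is_private(SAMPLE_DESCRIBE_OUTPUT, "orders-prod"))
```

Run it as-is to see the two non-compliant sample instances and the commands that would fix them; replace SAMPLE_DESCRIBE_OUTPUT with the return value of fetch_db_instances_json() to audit a real account. The script inspects only the PubliclyAccessible flag; as the Backout Plan's mention of network security settings implies, security group rules still govern who can reach the instance and should be reviewed alongside it.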
Backout Plan:
Using AWS Console:
If making the RDS instance private causes application issues:
Go to the RDS Console.
Modify the instance and set Publicly Accessible to Yes to allow access from the public internet.
Revert changes to the network security settings to ensure the database can be accessed from external sources, if necessary.
Using AWS CLI:
Temporarily make the instance publicly accessible:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --publicly-accessible --apply-immediately
Stop the RDS instance if network or application connectivity issues occur:
aws rds stop-db-instance --db-instance-identifier <db-instance-id>
Re-enable access controls once issues are resolved:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-publicly-accessible --apply-immediately