Profile Applicability:

  • Level 1

Description:
Security Groups act as virtual firewalls for your Amazon Aurora instances, controlling both inbound and outbound traffic. Proper configuration ensures that only approved sources and destinations can access your database, thereby minimizing the attack surface.

Rationale:
Configuring security groups helps enforce access control by defining rules that restrict incoming and outgoing traffic to the database. This limits exposure to unauthorized sources and ensures compliance with the principle of least privilege.

Impact:
Improperly configured security groups may expose your database to the public internet or unauthorized internal sources, increasing the risk of data breaches or other attacks. Proper configuration mitigates these risks.

Default Value:
By default, AWS allows all outbound traffic and no inbound traffic when a new security group is created.

Pre-requisites:

  • An AWS account

  • Amazon Aurora instance launched

  • Basic understanding of VPC, EC2, and RDS services

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 > Network & Security > Security Groups.

  3. Identify the security groups associated with your Aurora instances.

  4. Review inbound and outbound rules to ensure they are restricted to required sources/destinations only.

Using AWS CLI:

  1. Run:

     aws ec2 describe-security-groups

  2. Parse the output to list security groups associated with Aurora instances.

  3. Verify the IpPermissions (inbound) and IpPermissionsEgress (outbound) sections for appropriate rules.
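An added check for step 3 (example code, not part of this benchmark): the script reads the JSON that `aws ec2 describe-security-groups` prints (a constructed sample is embedded so it runs offline) and flags inbound rules that expose port 3306 to 0.0.0.0/0 or ::/0, allow all protocols, or accept an IPv4 source wider than /16; the /16 threshold, the file name and the group IDs are assumptions.

```python
import ipaddress
import json
import sys

DB_PORT = 3306  # MySQL/Aurora listener port from the benchmark's ingress rule

# Constructed sample shaped like `aws ec2 describe-security-groups` output (IDs/CIDRs invented).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa111122223333a", "GroupName": "AuroraSG",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb444455556666b", "GroupName": "open-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}]}]}

def rule_covers_port(perm, port=DB_PORT):
    """True if an IpPermissions entry reaches `port`; all-protocol (-1) rules always do."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_ingress(groups, port=DB_PORT, min_prefix=16):
    """Return (group_id, cidr, reason) for each inbound CIDR that over-exposes `port`."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    reason = "open to the internet"
                elif net.version == 4 and net.prefixlen < min_prefix:  # assumed threshold
                    reason = "source range wider than /%d" % min_prefix
                elif perm.get("IpProtocol") == "-1":
                    reason = "all protocols allowed"
                else:
                    continue  # tcp/3306 from a specific range: acceptable
                findings.append((sg["GroupId"], cidr, reason))
    return findings

if __name__ == "__main__":  # usage: aws ec2 describe-security-groups | python audit_sg.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for gid, cidr, why in audit_ingress(data["SecurityGroups"]):
        print(f"{gid}: {cidr} -> {why}")
```

Run without piped input it audits the embedded sample; restrict the input to the group IDs attached to your Aurora instances to keep the report focused.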

Implementation Plan:

Using AWS Console:

  1. Go to EC2 Dashboard > Security Groups.

  2. Click Create Security Group.

  3. Set name, description, and select the appropriate VPC.

  4. Under Inbound rules, add only necessary protocols (e.g., MySQL/Aurora from a specific IP range).

  5. Under Outbound rules, restrict if necessary (default is allow all).

  6. Attach this security group to your Aurora instance via RDS > Databases > Modify > Connectivity > VPC security group.

Using AWS CLI:

  1. Create security group:

     aws ec2 create-security-group --group-name AuroraSG --description "Security group for Aurora" --vpc-id <vpc-id>

  2. Add inbound rule:

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr <allowed-ip-range>

  3. Attach the security group to Aurora DB:

     aws rds modify-db-instance --db-instance-identifier <db-id> --vpc-security-group-ids <sg-id> --apply-immediately

Backout Plan:

Using AWS Console:

  1. Navigate to EC2 > Security Groups.

  2. Detach the newly created security group from the Aurora instance.

  3. Reassign the previous security group via RDS > Modify.

  4. Delete the newly created group if not required.

Using AWS CLI:

  1. Reassign previous security group:

     aws rds modify-db-instance --db-instance-identifier <db-id> --vpc-security-group-ids <old-sg-id> --apply-immediately

  2. Delete custom group:

     aws ec2 delete-security-group --group-id <sg-id>

References: