Profile Applicability:

  • Level 1

Description:
 Security groups in AWS act as virtual firewalls that control inbound and outbound traffic to resources such as database instances. Proper configuration ensures controlled access and protects against unauthorized communication.

Rationale:
 Only explicitly allowed network traffic should be permitted to access databases. Security groups provide fine-grained access control, helping enforce least privilege and reduce the attack surface.

Impact:
 Pros:

  • Limits access to known IPs or services

  • Enforces network segmentation

  • Helps meet compliance requirements

Cons:

  • Misconfiguration may result in blocked access or exposure

  • Requires ongoing rule review and management

Default Value:
 New security groups allow all outbound traffic but no inbound traffic by default.

Pre-requisites:

  • Existing VPC

  • IAM permissions to create and modify security groups

  • Identified source IPs or security group IDs for permitted access

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to RDS > Databases

  3. Select the target database instance

  4. Open the Connectivity & security tab

  5. Review the associated security groups

  6. Confirm that inbound rules allow access only from trusted sources

  7. Confirm that outbound rules are appropriate for expected traffic

Using AWS CLI:

  1. List associated security groups for the DB instance:

    aws rds describe-db-instances --db-instance-identifier <your-db-instance-identifier> --query "DBInstances[*].VpcSecurityGroups[*].VpcSecurityGroupId"

  2. Describe the security group to inspect its rules:

    aws ec2 describe-security-groups --group-ids <sg-id>
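Step 6 of the console test ("inbound rules allow access only from trusted sources") is easy to misjudge by eye once a group carries more than a handful of rules. The following script is an added example, not part of this benchmark page or of any AWS tooling: it reads the JSON produced by the `aws ec2 describe-security-groups` command above and reports every ingress source that is not covered by an allowlist of trusted CIDRs and security group IDs (the "identified source IPs or security group IDs" named under Pre-requisites). The embedded sample output, the group IDs, the account ID and the allowlist are constructed for the demonstration; the field names (`IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges[].CidrIp`, `Ipv6Ranges[].CidrIpv6`, `UserIdGroupPairs[].GroupId`) are the ones the real command returns. Port 3306 is assumed as the database port; change `DB_PORT` for other engines.

```python
import ipaddress
import json
import sys

# Constructed sample shaped like `aws ec2 describe-security-groups --group-ids <sg-id>` output,
# trimmed to the fields the audit reads. Group IDs, account ID and CIDRs are made up.
SAMPLE_DESCRIBE_SG = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "db-sg",
        "IpPermissions": [
            {   # MySQL from a single allowlisted office host: acceptable
                "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {   # MySQL from the application tier's security group: acceptable
                "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0app0000000000000", "UserId": "123456789012"}]},
            {   # MySQL open to the whole internet over IPv4 and IPv6: finding
                "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            {   # all protocols from a range that is not on the allowlist: finding
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    }]
})

# Constructed allowlist standing in for the identified source IPs / security group IDs.
TRUSTED_CIDRS = ["203.0.113.0/24"]
TRUSTED_SG_IDS = ["sg-0app0000000000000"]
DB_PORT = 3306  # MySQL / Aurora MySQL; assumed here, adjust for the engine in use


def rule_covers_port(perm, port):
    """True if the permission admits TCP traffic to `port`. IpProtocol "-1" means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def cidr_is_trusted(cidr, trusted_nets):
    """True if `cidr` lies entirely inside one of the allowlisted networks of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)


def audit_security_groups(describe_output, trusted_cidrs, trusted_sg_ids, db_port=DB_PORT):
    """Return one finding per ingress source (CIDR or referenced group) not covered by the allowlist."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    trusted_nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for sg in data.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"
            base = {"group": sg["GroupId"], "ports": ports,
                    "exposes_db_port": rule_covers_port(perm, db_port)}
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not cidr_is_trusted(cidr, trusted_nets):
                    # prefix length 0 (0.0.0.0/0 or ::/0) means the rule admits the entire internet
                    world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
                    findings.append({**base, "source": cidr, "world_open": world})
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") not in trusted_sg_ids:
                    findings.append({**base, "source": pair.get("GroupId"), "world_open": False})
    return findings


def main():
    # Pass a file saved from `aws ec2 describe-security-groups --group-ids <sg-id>`,
    # or run with no argument to audit the constructed sample above.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_SG
    findings = audit_security_groups(raw, TRUSTED_CIDRS, TRUSTED_SG_IDS)
    for f in findings:
        flag = "WORLD-OPEN " if f["world_open"] else ""
        db = " (covers DB port)" if f["exposes_db_port"] else ""
        print(f"{f['group']}: {flag}ingress {f['ports']} from {f['source']}{db}")
    print("PASS" if not findings else f"FAIL: {len(findings)} untrusted ingress source(s)")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Save the CLI output with `aws ec2 describe-security-groups --group-ids <sg-id> > sg.json` and run `python3 audit_sg.py sg.json`; a non-zero exit status marks the control as failed, which makes the check usable in a pipeline. The allowlist comparison is done with `subnet_of` rather than string equality so that a rule narrower than an allowlisted range (a single /32 inside a trusted /24) passes, while a rule wider than any allowlisted range is reported; IPv6 sources are checked against IPv6 entries only, so an allowlist with no `::/…` entries reports every IPv6 rule.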

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to VPC > Security Groups

  3. Click Create security group

  4. Provide a name, description, and select the correct VPC

  5. Add inbound rules (e.g., TCP port 3306 from known IPs or security groups)

  6. Add outbound rules as needed

  7. Click Create security group

  8. Go to RDS > Databases, select the target DB instance

  9. Click Modify

  10. Under Connectivity, choose the new security group

  11. Select Apply immediately and click Modify DB Instance

Using AWS CLI:

  1. Create a security group:

     aws ec2 create-security-group --group-name db-sg --description "DB access" --vpc-id <vpc-id>

  2. Add inbound rule to allow database traffic (e.g., MySQL):

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr <trusted-ip>/32

  3. (Optional) Add an outbound rule to allow all traffic. New security groups already carry this rule by default, so this step is only needed if the default egress rule was removed; with `--protocol -1` no `--port` option is given:

     aws ec2 authorize-security-group-egress --group-id <sg-id> --protocol -1 --cidr 0.0.0.0/0

  4. Modify RDS instance to use the new security group:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --vpc-security-group-ids <sg-id> --apply-immediately

Backout Plan

Using AWS Console:

  1. Navigate to RDS > Databases, select the instance

  2. Click Modify

  3. Under VPC security groups, select the previously used security group

  4. Click Apply immediately and confirm modification

Using AWS CLI:

  1. Revert to old security group:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --vpc-security-group-ids <previous-sg-id> --apply-immediately

References: