Profile Applicability:

  • Level 1

Description:
 Regular reviews of security configurations across your AWS-managed databases help ensure that permissions, encryption, logging, and access settings remain compliant with security best practices and organizational policies.

Rationale:
 As systems evolve and users change, configurations may drift from their secure state. Periodic reviews help detect misconfigurations, unused privileges, or disabled controls that could lead to security breaches or non-compliance.

Impact:
Pros:

  • Ensures adherence to least privilege

  • Identifies misconfigurations before they are exploited

  • Supports compliance audits and reporting

Cons:

  • Requires regular administrative effort

  • Can be overlooked without automation or scheduling

Default Value:
 No automatic review schedule is applied by default. Manual review must be enforced by the organization.

Pre-requisites:

  • IAM permissions to view and modify configurations

  • Access to AWS Console or CLI

  • Knowledge of current security baseline

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to RDS, ElastiCache, or MemoryDB

  3. Select the database instance

  4. Review the following under Configuration and Security tabs:

    • IAM role associations

    • Security groups and NACLs

    • Encryption at rest and in transit

    • CloudWatch logging settings

    • Backup and retention policies

Using AWS CLI:

  1. List DB instances:

     aws rds describe-db-instances

  2. Check encryption:

     aws rds describe-db-instances --query "DBInstances[*].StorageEncrypted"

  3. Review log exports:

     aws rds describe-db-instances --query "DBInstances[*].EnabledCloudwatchLogsExports"

  4. Review attached security groups:

     aws ec2 describe-security-groups --group-ids <sg-id>

  5. List IAM role trust policies:

     aws iam get-role --role-name <role-name>
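
The CLI steps above produce JSON that still has to be read by hand. The following script is an added example, not part of this benchmark, that applies the review checks (encryption at rest, CloudWatch log exports, backup retention, and security groups open to the world on the database port) to the output of `aws rds describe-db-instances` and `aws ec2 describe-security-groups`. The sample records, the `orders-db`/`billing-db` names and the `MIN_BACKUP_DAYS` baseline are constructed for illustration.

```python
# Constructed sample data shaped like `aws rds describe-db-instances` and
# `aws ec2 describe-security-groups --group-ids ...` output (not real account data).
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Endpoint": {"Port": 3306},
     "StorageEncrypted": False, "BackupRetentionPeriod": 1,
     "EnabledCloudwatchLogsExports": [],
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}]},
    {"DBInstanceIdentifier": "billing-db", "Endpoint": {"Port": 5432},
     "StorageEncrypted": True, "BackupRetentionPeriod": 14,
     "EnabledCloudwatchLogsExports": ["postgresql"],
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}]},
]
SECURITY_GROUPS = {  # keyed by GroupId for lookup
    "sg-0aaa": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-0bbb": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                   "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
}
MIN_BACKUP_DAYS = 7  # assumed baseline; matches the 7-day value used in the remediation


def open_to_world(sg, port):
    """True if any ingress rule exposes `port` (or all ports) to 0.0.0.0/0 or ::/0."""
    for rule in sg.get("IpPermissions", []):
        all_ports = rule.get("IpProtocol") == "-1"
        in_range = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        if not (all_ports or in_range):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False


def review(instances, groups):
    """Map each DB instance identifier to the list of baseline deviations found."""
    findings = {}
    for db in instances:
        issues = []
        if not db.get("StorageEncrypted"):
            issues.append("storage not encrypted at rest")
        if not db.get("EnabledCloudwatchLogsExports"):
            issues.append("no CloudWatch log exports")
        if db.get("BackupRetentionPeriod", 0) < MIN_BACKUP_DAYS:
            issues.append(f"backup retention below {MIN_BACKUP_DAYS} days")
        port = db["Endpoint"]["Port"]
        for sg in db.get("VpcSecurityGroups", []):
            if open_to_world(groups.get(sg["VpcSecurityGroupId"], {}), port):
                issues.append(f'{sg["VpcSecurityGroupId"]} allows port {port} from anywhere')
        findings[db["DBInstanceIdentifier"]] = issues
    return findings
```

Against real output, load the `DBInstances` array and the `SecurityGroups` array (keyed by `GroupId`) from the two commands and pass them to `review`; an empty list for an instance means no deviation from the checked settings.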

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Go to each database service in use (e.g., RDS, MemoryDB)

  3. Review security groups and remove overly permissive rules

  4. Review IAM roles and adjust permissions for least privilege

  5. Ensure encryption at rest and in transit is enabled

  6. Validate CloudWatch logging and alerting are configured

  7. Review and set backup retention policies appropriately

Using AWS CLI:

  1. Describe DB instances to review configurations:

     aws rds describe-db-instances

  2. Revoke unnecessary ingress rules:

     aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0

  3. Update IAM role to restrict privileges:

     aws iam update-assume-role-policy --role-name <role-name> --policy-document file://least-privilege-policy.json

  4. Enable log exports if missing:

     aws rds modify-db-instance --db-instance-identifier <id> --cloudwatch-logs-export-configuration EnableLogTypes=error,general --apply-immediately

  5. Modify backup retention if needed:

     aws rds modify-db-instance --db-instance-identifier <id> --backup-retention-period 7 --apply-immediately

Backout Plan

Using AWS Console:

  1. Revert IAM role or security group changes from previous backups or saved templates

  2. Reset encryption and logging to previous settings

  3. Restore prior backup retention period if necessary

Using AWS CLI:

  1. Restore previous IAM policy:

     aws iam update-assume-role-policy --role-name <role-name> --policy-document file://old-policy.json

  2. Restore removed security group rules:

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0

  3. Disable recent log exports:

     aws rds modify-db-instance --db-instance-identifier <id> --cloudwatch-logs-export-configuration DisableLogTypes=general --apply-immediately

References: