Profile Applicability:
 • Level 1

Description:
 Secure network access keeps database resources unreachable from untrusted networks. It involves placing the database in a private subnet of a VPC, restricting inbound traffic with security groups and network ACLs to trusted sources only, using VPC endpoints so that traffic to AWS-managed database services stays on the AWS network, and testing connectivity from inside and outside the VPC.

Rationale:
 A secure network configuration prevents exposure to public networks and ensures that only trusted sources can access the database, enhancing the confidentiality and integrity of data.

Impact:
 • Helps isolate workloads from untrusted networks.
 • Limits attack vectors.
 • Improves compliance with network segmentation and security best practices.

Default Value:
 By default, a new VPC comes with a default security group that allows all outbound traffic and inbound traffic only from members of the same group, and a default network ACL that allows all inbound and outbound traffic. Subnets in the default VPC are public (auto-assign public IPv4 address enabled and a 0.0.0.0/0 route to the internet gateway), and no VPC endpoints exist until they are created. Private subnets, restrictive security group rules, custom ACL entries and endpoints all require manual configuration.

Pre-Requisites:
 • AWS account with access to VPC console
 • Understanding of subnets, security groups, and ACLs

Remediation

Test Plan:

  1. Review that the database is launched inside a private subnet (no route to an internet gateway, no public IP) and, where the engine offers the option, that public accessibility is disabled.

  2. Validate that VPC endpoints are configured for databases reached as AWS-managed services (if applicable).

  3. Ensure security groups allow access to the database port only from trusted security groups or CIDRs, never from 0.0.0.0/0 or ::/0.

  4. Verify the subnet's network ACL allows only required traffic (database port inbound, ephemeral ports outbound for return traffic) and relies on the deny-all catch-all rule for everything else.

  5. Confirm an EC2 test instance inside the VPC can connect to the database and that connection attempts from outside the VPC are blocked.
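The configuration checks in steps 1 to 4 can be scripted against the JSON that aws ec2 describe-route-tables, describe-security-groups and describe-network-acls return. The following Python is an added example and not part of this benchmark: the resource IDs, CIDRs and API responses in it are constructed sample data shaped like the real responses, and the trusted CIDR (10.0.0.0/16), trusted security group (sg-app) and database port (5432) are assumptions to adjust for the environment being audited.

```python
import ipaddress

ANY = ("0.0.0.0/0", "::/0")

# Constructed sample API output (same shape as describe-route-tables,
# describe-security-groups, describe-network-acls): subnet-db has no explicit
# association so it inherits the VPC main table; subnet-public routes to an IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0abc", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0abc",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
SG_DB = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]}
SG_OPEN = {"GroupId": "sg-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "Ipv6Ranges": [],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.5.0/24"}], "UserIdGroupPairs": []}]}
NACL = {"NetworkAclId": "acl-db", "Entries": [
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 5432, "To": 5432}},
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"}]}


def route_table_for(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_private_subnet(subnet_id, vpc_id, route_tables):
    """Private means no default route (IPv4 or IPv6) to an internet gateway."""
    rt = route_table_for(subnet_id, vpc_id, route_tables)
    if rt is None:
        return False  # unknown subnet: fail closed
    for route in rt["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ANY and route.get("GatewayId", "").startswith("igw-"):
            return False
    return True


def _within(cidr, trusted_cidrs):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in (ipaddress.ip_network(c, strict=False) for c in trusted_cidrs))


def untrusted_ingress(sg, trusted_cidrs, trusted_sgs):
    """Ingress sources that are neither a trusted SG nor inside a trusted CIDR."""
    findings = []
    for perm in sg["IpPermissions"]:
        ports = f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in trusted_sgs:
                findings.append((ports, pair["GroupId"]))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not _within(cidr, trusted_cidrs):
                findings.append((ports, cidr))
    return findings


def nacl_world_open(nacl, db_port):
    """NACL entries are evaluated lowest rule number first, so the first inbound
    entry matching any-source traffic to db_port decides. Returns that rule
    number when it is an allow, None when it is a deny (or nothing matches)."""
    inbound = sorted((e for e in nacl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if entry.get("CidrBlock") != ANY[0] and entry.get("Ipv6CidrBlock") != ANY[1]:
            continue  # narrower source: does not decide traffic from anywhere
        pr = entry.get("PortRange", {"From": 0, "To": 65535})
        if entry["Protocol"] == "-1" or pr["From"] <= db_port <= pr["To"]:
            return entry["RuleNumber"] if entry["RuleAction"] == "allow" else None
    return None


def audit(subnet_id, vpc_id, route_tables, sg, nacl, trusted_cidrs, trusted_sgs, db_port=5432):
    """Run the Test Plan's configuration checks; an empty list means they pass."""
    findings = []
    if not is_private_subnet(subnet_id, vpc_id, route_tables):
        findings.append(f"{subnet_id} routes to an internet gateway")
    for ports, src in untrusted_ingress(sg, trusted_cidrs, trusted_sgs):
        findings.append(f"{sg['GroupId']} allows {ports} from {src}")
    rule = nacl_world_open(nacl, db_port)
    if rule is not None:
        findings.append(f"{nacl['NetworkAclId']} rule {rule} allows port {db_port} from anywhere")
    return findings


if __name__ == "__main__":
    for subnet, sg in (("subnet-db", SG_DB), ("subnet-public", SG_OPEN)):
        print(subnet, audit(subnet, "vpc-0abc", ROUTE_TABLES, sg, NACL, ["10.0.0.0/16"], {"sg-app"}))
```

To use it against a real account, replace the three sample structures with the parsed output of the corresponding describe-* commands and call audit() with the database's subnet, security group and network ACL. The NACL check deliberately walks entries in rule-number order rather than just looking for a 0.0.0.0/0 allow, because a lower-numbered deny on the same port overrides a later allow.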

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Go to VPC Console → Create a VPC or select an existing one.

  3. Navigate to Subnets → Create/Assign private subnets. A subnet is private only when its route table has no 0.0.0.0/0 (or ::/0) route to an internet gateway and auto-assign public IPv4 address is disabled.

  4. Go to Security Groups → Create/Modify security group.

  5. Add inbound rules for the database port only, sourced from trusted IPs or security groups; leave no rule with a 0.0.0.0/0 or ::/0 source.

  6. Go to Network ACLs → Create an ACL, add inbound allow entries for the database port from the trusted ranges and outbound allow entries for the ephemeral port range (network ACLs are stateless, so return traffic needs its own entry), then associate the ACL with the subnet.

  7. Test connectivity using an EC2 instance inside the same VPC and ensure access from outside the VPC fails.

Using AWS CLI:

  1. Create VPC

     aws ec2 create-vpc --cidr-block 10.0.0.0/16


  2. Create subnet

     aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24

     Creating a subnet does not make it private. It must be associated with a route table that has no 0.0.0.0/0 (or ::/0) route to an internet gateway; a new VPC's main route table contains only the local route until a route is added to it.


  3. Create security group

     aws ec2 create-security-group --group-name MySG --description "SG for DB" --vpc-id <vpc-id>


  4. Add inbound rule

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 5432 --cidr <trusted-ip>/32

     When the clients are EC2 instances, reference their security group with --source-group instead of a CIDR, so the rule follows the instances rather than their addresses.


  5. Create network ACL

     aws ec2 create-network-acl --vpc-id <vpc-id>

     A custom network ACL starts with only the deny-all rule (32767) in each direction, so a subnet associated with it passes no traffic until allow entries are added with aws ec2 create-network-acl-entry: an inbound entry for the database port from the trusted CIDR and, because network ACLs are stateless, an outbound entry for the ephemeral port range (1024-65535) back to the same CIDR.


  6. Associate network ACL

     aws ec2 replace-network-acl-association --association-id <association-id> --network-acl-id <acl-id>

     There is no associate-network-acl command: every subnet already has an association with its VPC's default network ACL, so that association (listed under Associations in the output of aws ec2 describe-network-acls) is replaced with the custom ACL.


  7. Create VPC endpoint (only when the database is an AWS-managed service reached through an endpoint, such as Amazon Keyspaces; an RDS instance already sits inside the subnet)

     aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name <service-name> --vpc-endpoint-type Interface --subnet-ids <subnet-id> --security-group-ids <sg-id>

     Look up <service-name> for the region and engine with aws ec2 describe-vpc-endpoint-services (names follow the pattern com.amazonaws.<region>.<service>). The security group attached to the endpoint must allow the service's port from the clients.
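The same sequence can be run programmatically. The following boto3 script is an added example, not code from this benchmark or from AWS: it performs the CLI steps above and also the two that list leaves implicit, a route table without an internet-gateway route (which is what makes the subnet private) and allow entries on the custom network ACL (which otherwise denies all traffic). It assumes boto3 is installed with credentials configured, that the database listens on 5432 (Amazon Keyspaces uses 9142 instead), and that the endpoint service name passed in has been confirmed with aws ec2 describe-vpc-endpoint-services for the region and engine in use.

```python
DB_PORT = 5432                 # assumed: PostgreSQL; use 9142 for Amazon Keyspaces
EPHEMERAL = (1024, 65535)      # return-traffic port range; NACLs are stateless


def sg_ingress_from_sg(app_sg_id, port=DB_PORT):
    """Ingress only from the application tier's security group, no CIDRs."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": app_sg_id,
                                   "Description": "app tier to database"}]}]


def nacl_entries(trusted_cidr, port=DB_PORT, ephemeral=EPHEMERAL):
    """create_network_acl_entry arguments: inbound allow for the database port and
    outbound allow for the ephemeral range so replies reach the client. Everything
    else hits the implicit deny-all rule 32767 that every NACL carries."""
    return [
        dict(RuleNumber=100, Egress=False, RuleAction="allow", Protocol="6",
             CidrBlock=trusted_cidr, PortRange={"From": port, "To": port}),
        dict(RuleNumber=100, Egress=True, RuleAction="allow", Protocol="6",
             CidrBlock=trusted_cidr,
             PortRange={"From": ephemeral[0], "To": ephemeral[1]}),
    ]


def harden(ec2, vpc_cidr, subnet_cidr, trusted_cidr, service_name=None):
    """Build VPC, private subnet, security groups, NACL and (optionally) an
    interface endpoint; returns the created IDs so they can be kept for backout."""
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])
    # Private DNS on interface endpoints requires both DNS attributes enabled.
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsSupport={"Value": True})
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})
    subnet_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=subnet_cidr)["Subnet"]["SubnetId"]

    # Private subnet: a dedicated route table holding only the local route.
    # No create_route() call is made, so there is no 0.0.0.0/0 -> igw- path.
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)

    # The app tier joins app-sg; db-sg admits only members of app-sg.
    app_sg = ec2.create_security_group(GroupName="app-sg", Description="app tier",
                                       VpcId=vpc_id)["GroupId"]
    db_sg = ec2.create_security_group(GroupName="db-sg", Description="SG for DB",
                                      VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=db_sg,
                                         IpPermissions=sg_ingress_from_sg(app_sg))

    acl_id = ec2.create_network_acl(VpcId=vpc_id)["NetworkAcl"]["NetworkAclId"]
    for entry in nacl_entries(trusted_cidr):
        ec2.create_network_acl_entry(NetworkAclId=acl_id, **entry)
    # A subnet always has a NACL association (the default NACL at creation),
    # so the existing association is replaced rather than a new one created.
    current = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    assoc_id = next(a["NetworkAclAssociationId"]
                    for acl in current["NetworkAcls"] for a in acl["Associations"]
                    if a["SubnetId"] == subnet_id)
    ec2.replace_network_acl_association(AssociationId=assoc_id, NetworkAclId=acl_id)

    ids = {"vpc": vpc_id, "subnet": subnet_id, "route_table": rtb_id,
           "app_sg": app_sg, "db_sg": db_sg, "nacl": acl_id}
    if service_name:  # only for AWS-managed engines reached through an endpoint
        ep = ec2.create_vpc_endpoint(
            VpcId=vpc_id, ServiceName=service_name, VpcEndpointType="Interface",
            SubnetIds=[subnet_id], SecurityGroupIds=[db_sg], PrivateDnsEnabled=True)
        ids["endpoint"] = ep["VpcEndpoint"]["VpcEndpointId"]
    return ids


if __name__ == "__main__":
    import boto3  # imported here so the pure helpers above work without it
    client = boto3.client("ec2", region_name="us-east-1")
    # Pass service_name only for an endpoint-reached engine, e.g. the assumed
    # "com.amazonaws.us-east-1.cassandra" for Amazon Keyspaces (verify first).
    print(harden(client, "10.0.0.0/16", "10.0.1.0/24", "10.0.0.0/16", service_name=None))
```

Keep the returned IDs: the backout steps below need the ACL association to be replaced with the default ACL before the custom ACL can be deleted, and the endpoint and security group IDs for their delete and revoke calls.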


Backout Plan

Using AWS Console:

  1. Disassociate custom ACL from the subnet and associate default ACL.

  2. Modify security group to allow broader inbound rules if required.

  3. Delete the VPC endpoints (an endpoint cannot be deactivated, only deleted).

Using AWS CLI:

  1. Revert SG changes

     aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol tcp --port 5432 --cidr <trusted-ip>/32


  2. Delete network ACL (first re-associate the subnet with the VPC's default network ACL using replace-network-acl-association; an ACL that still has subnet associations cannot be deleted)

     aws ec2 delete-network-acl --network-acl-id <acl-id>


  3. Delete VPC endpoint

     aws ec2 delete-vpc-endpoint --vpc-endpoint-id <endpoint-id>


References:

  1. https://aws.amazon.com/products/databases/

  2. https://console.aws.amazon.com/vpc/

CIS Controls Mapping:

Controls Version | Control                                                        | IG1 | IG2 | IG3
v8               | 12.2 Establish and Maintain a Secure Network Architecture      |     |     |
v7               | 11.7 Manage Network Infrastructure Through a Dedicated Network |     |     |