Profile Applicability

  • Level 1

Description

Regularly reviewing and updating the security configuration of your AWS database environment ensures alignment with your organization's security requirements and helps prevent unauthorized access, data leaks, or misconfigurations.

Rationale

By periodically evaluating access permissions, encryption settings, network security, and logging configurations, organizations can identify and address security gaps, ensuring that only authorized entities have access to sensitive resources and that the infrastructure remains resilient against threats.

Impact

Pros:

  • Reduces the risk of unauthorized access.

  • Aligns with compliance standards.

  • Helps detect and mitigate misconfigurations.

Cons:

  • May introduce service disruptions if changes are not properly tested.

  • Requires coordination among teams for implementation.

Default Value

AWS does not enforce periodic security configuration reviews by default.

Pre-Requisites

  • IAM permissions to review and modify database configuration.

  • Access to monitoring and logging tools (e.g., CloudWatch, CloudTrail).

  • Access to Timestream, RDS, Keyspaces, or relevant database service consoles.

Remediation

Test Plan

  1. Review IAM roles and policies.

  2. Review audit logging and monitoring configurations.

  3. Review encryption settings.

  4. Review access control (ACLs, Security Groups, etc.).

  5. Review network and VPC configurations.

Implementation Plan

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the relevant database service (e.g., RDS, Timestream, Keyspaces).

  3. Select the database instance or keyspace.

  4. Go to the Configuration or Security tab.

  5. Review and update:

    • IAM policies for least privilege access.

    • Access control lists and roles.

    • Security group rules and network ACLs.

    • Encryption settings at rest and in transit.

    • Audit logging settings in CloudWatch or CloudTrail.

  6. Save changes after validating the updates.

Using AWS CLI

List databases and their configuration:

aws rds describe-db-instances

Get the IAM policies attached to a database role:

aws iam list-attached-role-policies --role-name <role-name>

Review security group rules:

aws ec2 describe-security-groups --group-ids <group-id>

Check encryption settings:

aws rds describe-db-instances --query "DBInstances[*].StorageEncrypted"

Check CloudWatch log group settings:

aws logs describe-log-groups

  1. Modify or apply updated security settings as required using modify-db-instance, put-log-events, etc.
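The CLI review above produces JSON that still has to be read by hand. As an added example (not part of this benchmark), the script below applies the Test Plan checks (encryption at rest, public exposure, CloudWatch log exports, and security group rules open to the world on the database port) to constructed sample output shaped like `describe-db-instances` and `describe-security-groups`; the instance identifiers, group IDs and CIDRs are made up.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output (not real account data).
SAMPLE_RDS = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "PubliclyAccessible": False,
     "EnabledCloudwatchLogsExports": ["audit", "error"], "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d"}]},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False, "PubliclyAccessible": True,
     "EnabledCloudwatchLogsExports": [], "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ffffff1"}]},
]})

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
        "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0ffffff1", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
        "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]})

def open_to_world(sg, port):
    """True if any ingress rule lets `port` in from 0.0.0.0/0 or ::/0 ("-1" = all traffic)."""
    for perm in sg.get("IpPermissions", []):
        in_range = perm.get("IpProtocol") == "-1" or perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if in_range and ("0.0.0.0/0" in cidrs or "::/0" in cidrs):
            return True
    return False

def review(rds_json, sg_json):
    """Map each DB instance to its Test Plan findings (encryption, exposure, logging, SG rules)."""
    sgs = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = {}
    for db in json.loads(rds_json)["DBInstances"]:
        issues = []
        if not db.get("StorageEncrypted"):
            issues.append("storage not encrypted at rest")
        if db.get("PubliclyAccessible"):
            issues.append("publicly accessible endpoint")
        if not db.get("EnabledCloudwatchLogsExports"):
            issues.append("no CloudWatch log exports enabled")
        port = db.get("Endpoint", {}).get("Port", 0)
        for ref in db.get("VpcSecurityGroups", []):
            sg = sgs.get(ref["VpcSecurityGroupId"])
            if sg and open_to_world(sg, port):
                issues.append(f"{sg['GroupId']} allows port {port} from any address")
        findings[db["DBInstanceIdentifier"]] = issues
    return findings
```

Calling `review(SAMPLE_RDS, SAMPLE_SGS)` returns an empty list for `orders-db` and four findings for `legacy-db`; in practice the two JSON arguments would be the saved output of the two CLI commands above.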

Backout Plan

Using AWS Console

  1. Revert to the previous IAM roles or configurations using backup documentation or snapshots.

  2. Restore old access control settings.

  3. Reapply previous network security rules.

  4. Disable or revert encryption or logging changes if necessary.

Using AWS CLI

Restore old IAM policy:

aws iam attach-role-policy --role-name <role-name> --policy-arn <old-policy-arn>

Revert security group:

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol <protocol> --port <port> --cidr <old-cidr>

Disable logging (if required temporarily):

aws logs delete-log-group --log-group-name <log-group-name>

References

CIS Controls Mapping

  Controls Version   Control ID   Description
  v8                 5            Account Management
  v7                 5            Secure Configuration for Hardware and Software on Devices