Profile Applicability:

  • Level 1

Description:
 Network security in AWS is achieved by controlling inbound and outbound traffic to databases with VPC security groups (stateful, instance-level) and network ACLs (stateless, subnet-level). Configuring these controls restrictively prevents unauthorized access and limits exposure to attacks from public or untrusted networks.

Rationale:
 Proper network security configurations prevent unauthorized users or malicious traffic from reaching database instances. By limiting who can reach the database port at all, these measures reduce exposure to attacks such as DDoS, SQL injection attempts, and unauthorized access.

Impact:
 Without network security enabled, databases are vulnerable to external attacks, leading to potential data breaches, data loss, or unauthorized access. Network security helps reduce exposure to these risks.

Default Value:
 By default, Amazon Aurora instances are launched within a VPC, and inbound traffic is blocked unless explicitly allowed by security group rules.

Pre-requisites:

  • An AWS account with VPC and Aurora instances.

  • Basic knowledge of AWS VPC, security groups, and NACLs.

Remediation:

Test Plan:

Using AWS Console:

  1. Go to VPC > Security Groups and ensure that only necessary IP ranges and ports are allowed for inbound and outbound traffic.

  2. Review the Network ACLs in VPC > Network ACLs and ensure that no inbound traffic is allowed on critical ports like SSH (22) or database ports (3306, 5432) from untrusted IP ranges.

  3. In RDS Dashboard, check that the Aurora instance is within a private subnet and not exposed to the public internet.

Using AWS CLI:

  1. Check the security groups associated with your Aurora instance:

     aws ec2 describe-security-groups --group-ids <sg-id>

  2. Verify the NACL rules:

     aws ec2 describe-network-acls --network-acl-ids <nacl-id>

  3. Confirm that the Aurora instance is in a private subnet and is not publicly accessible (PubliclyAccessible should be false):

     aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, DBSubnetGroup:DBSubnetGroup.DBSubnetGroupName, PubliclyAccessible:PubliclyAccessible}"
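
As an added check that is not part of this benchmark's own procedure, the following Python evaluates the JSON returned by the two describe commands above (passed in as parsed dicts; the sample data below is constructed): it flags database ports reachable from outside a set of trusted CIDRs, and it evaluates inbound NACL entries in ascending rule-number order, first match wins, which is why a deny entry only takes effect when its rule number is lower than any broader allow.

```python
import ipaddress

DB_PORTS = (3306, 5432)  # Aurora MySQL and Aurora PostgreSQL listener ports

def _covers_port(rule, port):
    """True if an IpPermissions entry covers TCP `port` ('-1' = all traffic, no port keys)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("IpProtocol") in ("tcp", "6") and \
        rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def open_db_ingress(sg, trusted_cidrs):
    """(port, cidr) pairs where a DB port is reachable from outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for port in DB_PORTS:
            for c in cidrs:
                net = ipaddress.ip_network(c, strict=False)
                if _covers_port(rule, port) and not any(
                        net.version == t.version and net.subnet_of(t) for t in trusted):
                    findings.append((port, c))
    return findings

def nacl_effective_action(entries, port, source_ip):
    """Evaluate inbound NACL entries as the VPC does: ascending RuleNumber, first match wins."""
    ip = ipaddress.ip_address(source_ip)
    for e in sorted((e for e in entries if not e["Egress"]), key=lambda e: e["RuleNumber"]):
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if not cidr or ip not in ipaddress.ip_network(cidr, strict=False):
            continue
        if e["Protocol"] != "-1":  # '6' is TCP; anything else cannot match a DB port
            pr = e.get("PortRange", {})
            if e["Protocol"] != "6" or not pr.get("From", 0) <= port <= pr.get("To", 65535):
                continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", None  # the implicit '*' deny at the end of every NACL

# Constructed sample data shaped like describe-security-groups / describe-network-acls output.
SAMPLE_SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
SAMPLE_NACL = [  # the allow-all at 100 shadows the deny added at 200, so the deny has no effect
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 200, "Protocol": "6", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0",
     "PortRange": {"From": 3306, "To": 3306}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]
```

Run against real output by loading the JSON from the commands above and passing each `SecurityGroups[i]` and each `NetworkAcls[i]["Entries"]` list to the two functions.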

Implementation Plan

Using AWS Console:

  1. Navigate to VPC > Security Groups and create or update the security group to only allow inbound traffic on required ports (e.g., MySQL/Aurora port) from trusted IP addresses.

  2. In VPC > Network ACLs, update rules to deny inbound traffic on ports that are not explicitly required (e.g., port 22 for SSH) and to restrict database ports (e.g., 3306 for MySQL) to trusted IP ranges.

  3. Ensure that the Aurora instance is placed within a private subnet, accessible only from specific, authorized networks.

Using AWS CLI:

  1. Create a new security group for the Aurora instance:

     aws ec2 create-security-group --group-name AuroraSG --description "Network security group for Aurora" --vpc-id <vpc-id>

  2. Add inbound rules to the security group:

     aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr <trusted-ip-range>

  3. Modify the NACL to deny inbound traffic on critical ports (NACL entries are evaluated in ascending rule-number order and the first match wins, so choose a rule number lower than any broader allow rule):

     aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --ingress --rule-number <rule-number> --rule-action deny --protocol tcp --port-range From=3306,To=3306 --cidr-block 0.0.0.0/0

  4. Ensure the Aurora instance is in a private subnet:

     aws rds modify-db-instance --db-instance-identifier <db-id> --db-subnet-group-name <private-subnet-group> --apply-immediately

Backout Plan

Using AWS Console:

  1. In VPC > Security Groups, remove the restrictive inbound and outbound rules to revert to previous configurations.

  2. In VPC > Network ACLs, remove the deny rules and restore default access.

  3. Move the Aurora instance to a public subnet if needed for accessibility.

Using AWS CLI:

  1. Revert the security group rules:

     aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol tcp --port 3306 --cidr <trusted-ip-range>

  2. Remove NACL deny rules:

     aws ec2 delete-network-acl-entry --network-acl-id <nacl-id> --ingress --rule-number <rule-number>

  3. Move the Aurora instance to a public subnet (if applicable):

     aws rds modify-db-instance --db-instance-identifier <db-id> --db-subnet-group-name <public-subnet-group> --apply-immediately

References: