Profile Applicability:
- Level 1
Description:
Amazon RDS instances, including Aurora, should be deployed within a Virtual Private Cloud (VPC) to isolate them from the public internet and provide an additional layer of security. A VPC allows for control over networking configuration, including IP address range, subnets, route tables, and network gateways, to secure the database and resources.
Rationale:
Deploying database instances within a VPC provides a secure and isolated environment, reducing exposure to potential threats and unauthorized access. It enables control over inbound and outbound network traffic through security groups, NACLs, and route tables, and ensures that instances are not publicly accessible unless explicitly configured.
Impact:
If an RDS instance is not deployed within a VPC, it may be exposed to the public internet, which could lead to security risks such as unauthorized access or data breaches. Deploying within a VPC ensures that databases are isolated from the internet and reachable only by authorized users or services.
Default Value:
By default, Amazon Aurora is deployed within a VPC when created in the AWS Management Console. However, placement in a VPC alone does not guarantee network isolation; the chosen subnets, security groups, and public accessibility setting still have to be reviewed.
Pre-requisites:
An AWS account with Amazon Aurora database instances.
A VPC configured for secure networking.
Knowledge of VPC subnets, security groups, and NACLs.
Remediation:
Test Plan:
Using AWS Console:
Navigate to RDS Dashboard and select the Aurora instance.
Check the VPC ID in the Connectivity & Security section to ensure that the instance is deployed inside a VPC.
Review the Subnet Group and ensure that the Aurora instance is associated with a private subnet, not a public one.
Verify the Security Groups associated with the Aurora instance to ensure proper network access control.
Using AWS CLI:
Run the following command to verify the VPC and subnet for the Aurora instance:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier,VpcId:DBSubnetGroup.VpcId}"
Check the security group association:
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier,SecurityGroups:VpcSecurityGroups}"
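The two CLI checks above only show the VPC ID and security group IDs; a practitioner usually also wants to confirm that the instance is not flagged publicly accessible and that none of the subnet group's subnets routes 0.0.0.0/0 to an internet gateway. The following Python audit is an added example (not part of this benchmark text) that evaluates those conditions over constructed sample JSON shaped like the output of aws rds describe-db-instances and aws ec2 describe-route-tables. The instance, subnet, route table and security group identifiers in the sample data are made up for illustration; in practice the two documents would come from the CLI commands named.

```python
import json

# Constructed sample (not real account data): trimmed `aws rds describe-db-instances` output.
SAMPLE_DB_INSTANCES = json.loads("""
{
  "DBInstances": [
    {
      "DBInstanceIdentifier": "aurora-private-1",
      "Engine": "aurora-mysql",
      "PubliclyAccessible": false,
      "DBSubnetGroup": {
        "DBSubnetGroupName": "aurora-private-subnets",
        "VpcId": "vpc-0example1",
        "Subnets": [{"SubnetIdentifier": "subnet-0priv-a"}, {"SubnetIdentifier": "subnet-0priv-b"}]
      },
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example1", "Status": "active"}]
    },
    {
      "DBInstanceIdentifier": "aurora-exposed-1",
      "Engine": "aurora-postgresql",
      "PubliclyAccessible": true,
      "DBSubnetGroup": {
        "DBSubnetGroupName": "default",
        "VpcId": "vpc-0example1",
        "Subnets": [{"SubnetIdentifier": "subnet-0pub-a"}]
      },
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example2", "Status": "active"}]
    }
  ]
}
""")

# Constructed sample: trimmed `aws ec2 describe-route-tables` output for the same VPC.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0private",
      "Associations": [{"SubnetId": "subnet-0priv-a"}, {"SubnetId": "subnet-0priv-b"}],
      "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                 {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]
    },
    {
      "RouteTableId": "rtb-0public",
      "Associations": [{"SubnetId": "subnet-0pub-a"}],
      "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                 {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]
    }
  ]
}
""")


def public_subnets(route_tables):
    """Return the subnet IDs whose explicitly associated route table sends a default
    route (0.0.0.0/0 or ::/0) to an internet gateway, i.e. public subnets.
    Subnets with no explicit association fall back to the VPC main table, which this
    simplified check does not resolve."""
    public = set()
    for rtb in route_tables["RouteTables"]:
        has_igw_default = any(
            (route.get("DestinationCidrBlock") == "0.0.0.0/0"
             or route.get("DestinationIpv6CidrBlock") == "::/0")
            and str(route.get("GatewayId", "")).startswith("igw-")
            for route in rtb.get("Routes", [])
        )
        if has_igw_default:
            for assoc in rtb.get("Associations", []):
                if "SubnetId" in assoc:
                    public.add(assoc["SubnetId"])
    return public


def audit_instances(db_instances, route_tables):
    """Map each DB instance identifier to a list of findings; an empty list means the
    instance is in a VPC, not publicly accessible, on private subnets, and has a
    VPC security group attached."""
    public = public_subnets(route_tables)
    findings = {}
    for db in db_instances["DBInstances"]:
        issues = []
        group = db.get("DBSubnetGroup") or {}
        if not group.get("VpcId"):
            issues.append("not deployed in a VPC")
        if db.get("PubliclyAccessible"):
            issues.append("PubliclyAccessible is true")
        exposed = [s["SubnetIdentifier"] for s in group.get("Subnets", [])
                   if s["SubnetIdentifier"] in public]
        if exposed:
            issues.append("public subnets in subnet group: " + ", ".join(exposed))
        if not db.get("VpcSecurityGroups"):
            issues.append("no VPC security group attached")
        findings[db["DBInstanceIdentifier"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_instances(SAMPLE_DB_INSTANCES, SAMPLE_ROUTE_TABLES).items():
        print(name, "PASS" if not issues else "FAIL: " + "; ".join(issues))
```

The check treats a subnet as public when its route table carries a default route to an igw-* gateway, which is the condition that makes a subnet reachable from the internet; a route to a NAT gateway is not flagged because it allows only outbound traffic. Replacing the two constructed documents with the real CLI output (for example via json.load on a saved file) turns this into a repeatable audit for the Test Plan above.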
Implementation Plan:
Using AWS Console:
In the RDS Dashboard, go to Launch DB Instance and select the Amazon Aurora engine.
Under Connectivity, select the VPC where the Aurora instance will be deployed.
Ensure that the Subnet Group is configured for private subnets to isolate the database from the public internet.
Assign appropriate Security Groups to control access to the database.
Review other settings such as IAM roles, parameter groups, and maintenance windows before launching the instance.
Using AWS CLI:
Create a new Aurora DB cluster within a VPC, then add an instance to it. For Aurora, the subnet group and security groups are set on the cluster, and the DB subnet group determines the VPC (the create commands have no --vpc-id option):
aws rds create-db-cluster --db-cluster-identifier <cluster-id> --engine aurora-mysql --master-username <master-username> --master-user-password <master-password> --vpc-security-group-ids <sg-id> --db-subnet-group-name <subnet-group>
aws rds create-db-instance --db-instance-identifier <db-instance-id> --db-instance-class db.r5.large --engine aurora-mysql --db-cluster-identifier <cluster-id>
Change the security groups of an existing Aurora cluster (an Aurora cluster's subnet group, and therefore its VPC, cannot be changed with modify-db-cluster; moving a cluster to a different VPC or subnet group requires restoring a snapshot into the target subnet group):
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --vpc-security-group-ids <sg-id> --apply-immediately
Ensure the instance is properly connected to the VPC:
aws rds describe-db-instances --db-instance-identifier <db-instance-id> --query "DBInstances[].{VpcId:DBSubnetGroup.VpcId}"
Backout Plan:
Using AWS Console:
In the RDS Dashboard, go to the Modify DB Instance page.
Change the VPC and Subnet Group settings to revert to a previous configuration.
Review and reapply Security Groups as necessary.
Apply the changes and restart the instance if required.
Using AWS CLI:
Modify the Aurora cluster to revert to the previous security groups (reverting to a previous subnet group requires restoring a snapshot into that subnet group):
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --vpc-security-group-ids <old-sg-id> --apply-immediately
Detach the instance from the current VPC and assign it back to the previous configuration.
Verify the change by checking the VPC and subnet associations:
aws rds describe-db-instances --db-instance-identifier <db-instance-id> --query "DBInstances[].{VpcId:DBSubnetGroup.VpcId}"
References: