Profile Applicability:
 Level 1

Description:
 Configuring VPC security ensures that the Amazon Aurora instance is deployed within a secure and isolated virtual network. It includes configuring security groups, network access control lists (NACLs), and VPC peering to ensure that the database is protected from unauthorized access and that traffic is filtered appropriately.

Rationale:
 Proper VPC security configuration helps prevent unauthorized access to the database from external or internal sources. By isolating database instances within a VPC, controlling inbound and outbound traffic, and using security groups and NACLs, an organization can protect sensitive data and meet compliance requirements.

Impact:
 Without proper VPC security, the Aurora instance may be exposed to unauthorized access or attacks from the internet or other services within the network. Configuring VPC security properly ensures that only authorized users and services can communicate with the database, reducing the risk of data breaches or unauthorized actions.

Default Value:
 By default, Aurora instances are deployed in a VPC, but additional configuration is required to secure the network. Security groups and NACLs must be configured to restrict access and control traffic flow.

Pre-requisites:

  • An AWS account with administrative access to configure VPC, security groups, and NACLs.

  • Knowledge of network traffic flow, subnets, and IP addressing within a VPC.

  • An existing VPC with Aurora instances deployed.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to VPC > Security Groups, and verify that security groups are properly configured to restrict access to the Aurora instance. Only authorized IP ranges, VPCs, and services should be allowed.

  2. Review the Network ACLs (NACLs) associated with the Aurora instance’s subnet to ensure that they are properly filtering inbound and outbound traffic.

  3. In RDS > Databases, select the Aurora instance and ensure that it is deployed within the correct VPC and subnet. Verify that the VPC Security Group is configured to restrict access.

  4. Ensure that the Aurora instance is not publicly accessible by verifying that the Publicly Accessible setting is disabled.

  5. Check the VPC Peering connections (if any) to ensure that only authorized VPCs can access the Aurora instance.

Using AWS CLI:

  1. Run the following command to verify the Security Group configuration for the Aurora instance:

     aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, VpcSecurityGroups:VpcSecurityGroups}"

  2. Verify NACLs associated with the Aurora instance's subnet:

     aws ec2 describe-network-acls --query "NetworkAcls[].{NetworkAclId:NetworkAclId, Associations:Associations}"

  3. Ensure the VPC Security Group associated with the Aurora instance restricts access:

     aws ec2 describe-security-groups --group-ids <group-id> --query "SecurityGroups[].{GroupName:GroupName, GroupId:GroupId, IpPermissions:IpPermissions}"

  4. Verify that the Aurora instance is not publicly accessible:

     aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, PubliclyAccessible:PubliclyAccessible}"

  5. Check for VPC Peering connections:

     aws ec2 describe-vpc-peering-connections --query "VpcPeeringConnections[]"
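As an added example (not part of this benchmark or of any AWS tooling), the following Python script applies checks 1, 3 and 4 above to constructed JSON shaped like the output of "aws rds describe-db-instances" and "aws ec2 describe-security-groups"; the instance and security-group identifiers are made up, and the script flags instances that are publicly accessible or whose security group admits the database port from 0.0.0.0/0 or ::/0.

```python
import ipaddress
import json

# Constructed sample data (hypothetical identifiers), shaped like the two
# describe commands' JSON output. One Aurora MySQL instance, one security group.
DB_INSTANCES_JSON = """{"DBInstances": [{"DBInstanceIdentifier": "aurora-prod-1",
  "Engine": "aurora-mysql", "PubliclyAccessible": true, "Endpoint": {"Port": 3306},
  "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]}]}"""
SECURITY_GROUPS_JSON = """{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0",
  "GroupName": "aurora-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
  "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
  "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-tier"}]}]}]}"""

def rule_open_to_world(perm, port):
    """True if one IpPermissions entry admits `port` from 0.0.0.0/0 or ::/0."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
        return False
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A /0 prefix is the whole address space; security-group references are not CIDRs.
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)

def audit(db_json, sg_json):
    """Return a list of findings; an empty list means every check passed."""
    groups = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for db in json.loads(db_json)["DBInstances"]:
        name, port = db["DBInstanceIdentifier"], db["Endpoint"]["Port"]
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: PubliclyAccessible is true")
        for ref in db.get("VpcSecurityGroups", []):
            sg = groups.get(ref["VpcSecurityGroupId"])
            if sg is None:
                findings.append(f"{name}: security group {ref['VpcSecurityGroupId']} not found")
                continue
            for perm in sg.get("IpPermissions", []):
                if rule_open_to_world(perm, port):
                    findings.append(f"{name}: {sg['GroupId']} opens port {port} to the world")
    return findings

if __name__ == "__main__":
    for finding in audit(DB_INSTANCES_JSON, SECURITY_GROUPS_JSON):
        print("FAIL", finding)
```

Against real data, pipe the two commands' output into files and pass their contents to audit(); a security-group reference (UserIdGroupPairs) is never treated as world-open, only a /0 CIDR is.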

Implementation Plan:

Using AWS Console:

  1. Navigate to VPC > Security Groups and configure security groups to restrict access to the Aurora instance. Allow access only from trusted sources, such as specific IP addresses or services within the VPC.

  2. Review and configure Network ACLs (NACLs) to filter inbound and outbound traffic on the Aurora instance’s subnet, ensuring only necessary traffic is allowed.

  3. Ensure the Aurora instance is deployed in the correct VPC and subnet so that it is properly isolated.

  4. Set the Publicly Accessible setting to No to prevent direct access to the Aurora instance from the internet.

  5. Set up VPC Peering if necessary, and ensure that only authorized VPCs can communicate with the Aurora instance.

Using AWS CLI:

  1. Modify the Security Group to restrict access:

     aws ec2 authorize-security-group-ingress --region <region> --group-id <group-id> --protocol tcp --port <port> --cidr <allowed-ip-range>

  2. Update Network ACLs (NACLs) to filter traffic:

     aws ec2 create-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number> --protocol tcp --port-range From=<port>,To=<port> --cidr-block <allowed-ip-range> --rule-action allow

  3. Modify the Aurora instance to ensure it is deployed in the correct VPC:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --vpc-security-group-ids <security-group-id> --apply-immediately

  4. Set the Publicly Accessible flag to No:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-publicly-accessible --apply-immediately

  5. Set up VPC Peering to allow communication between authorized VPCs:

     aws ec2 create-vpc-peering-connection --vpc-id <vpc-id-1> --peer-vpc-id <vpc-id-2> --peer-region <peer-region>

Backout Plan:

Using AWS Console:

  1. In VPC > Security Groups, modify the security group to allow broader access if necessary, removing the restrictive rules.

  2. Review and update NACLs to allow more traffic if required.

  3. Ensure the Aurora instance is accessible from the public internet by enabling the Publicly Accessible setting if necessary.

  4. Remove or adjust the VPC Peering connection if it needs to be reverted.

Using AWS CLI:

  1. Modify the Security Group to allow broader access:

     aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port <port> --cidr <new-ip-range>

  2. Revert the NACLs configuration to allow more traffic:

     aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number>

  3. Make the Aurora instance publicly accessible:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --publicly-accessible --apply-immediately

  4. Delete or modify the VPC Peering connection:

     aws ec2 delete-vpc-peering-connection --vpc-peering-connection-id <peering-connection-id>

References: