Profile Applicability:
Level 2
Description:
Many cloud-based database services provide a "public mode" or "public access" option that allows the database to be reachable from any IP address on the internet. While convenient, enabling public access exposes the database to unauthorized users, increasing the risk of data breaches, data tampering, and other security incidents. Disabling public mode restricts access to trusted IP addresses or internal networks, thereby significantly reducing exposure and improving security posture.
Rationale:
Allowing unrestricted public access to databases exposes critical infrastructure to the internet, increasing the likelihood of attacks. By disabling public mode and limiting access through network controls (firewalls, security groups, VPCs), organizations reduce their attack surface, better protect sensitive data, and ensure compliance with security frameworks and regulations such as GDPR, HIPAA, and SOC 2.
Impact:
Pros:
Limits database access to trusted IPs and private networks only
Reduces risk of unauthorized access and data breaches
Aligns with compliance and regulatory requirements
Enhances overall organizational security posture
Cons:
Requires proper configuration of network access controls
Risk of disrupting legitimate connectivity if IPs or services are not correctly whitelisted
Default Value:
Most managed database services allow public access by default unless restricted by configuration or network rules. Public access should be disabled explicitly during or after deployment to avoid accidental exposure.
Pre-requisites:
Appropriate cloud IAM permissions to view and modify database instance settings (e.g., AWS
rds:DescribeDBInstances,rds:ModifyDBInstance)Access to network configuration components such as security groups, firewall rules, or VPC settings
Knowledge of legitimate IP addresses or networks that require access
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to RDS and select Databases from the left menu.
Select the database instance to inspect.
Under Connectivity & Security, check the Publicly Accessible setting.
Confirm if it is set to No (disabled). If set to Yes, public mode is enabled and must be disabled.
Using AWS CLI:
List all RDS database instances:
aws rds describe-db-instances --query "DBInstances[*].DBInstanceIdentifier"
For each instance, check the public accessibility:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"
Confirm that this returns
false(public mode disabled).
Implementation Plan:
Using AWS Console:
Open the RDS Console and navigate to Databases.
Select the target database instance.
In Connectivity & Security, set Publicly Accessible to No.
Save the changes.
Monitor for connectivity and functionality impacts.
Using AWS CLI:
Run the modify command to disable public access:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --publicly-accessible false
Verify the update:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"
Backout Plan:
Using AWS Console:
Sign in to AWS Management Console.
Navigate to RDS and select the affected database instance.
In Connectivity & Security, set Publicly Accessible back to Yes if connectivity issues arise.
Save the changes and verify connectivity.
Using AWS CLI:
Re-enable public access by running:
aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --publicly-accessible true
Confirm the change:
aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_IDENTIFIER> --query "DBInstances[0].PubliclyAccessible"
Troubleshoot any connectivity or access issues resulting from the rollback.
References:
CIS Controls Mapping:
Version | Control ID | Control Description |
|---|---|---|
7.1 | 4.1 | Ensure databases are not publicly accessible unless absolutely necessary. |
7.1 | 8.1 | Disable public access to databases to prevent unauthorized access. |