Profile Applicability:

  • Level 1

Description:

This control checks that the security groups attached to Amazon EC2 instances hosting MySQL do not allow inbound TCP traffic to port 3306 (the default MySQL port) from any address on the internet, that is, from source 0.0.0.0/0 or ::/0. Exposing MySQL to the internet increases the risk of unauthorized access, credential brute forcing, and data breaches. MySQL access should be limited to trusted IP ranges, VPN connections, or private networks, ideally by referencing the security group of the application servers that need it. If an instance runs MySQL on a non-default port, apply the same check to that port.

Rationale:

MySQL databases often store sensitive data, including application data and user credentials. If port 3306 is exposed to the internet, attackers can attempt to guess credentials or exploit vulnerabilities in the database service. Restricting access to MySQL instances via Security Groups or Network ACLs ensures that only authorized users or applications within trusted networks can access the database. This helps prevent unauthorized access and aligns with best practices and compliance standards like CIS, SOC 2, ISO 27001, and NIST 800-53. 

Impact:

  • Positive Impact: Reduces exposure of MySQL databases to unauthorized access and potential attacks, improving database security.

  • Negative Impact: May restrict legitimate remote administrative access if access is not properly configured via a secure method like VPN or bastion host. 

Default Value:

A newly created security group has no inbound rules, so MySQL on an instance using such a group is unreachable until a rule is added explicitly. The default security group that AWS creates in each VPC allows inbound traffic only from instances that use that same group, not from the internet.

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
  • Identification of trusted IP ranges or private networks that require MySQL access.

Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 → Security Groups.
  3. For each Security Group, review the Inbound Rules tab.
  4. Look for any rules where:
    • Protocol: TCP (or All traffic, which includes TCP)

    • Port Range: 3306, or a range that includes 3306 (for example 0-65535 or All)

    • Source: 0.0.0.0/0 or ::/0

  5. If such rules are found, the Security Group is non-compliant. Review wide port ranges and "All traffic" rules as well as rules that name 3306 exactly; they expose MySQL just the same.

Implementation Plan 

Using AWS Console:

  1. Navigate to EC2 → Security Groups.
  2. Select the non-compliant Security Group.
  3. Click Edit inbound rules.
  4. Delete any rule allowing TCP access on port 3306 from 0.0.0.0/0 or ::/0.
  5. Add new inbound rules to restrict MySQL access:
    • Source: a trusted range such as the VPC CIDR (e.g., 10.0.0.0/16), the public CIDR of your corporate office or VPN egress, or, preferably, the ID of the security group used by the application servers that need database access (sg-...). Never use 0.0.0.0/0 or ::/0 as the source.

  6. Click Save rules to apply the changes.
  7. Test that MySQL is still accessible from authorized sources but is no longer exposed to the internet.
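The test plan and implementation plan above can be carried out from the command line as well as the console. The following is example code added to this page, not part of the benchmark text: it audits the output of ec2:DescribeSecurityGroups for rules that expose TCP/3306 to 0.0.0.0/0 or ::/0 (including wide port ranges and "All traffic" rules, which a search for the literal port 3306 would miss) and builds the AWS CLI revoke/authorize pair that replaces each one. It assumes the DescribeSecurityGroups response shape and a caller-supplied trusted source (a CIDR or an sg- ID); the sample groups and the sg-0123456789abcdef0 app-server group are constructed for illustration.

```python
"""Audit VPC security groups for MySQL (TCP/3306) open to the internet and
build the AWS CLI commands that close each finding.

Example code added to this page, not part of the benchmark text. It assumes
the response shape of ec2:DescribeSecurityGroups ("SecurityGroups" ->
"IpPermissions") and a caller-supplied trusted replacement source. The
SAMPLE_SECURITY_GROUPS below are constructed, not real groups.
"""
import json
import shlex

MYSQL_PORT = 3306
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def rule_covers_port(perm, port=MYSQL_PORT):
    """True if an IpPermission admits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and ports. For "tcp", FromPort and
    ToPort give an inclusive range, so 0-65535 covers 3306 even though the
    rule never names that port.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def open_sources(perm):
    """Return the world-open CIDRs (v4 and v6) attached to one permission."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in OPEN_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_CIDRS]
    return v4 + v6


def find_open_mysql_rules(security_groups):
    """Return (GroupId, IpPermission, cidr) for every non-compliant rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm):
                for cidr in open_sources(perm):
                    findings.append((sg["GroupId"], perm, cidr))
    return findings


def is_trusted_source(source):
    """A replacement source must be a specific CIDR or a security group ID."""
    return source not in OPEN_CIDRS and (source.startswith("sg-") or "/" in source)


def _revoke_permission(perm, cidr):
    """Smallest IpPermission that matches only the offending source."""
    p = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        p["FromPort"], p["ToPort"] = perm["FromPort"], perm["ToPort"]
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    p[key] = [{field: cidr}]
    return p


def _allow_permission(source):
    """TCP/3306 only, from a security group (best for app servers) or a CIDR."""
    p = {"IpProtocol": "tcp", "FromPort": MYSQL_PORT, "ToPort": MYSQL_PORT}
    if source.startswith("sg-"):
        p["UserIdGroupPairs"] = [{"GroupId": source}]
    elif ":" in source:
        p["Ipv6Ranges"] = [{"CidrIpv6": source}]
    else:
        p["IpRanges"] = [{"CidrIp": source}]
    return p


def remediation_commands(finding, trusted_source):
    """Build the revoke/authorize pair for one finding.

    Revoking a "-1" (All traffic) rule removes more than MySQL; any other
    ports that rule legitimately served must be re-added explicitly.
    """
    if not is_trusted_source(trusted_source):
        raise ValueError(f"refusing to authorize from {trusted_source!r}")
    group_id, perm, cidr = finding
    revoke = shlex.quote(json.dumps([_revoke_permission(perm, cidr)]))
    allow = shlex.quote(json.dumps([_allow_permission(trusted_source)]))
    return [
        f"aws ec2 revoke-security-group-ingress --group-id {group_id} --ip-permissions {revoke}",
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} --ip-permissions {allow}",
    ]


# Constructed sample in the DescribeSecurityGroups shape: an exact 3306 rule open
# on v4 and v6, an all-ports range, a compliant group, and an All-traffic rule.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def main():
    # Use live data when boto3 and credentials are available (paginated, since an
    # account can hold more groups than one page); otherwise use the sample.
    try:
        import boto3
        pages = boto3.client("ec2").get_paginator("describe_security_groups").paginate()
        groups = [sg for page in pages for sg in page["SecurityGroups"]]
    except Exception:
        groups = SAMPLE_SECURITY_GROUPS
    for finding in find_open_mysql_rules(groups):
        print(f"NON-COMPLIANT {finding[0]}: {finding[1]['IpProtocol']} from {finding[2]}")
        for cmd in remediation_commands(finding, "sg-0123456789abcdef0"):  # hypothetical app-server SG
            print("  " + cmd)


if __name__ == "__main__":
    main()
```

Run the printed commands with `--dry-run` first to confirm the IAM permissions listed under Pre-Requisite are in place, then without it. The revoke call names the exact protocol, port range and source of the offending entry, so it removes only that entry and leaves other rules in the group untouched; the authorize call adds TCP/3306 only, and the script refuses to authorize from 0.0.0.0/0 or ::/0 so the original exposure cannot be recreated by mistake.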

Backout Plan:

Using AWS Console:

  1. If legitimate MySQL access is disrupted, re-add inbound TCP 3306 only for the specific trusted IP ranges or security groups that need it (never 0.0.0.0/0 or ::/0) while the secure access path is completed.
  2. Provide administrator access through AWS Systems Manager Session Manager (for example, a port-forwarding session to 3306) or a bastion host, so that no direct inbound path from the internet to the database is required.

References: