Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon EC2 instances hosting PostgreSQL databases do not allow unrestricted inbound access from the internet to TCP port 5432, the default PostgreSQL port. Exposing PostgreSQL to the internet without proper restrictions increases the risk of unauthorized access, brute-force attacks, and data breaches. Restricting this port ensures that only trusted IP addresses, networks, or secure methods (such as VPN or bastion hosts) can access the database. 

Rationale:

PostgreSQL often contains sensitive data and is a target for attackers attempting to exploit weak passwords, misconfigurations, or vulnerabilities. Exposing port 5432 to the internet without restrictions can lead to unauthorized access or data exfiltration. Restricting access to trusted IPs or internal networks ensures that only authorized users or services can connect to PostgreSQL instances, reducing the risk of exploitation. This practice aligns with the principle of least privilege and helps meet security and compliance requirements like CIS, SOC 2, ISO 27001, and NIST 800-53.

Impact:

  • Positive Impact: Enhances database security by preventing unauthorized external access to PostgreSQL, reducing the attack surface.

  • Negative Impact: Administrators or users outside of trusted networks will need to access PostgreSQL through secure methods, such as a VPN or bastion host. 

Default Value:

By default, AWS Security Groups deny all inbound traffic unless explicitly allowed, so PostgreSQL access is restricted until configured otherwise. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
  • A list of trusted IP ranges or networks that need PostgreSQL access.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Security Groups.

  3. Review the Inbound Rules tab for each Security Group.

  4. Look for any rules where:

    • Protocol: TCP

    • Port Range: 5432

    • Source: 0.0.0.0/0 or ::/0

  5. If such a rule exists, the Security Group is non-compliant.
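The same check as an automated audit, added here as an example (not part of the original control text): it walks the JSON shape returned by `aws ec2 describe-security-groups` (`IpPermissions`, `IpRanges`, `Ipv6Ranges`) and flags any group whose rule lets 0.0.0.0/0 or ::/0 reach TCP 5432. It goes slightly beyond the console steps above by also catching port ranges that merely cover 5432 and "all traffic" rules (`IpProtocol` "-1"); the sample data is constructed, and the group IDs are placeholders.

```python
"""Audit helper: flag Security Groups exposing PostgreSQL (TCP 5432) to the internet.

Operates on the response shape of `aws ec2 describe-security-groups`.
The SAMPLE data below is constructed for the example, not captured from an account.
"""
import json

PG_PORT = 5432
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "anywhere" sources


def rule_exposes_pg(perm: dict) -> bool:
    """True if one IpPermissions entry allows TCP 5432 from a public source."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols in the EC2 API
        return False
    if proto == "tcp":
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= PG_PORT <= hi:          # the rule's port range must cover 5432
            return False
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(src in PUBLIC_CIDRS for src in sources)


def find_noncompliant(describe_output: dict) -> list[str]:
    """Return GroupIds of groups with at least one world-open PostgreSQL rule."""
    return [
        sg["GroupId"]
        for sg in describe_output.get("SecurityGroups", [])
        if any(rule_exposes_pg(p) for p in sg.get("IpPermissions", []))
    ]


# Constructed sample in the DescribeSecurityGroups response shape (placeholder IDs).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0pgopen", "IpPermissions": [            # 5432 open to IPv4 world
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0pgv6", "IpPermissions": [              # range covers 5432, IPv6 world
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0pgok", "IpPermissions": [              # trusted sources only
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "203.0.113.25/32"}],
         "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    print(json.dumps(find_noncompliant(SAMPLE)))   # ["sg-0pgopen", "sg-0pgv6"]
```

Feed it real output with `aws ec2 describe-security-groups --output json` piped into `json.load`; an empty list means every group passes this check.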

Implementation Plan:

Using AWS Console:

  1. Navigate to EC2 → Security Groups.

  2. Select the non-compliant Security Group.

  3. Click Edit inbound rules.

  4. Identify and delete any rule that allows TCP access on port 5432 from 0.0.0.0/0 or ::/0.

  5. Add a more restrictive inbound rule to allow access only from trusted IP ranges or networks, such as:

    • Source: Internal CIDR block (e.g., 10.0.0.0/16) or specific trusted admin IPs (e.g., 203.0.113.25/32).

  6. Click Save rules to apply changes.

  7. Test that PostgreSQL remains accessible from the authorized sources and is not exposed to the public internet.

Backout Plan:

Using AWS Console:

  1. If PostgreSQL access is disrupted for legitimate users, temporarily re-add access for specific known IPs while investigating the issue.
  2. Implement a VPN or Bastion Host to securely manage PostgreSQL access for administrators outside of the allowed IP ranges.

References: