Control: 2.2.3 Ensure that RDS instances are not publicly accessible
Description
Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.
Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.
Remediation
From Console:
- Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
- Under the navigation panel, On RDS Dashboard, click
Databases
. - Select the RDS instance that you want to update.
- Click
Modify
from the dashboard top menu. - On the Modify DB Instance panel, under the
Connectivity
section, click onAdditional connectivity configuration
and update the value forPublicly Accessible
toNot publicly accessible
to restrict public access. - Follow the below steps to update subnet configurations:
- Select the
Connectivity and security
tab, and click on the VPC attribute value inside theNetworking
section. - Select the
Details
tab from the VPC dashboard bottom panel and click on Route table configuration attribute value. - On the Route table details page, select the Routes tab from the dashboard bottom panel and click on
Edit routes
. - On the Edit routes page, update the Destination of Target which is set to
igw-xxxxx
and click onSave
routes.
- On the Modify DB Instance panel, click
Continue
, and in the Scheduling of modifications section, perform one of the following actions based on your requirements:
- Select
Apply during the next scheduled maintenance window
to apply the changes automatically during the next scheduled maintenance window. - Select
Apply immediately
to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.
- Repeat steps 3-7 for each RDS instance in the current region.
- Change the AWS region from the navigation bar to repeat the process for other regions.
From Command Line:
- Run the
describe-db-instances
command to list all available RDS database identifiers in the selected AWS region:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
- The command output should return each database instance identifier.
- Run the
modify-db-instance
command to modify the configuration of a selected RDS instance, disabling thePublicly Accessible
flag for that instance. This command uses theapply-immediately
flag. If you want to avoid any downtime, the--no-apply-immediately
flag can be used:
aws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately
- The command output should reveal the
PubliclyAccessible
configuration under pending values and should get applied at the specified time. - Updating the Internet Gateway destination via the AWS CLI is not currently supported. To update information about the Internet Gateway, please use the AWS Console procedure.
- Repeat steps 1-5 for each RDS instance provisioned in the current region.
- Change the AWS region by using the --region filter to repeat the process for other regions.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v400_2_2_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v400_2_2_3 --share
SQL
This control uses a named query:
rds_db_instance_prohibit_public_access