In this blog post, we will take a look at the top 15 AWS RDS misconfigurations that you should avoid. Before getting started, let us brush up our knowledge on what AWS RDS is!
We will be covering the below topics:
- What is AWS RDS?
- The 15 Common AWS RDS Misconfigurations
- How Can Cloudanix Help?
What Is AWS RDS?
Amazon Relational Database Service (Amazon RDS) is a web service that helps in setting up, operating, and scaling a relational database in the cloud. AWS RDS provides cost-efficient, resizable capacity for an industry-standard relational database and manages everyday database administration tasks. To protect you from any attacks and information leaks, Amazon RDS provides you with specific configurations that enable your cloud and data backup, software patching, automatic failure detection, and recovery. However, as a CISO or cloud security associate, you need to ensure that your account is configured with the best practices of AWS RDS to achieve the CIA triad(confidentiality, integrity, and availability of data) of security.
The 15 Common AWS RDS Misconfigurations
Let us take a look at the top 15 AWS RDS misconfigurations you should avoid in 2021.
To avoid any AWS RDS misconfiguration, ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible. By having a public snapshot, you give another AWS account permission to copy your snapshots and create database instances from it. This leads to exposing your private data. Having a public snapshot and the threats arising from them also violate compliance standards like the GDPR, NIST, PCI DSS, ARPA, and MAS.
Not enabling automated backups is a misconfiguration and affects the availability of your system/product. You should enable automated backups of your RDS database instances to ensure point-in-time recovery. This helps you to have an efficient data restoration process. Furthermore, compliance standards like NIST and ARPA require you to follow this step.
RDS database instances should be encrypted to fulfill compliance requirements for data-at-rest encryption. This is even more important in production databases that store sensitive information. This is a critical configuration that often goes over-looked and results in data leaks, which can be your worst nightmare. Furthermore, the GDPR, HIPAA, PCI DSS, APRA, MAS, and NIST require encryption of data and charge hefty fines in the event of a violation.
You should always free up storage space. Low space on disk drives can cause misconfigurations. You can also scale up RDS instances that run on low disk space. This will avoid any problems arising from insufficient disk space, thereby affecting your product’s availability. Implement this configuration to achieve better performance efficiency.
Publicly Accessible RDS Instance
Another big red flag is a publicly accessible RDS instance. When your RDS instance is public, it offers unrestricted access for anyone and everyone to establish a connection to your database. Having this misconfiguration is an open invitation to brute-force attacks, DDoS attacks, and SQL injections. Furthermore, you will pay heavy fines as this security arrangement would violate the GDPR, HIPAA, APRA, PCI DSS, MAS, and NIST compliance standards.
Transport Encryption Feature Disabled
To avoid this misconfiguration, ensure that Microsoft SQL Server and PostgreSQL instances provisioned with AWS RDS have the Transport Encryption feature enabled. This is even more important while storing, process and transporting Protected Health Information (PHI) since HIPAA compliance explicitly makes it mandatory to have this configuration.
Idle RDS Instances
Another Misconfiguration can be avoided by identifying any Amazon RDS database instances that appear to be idle and delete them to help lower the cost of your monthly AWS bill. This will help in cost optimization.
Overutilized RDS Instances
Identify any Amazon RDS database instances that appear to be overutilized and upgrade (upsize) them to better handle the database workload and improve the response time. If you do not upgrade the RDS database, it can decrease the quality of work and response time, thereby affecting your data integrity and availability.
Use Customer-Managed Keys instead of AWS-Managed Keys
Ensure that your RDS database instances use KMS CMK customer-managed keys rather than AWS-managed keys to have more granular control over your data-at-rest encryption/decryption process. Doing this is one step towards achieving GDPR, APRA, MAS, and NIST compliance.
RDS Instances Provisioned in VPC Public Subnets
To avoid this misconfiguration, ensure that no AWS RDS database instances are provisioned inside VPC public subnets to protect them from direct exposure to the Internet. Instead, provision them in private subnets to prevent inbound traffic from the public internet. This will also ensure the security of the AWS RDS database.
Not Renewing RDS Reserved Instances before the expiration
Ensure that your AWS RDS Reserved Instances (RIs) are renewed before expiration to get the appropriate discount on these instances’ hourly charges.
Failed RDS Reserved Instances
Identify any failed RDS Reserved Instances (RIs) available within your AWS account. A failed RDS RI is an unsuccessful reservation that received the “payment-failed” status during the purchase process.
Pending RDS Reserved Instances Purchases
Building on the previous misconfiguration, another misconfiguration is not keeping track of your pending RDS RI purchases. Identify any pending RDS Reserved Instance (RI) purchases available within your AWS account. A payment-pending RDS RI purchase is a reservation purchase that cannot be fully processed due to the payment method’s issues.
Underutilized RDS Instances
Another misconfiguration is not resizing underutilized AWS RDS instances. Identify any Amazon RDS database instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill.
RDS Reserved Instances not having corresponding DB Instances
Ensure that all your AWS RDS Reserved Instances (RI) have corresponding database instances running within the same account or within any AWS accounts members of an AWS Organization.
How Can Cloudanix Help?
RDS Misconfigurations issues are not new. It is the largest issue faced by organizations for years. It is essential to understand what they are and why acting on them immediately is necessary. Cloudanix provides you with a recipe for best practices for RDS that helps audits your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! What’s more? You can sign up for a free trial here today!