RDS Instances Should Not Be Publicly Accessible
More Info:
RDS instances should not be launched into the public cloud. Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be accessed from within a VPC only.Risk Level
HighAddress
SecurityCompliance Standards
NISTTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of RDS instances being publicly accessible in AWS, you can follow these steps using the AWS Management Console:
- Log in to the AWS Management Console: Go to https://aws.amazon.com/ and log in to your AWS account.
- Navigate to the RDS Dashboard: Click on the “Services” dropdown menu at the top of the page, select “RDS” under the Database section.
- Select the RDS Instance: From the list of RDS instances, select the instance that you want to modify the security group for by clicking on its identifier.
- Modify the Security Group: In the RDS instance details page, scroll down to the “Security group rules” section. Click on the security group name listed there.
- Edit Inbound Rules: In the security group’s “Inbound rules” tab, you will see the current rules allowing inbound traffic to the RDS instance. To make the RDS instance not publicly accessible, you need to remove the rule that allows inbound traffic from any source (0.0.0.0/0).
- Delete the Public Access Rule: Find the rule that allows inbound traffic from 0.0.0.0/0 (or any IP address range), select it, and click on the “Delete” or “Remove” button to remove this rule.
- Add Specific IP Addresses (Optional): If you still need to access the RDS instance from specific IP addresses or ranges, you can add new inbound rules to allow traffic only from those specific sources.
- Save Changes: After removing the public access rule and adding specific IP addresses if necessary, click on the “Save rules” or “Apply changes” button to apply the new security group rules.
Using CLI
Using CLI
To remediate the issue of RDS instances being publicly accessible in AWS using AWS CLI, follow these steps:
-
Identify the security group associated with the RDS instance:
Run the following AWS CLI command to get the details of the security group associated with the RDS instance:
Note down the Security Group ID associated with the RDS instance.
-
Update the inbound rules of the security group to restrict access:
Run the following AWS CLI command to revoke the ingress rule that allows public access to the RDS instance. Replace
<your-security-group-id>and<your-ip-cidr>with the actual values.This command will remove the ingress rule that allows access to port 3306 (MySQL) from the specified IP CIDR range. -
Verify the changes:
Run the following AWS CLI command to describe the inbound rules of the security group and confirm that the public access rule has been revoked:
Using Python
Using Python
To remediate the misconfiguration of RDS instances being publicly accessible in AWS using Python, you can follow these steps:
- Import the necessary libraries:
- Initialize the AWS client for RDS:
- Get a list of all RDS instances:
- Iterate through each RDS instance and check if it is publicly accessible. If it is, modify the security group to remove public access:
- Run the script to remediate the misconfiguration.