How to resolve Sprinto check for protecting AWS RDS from public access

About

Sprinto Check: AWS RDS database should be protected from direct internet traffic

Securing AWS RDS: Restricting Public Access

As a critical security best practice, Amazon RDS (Relational Database Service) instances should only be exposed internally within their Virtual Private Cloud (VPC) and restricted to instances that specifically need to communicate with the database. Avoiding a public endpoint for RDS instances, unless there is a clear business requirement, is crucial for minimizing potential security risks.

Procedure: Restricting Public Access to RDS Instances

Follow these steps to secure your AWS RDS instances by restricting public access:

Step 1: Log in to the AWS Account

Log in to your AWS account using your credentials.

Step 2: Navigate to RDS Instances

Navigate to the Databases section, select RDS, and choose the specific RDS instance that requires an update. Click on the Modify button.

Step 3: Modify DB Instance Connectivity

On the Modify DB Instance page, in the Connectivity section, under Additional Configuration, select Not publicly accessible to restrict public access.

Step 4: Confirm and Apply Changes

Click Continue, and at the bottom of the next page, check Apply Immediately.

Step 5: Apply Configuration Changes

Click Modify DB Instance. Once the configuration changes are applied, the instance will be updated.

Step 6: Review Instance Details

Click on the instance name, and the summary will open with all the details.

Step 7: Edit VPC Security Groups

Under the Connectivity & Security section in the bottom panel, click on the active VPC security groups name to select it for editing.

Step 8: Edit Inbound Rules

On the VPC Security Groups page, select the Inbound Rules tab from the bottom panel and click the Edit Inbound Rules button to edit the selected security group's ingress rules.

Step 9: Update Inbound Rules

In the Edit Inbound Rules dialog box, identify any inbound rules with the Source set to Anywhere (0.0.0.0/0) and update them using one of the following actions:

• To grant access to a certain IP address:

  • Select Custom IP from the Source dropdown list.

  • Enter the IP address CIDR that you want to authorize in the Source field.

  • Click the Save button to save the changes.

• To grant access to an EC2 Security Group:

  • Select Custom IP from the Source dropdown list.

  • Enter the EC2 security group ID that you want to authorize in the Source field.

  • Click the Save button to save the changes.

AWS CLI Remediation

If you prefer using AWS CLI for remediation, follow these steps:

1. To list all RDS database names in a particular region:

Generic

2. To modify the selected RDS instance connection configuration:

Generic

3. To fetch the VPC security group ID associated with the instance:

Generic4. To revoke the VPC security group inbound rule with the CIDR set to 0.0.0.0/0:

Generic

5. To authorize custom access based on IP/CIDR:

Generic

6. To authorize custom access based on existing EC2 security groups:

Generic

If you encounter any difficulties during this process, reach out to the Support Team or contact your dedicated Customer Success Manager for assistance.