How to resolve Sprinto check for protecting AWS RDS from public access

About

Sprinto Check: AWS RDS database should be protected from direct internet traffic

Securing AWS RDS: Restricting Public Access

As a critical security best practice, Amazon RDS (Relational Database Service) instances should be reachable only from inside their Virtual Private Cloud (VPC), and only from the resources that actually need to talk to the database. Unless there is a clear, documented business requirement, an RDS instance should not have a public endpoint: with Public access enabled, the instance endpoint resolves to a public IP address, and anyone who can reach a port opened by the attached VPC security group can attempt to authenticate. Two settings control this exposure and both must be reviewed: the instance's public accessibility flag, and the inbound rules of the VPC security groups attached to it.

Procedure: Restricting Public Access to RDS Instances

Follow these steps to secure your AWS RDS instances by restricting public access:

Step 1: Log in to the AWS Account

Log in to your AWS account using your credentials.

Step 2: Navigate to RDS Instances

Open the Amazon RDS console, choose Databases in the left navigation, select the RDS instance that requires an update, and click the Modify button.

Step 3: Modify DB Instance Connectivity

On the Modify DB Instance page, in the Connectivity section, under Additional Configuration, select Not publicly accessible to restrict public access.

Step 4: Confirm and Apply Changes

Click Continue, and at the bottom of the next page, check Apply Immediately.

Step 5: Apply Configuration Changes

Click Modify DB Instance. Once the configuration changes are applied, the instance will be updated.

Step 6: Review Instance Details

Click on the instance name, and the summary will open with all the details.

Step 7: Edit VPC Security Groups

Under the Connectivity & security tab, in the Security section, click the name of an active VPC security group to open it for editing. Repeat the following steps for every security group attached to the instance, since any one of them can expose the database.

Step 8: Edit Inbound Rules

On the VPC Security Groups page, select the Inbound Rules tab from the bottom panel and click the Edit Inbound Rules button to edit the selected security group's ingress rules.

Step 9: Update Inbound Rules

In the Edit Inbound Rules dialog box, identify any inbound rules whose Source is Anywhere-IPv4 (0.0.0.0/0) or Anywhere-IPv6 (::/0) and replace them using one of the following actions:

  • To grant access to a specific IP address range:

    • Select Custom from the Source dropdown list.

    • Enter the IP address range in CIDR notation (a single host is a /32) in the Source field.

    • Click the Save rules button to save the changes.

  • To grant access to an EC2 security group (for example, the group attached to your application servers):

    • Select Custom from the Source dropdown list.

    • Enter the security group ID (sg-...) that you want to authorize in the Source field.

    • Click the Save rules button to save the changes.

Keep only the database port open on these rules (for example 3306 for MySQL/MariaDB, 5432 for PostgreSQL, 1433 for SQL Server, 1521 for Oracle); a rule that allows all traffic or all ports from the same source should be narrowed as well.

AWS CLI Remediation

If you prefer to remediate with the AWS CLI, follow these steps. Replace the <...> placeholders with your own region, DB instance identifier, security group ID, protocol and database port.

1. To list the RDS instance identifiers in a region together with their current public-access setting:

    aws rds describe-db-instances --region <region> --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]' --output table

2. To modify the selected RDS instance so that it is no longer publicly accessible:

    aws rds modify-db-instance --region <region> --db-instance-identifier <name of db> --no-publicly-accessible --apply-immediately

3. To fetch the VPC security group IDs associated with the instance:

    aws rds describe-db-instances --region <region> --db-instance-identifier <name of db> --query 'DBInstances[*].VpcSecurityGroups[*].VpcSecurityGroupId' --output text

4. To revoke the security group inbound rule whose source is 0.0.0.0/0. The protocol and port range must match the existing rule exactly: a rule that opens all ports is not removed by naming only the database port. An IPv6 rule with source ::/0 must be revoked through --ip-permissions, because --cidr accepts IPv4 ranges only.

    aws ec2 revoke-security-group-ingress --region <region> --group-id <value> --protocol <value> --port <value> --cidr 0.0.0.0/0

5. To authorize access from a specific IP range (CIDR):

    aws ec2 authorize-security-group-ingress --region <region> --group-id <value> --protocol <value> --port <value> --cidr <value>

6. To authorize access from an existing EC2 security group (for example, the group attached to your application servers):

    aws ec2 authorize-security-group-ingress --region <region> --group-id <value> --protocol <value> --port <value> --source-group <value>
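The following script is an added example, not part of the Sprinto article or of any AWS tooling. It takes the JSON that `aws rds describe-db-instances` and `aws ec2 describe-security-groups` return, finds every instance flagged PubliclyAccessible, finds every security group rule that exposes the database port to 0.0.0.0/0 or ::/0, and prints the exact remediation commands. It generalizes the CLI steps above in one respect: the revoke is emitted through --ip-permissions with the stored rule's own protocol and port range, so it also removes all-ports (-1) and IPv6 rules that --port/--cidr alone cannot. The instance names, security group IDs and rule data are constructed sample input; nothing is executed against AWS.

```python
"""Audit AWS CLI JSON for internet-reachable RDS instances and emit exact fixes.

Added example with constructed sample data. To use it for real, replace the
SAMPLE_* dicts with the output of:
  aws rds describe-db-instances --region <region>
  aws ec2 describe-security-groups --region <region> --group-ids <sg-id>
"""
import json
import shlex

ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"

# Constructed sample: one publicly accessible MySQL instance, one private Postgres.
SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
         "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60789", "Status": "active"}]},
        {"DBInstanceIdentifier": "reports-db", "Engine": "postgres",
         "PubliclyAccessible": False, "Endpoint": {"Port": 5432},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba987654321f", "Status": "active"}]},
    ]
}

# Constructed sample security group: 3306 open to the world and to 10.0.0.0/16,
# an all-traffic IPv6 rule open to the world, and a legitimate app-tier SG rule.
SAMPLE_SG = {
    "SecurityGroups": [{
        "GroupId": "sg-0a1b2c3d4e5f60789",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": ANYWHERE_V4}, {"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": ANYWHERE_V6}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        ],
    }]
}


def public_db_instances(describe_db_instances):
    """Return (identifier, port, [security group ids]) for each PubliclyAccessible instance."""
    found = []
    for db in describe_db_instances["DBInstances"]:
        if db.get("PubliclyAccessible"):
            sgs = [g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])]
            found.append((db["DBInstanceIdentifier"], db["Endpoint"]["Port"], sgs))
    return found


def rule_covers_port(perm, port):
    """True if a rule reaches the DB port: all traffic (-1) or a TCP range containing it."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def open_to_internet(describe_sgs, port):
    """Return (group id, IpPermission) for every rule exposing the port to 0.0.0.0/0 or ::/0.

    The IpPermission keeps the stored rule's exact protocol and port range but only the
    world-open CIDRs, so it can be passed verbatim to --ip-permissions and the narrower
    entries (10.0.0.0/16, the app SG) in the same rule survive the revoke.
    """
    offenders = []
    for sg in describe_sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not rule_covers_port(perm, port):
                continue
            v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] == ANYWHERE_V4]
            v6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANYWHERE_V6]
            if not (v4 or v6):
                continue
            entry = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":  # all-traffic rules carry no port range
                entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
            if v4:
                entry["IpRanges"] = v4
            if v6:
                entry["Ipv6Ranges"] = v6
            offenders.append((sg["GroupId"], entry))
    return offenders


def remediation_commands(region, db_id, offenders):
    """Build the AWS CLI commands to run; this function only formats them."""
    cmds = [f"aws rds modify-db-instance --region {region} --db-instance-identifier "
            f"{shlex.quote(db_id)} --no-publicly-accessible --apply-immediately"]
    for sg_id, perm in offenders:
        cmds.append(f"aws ec2 revoke-security-group-ingress --region {region} --group-id {sg_id} "
                    f"--ip-permissions {shlex.quote(json.dumps([perm]))}")
    return cmds


if __name__ == "__main__":
    for db_id, port, _sgs in public_db_instances(SAMPLE_DB_INSTANCES):
        print("\n".join(remediation_commands("us-east-1", db_id, open_to_internet(SAMPLE_SG, port))))
```

Review the printed commands before running them: the revoke removes only the 0.0.0.0/0 and ::/0 entries, so the 10.0.0.0/16 range and the application security group rule in the sample remain in place, and step 5 or 6 above is only needed if no legitimate source rule exists yet.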

If you encounter any difficulties during this process, reach out to the Support Team or contact your dedicated Customer Success Manager for assistance.
