RDS database instance should be inaccessible over the public internet

Description

Verify that RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.

Rationale

Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database, which can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.

Remediation

From the console

  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. In the navigation panel of the RDS Dashboard, click Databases.
  3. Select the RDS instance that you want to update.
  4. Click Modify from the dashboard top menu.
  5. On the Modify DB Instance panel, under the Connectivity section, click on Additional configuration and update the value for Public Access to Not publicly accessible to restrict public access. Follow the below steps to update subnet configurations:
     • Select the Connectivity and security tab, and click on the VPC attribute value inside the Networking section.
     • Select the Details tab from the VPC dashboard bottom panel and click on Route table configuration attribute value.
     • On the Route table details page, select the Routes tab from the dashboard bottom panel and click Edit routes.
     • On the Edit routes page, update the Destination of Target which is set to igwxxxxx and click Save routes.
  6. In the Modify DB Instance panel, click Continue and in the Scheduling of Modifications section, perform one of the following actions based on your requirements:
     • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
     • Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance.

Note: Any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.

  7. Repeat steps 3 to 6 for each RDS instance available in the current region.
  8. Change the AWS region from the navigation bar to repeat the process for other regions.

From the command line

  1. Run the describe-db-instances command to list the identifiers of all RDS database instances available in the selected AWS region:

    aws rds describe-db-instances --region <region-name> \
     --query 'DBInstances[*].DBInstanceIdentifier'
    
  2. The command output should return each database instance identifier.

  3. Run the modify-db-instance command to modify the selected RDS instance configuration. The following command disables the Publicly Accessible flag for the selected RDS instance. This command uses the --apply-immediately flag. If you want to avoid any downtime, the --no-apply-immediately flag can be used instead:

    aws rds modify-db-instance --region <region-name> \
    --db-instance-identifier <db-name> \
    --no-publicly-accessible \
    --apply-immediately
    
  4. The command output should show the Publicly Accessible configuration under pending values; the change is applied at the specified time.

  5. Update the Internet Gateway Destination from the AWS Console. Updating the Internet Gateway Destination from the CLI is not supported.

  6. Repeat steps 1 to 5 for each RDS instance provisioned in the current region.

  7. Change the AWS region by using the --region filter to repeat the process for other regions.
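
The audit side of this procedure, as an added example that is not part of the original page or of any AWS or Datadog tooling: it reads saved JSON output of `aws rds describe-db-instances` and `aws ec2 describe-security-groups` and reports instances that have the Publicly Accessible flag set or are attached to a security group open to 0.0.0.0/0 (or ::/0) on the database port. The function names, instance identifiers, and security group IDs are constructed for illustration.

```python
import json

# Constructed sample of `aws rds describe-db-instances` output (not real data).
SAMPLE_INSTANCES = json.loads("""{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": true,
   "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}]},
  {"DBInstanceIdentifier": "billing-db", "PubliclyAccessible": false,
   "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}]},
  {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": false,
   "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ccc"}]}
]}""")

# Constructed sample of `aws ec2 describe-security-groups` output (not real data).
SAMPLE_GROUPS = json.loads("""{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
    "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
    "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1",
    "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")

def open_to_world(group, port):
    """True if any inbound rule admits 0.0.0.0/0 or ::/0 on `port`."""
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")  # "-1" means all protocols and ports
        covers = proto == "-1" or (
            proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        if covers and ("0.0.0.0/0" in cidrs or "::/0" in cidrs):
            return True
    return False

def audit(instances, groups):
    """Findings for instances flagged public or attached to a world-open group."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    findings = []
    for db in instances["DBInstances"]:
        port = db.get("Endpoint", {}).get("Port")  # absent while an instance is creating
        sg_ids = [s["VpcSecurityGroupId"] for s in db.get("VpcSecurityGroups", [])]
        open_sgs = [i for i in sg_ids if port and i in by_id and open_to_world(by_id[i], port)]
        public = bool(db.get("PubliclyAccessible"))
        if public or open_sgs:
            findings.append({"id": db["DBInstanceIdentifier"],
                             "public_flag": public, "open_groups": open_sgs})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INSTANCES, SAMPLE_GROUPS))
```

An instance such as `reports-db` is reported even though its flag is off, because its security group would expose it the moment the flag or routing changes; instances with `public_flag` set are the ones to pass to the `modify-db-instance` command in step 3.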

References

  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
  3. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html
  4. https://aws.amazon.com/rds/faqs/