AWS RDS Database is not publicaly exposed

Description:

Having an AWS RDS (Relational Database Service) cluster exposed to the public introduces substantial security risks. Public accessibility can lead to unauthorized access, data leaks, and exploitation threats. It's essential to limit RDS cluster exposure to trusted IP addresses or internal AWS resources to maintain data security and adhere to best practices.

Remediation:

1. Restricting Public Access for New AWS RDS Clusters:

AWS Management Console:

Go to the RDS dashboard.
Select "Create database".
In the creation wizard, locate the "Public Accessibility" option.
Set "Public Accessibility" to "No" to ensure the RDS cluster isn't publicly accessible.
Continue with the other database settings and click "Create".

AWS CLI:

aws rds create-db-cluster --db-cluster-identifier YourClusterName --engine aurora --master-username yourmasteruser --master-user-password yourpassword --publicly-accessible false

Terraform:

In your Terraform configuration, define the RDS cluster resource.
Ensure the publicly_accessible attribute is set to false.

resource "aws_rds_cluster" "example" {
  cluster_identifier      = "example-cluster"
  engine                  = "aurora-mysql"
  master_username         = "root"
  master_password         = "password"
  publicly_accessible     = false
  ...
}

2. Modify Existing AWS RDS Clusters to Restrict Public Access:

AWS Management Console:

Navigate to the RDS dashboard.
Select the RDS cluster to modify.
Click "Modify".
In "Network & Security", set "Public Accessibility" to "No".
Click "Continue", then "Modify DB Cluster".

AWS CLI:

aws rds modify-db-cluster --db-cluster-identifier YourClusterName --no-publicly-accessible

Terraform:

Update the publicly_accessible attribute to false in your existing Terraform RDS cluster resource and apply the changes.

resource "aws_rds_cluster" "example" {
  cluster_identifier      = "example-cluster"
  publicly_accessible     = false
  ...
}

3. Secure Access with Security Groups and Network ACLs:

Update security groups linked to the RDS cluster to allow only trusted IPs or internal AWS resources.
Implement Network Access Control Lists (ACLs) for an extra security layer.

4. Monitor and Audit:

AWS Management Console:

Utilize AWS Config to track RDS cluster configurations regarding public accessibility.
Regularly review security group rules and network ACLs tied to RDS clusters.

AWS CLI:

Routinely execute CLI commands to check RDS configurations and security group rules.

5. Document and Train:

Revise internal security policies to cover RDS cluster configuration standards.
Educate technical teams on securing RDS clusters and the importance of restricting public access.

Implementing these steps will significantly boost the security of your AWS RDS clusters, safeguarding them from unauthorized access and potential security hazards.

Updated 5 months ago