Ensure public access is disabled for Amazon Relational Database Service (Amazon RDS) instances

HIGH

Description

Amazon RDS instances can be created independently of clusters, yet a single standalone instance can still host numerous databases. Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS RDS Console.
  2. In the RDS Dashboard, click on instances.
  3. Select the RDS instance that you want to examine, click the Instance Actions button in the dashboard top menu and select See Details.
  4. Make sure the Publicly Accessible flag is not set to 'Yes' and that the security group associated with the instance does not allow access from everyone, i.e. '0.0.0.0/0'.

In Terraform -

  1. In the aws_db_instance resource, set publicly_accessible to false.
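The check below is an added example, not part of this policy page or the scanner it describes: it reads `terraform show -json` plan output (a constructed sample is embedded) and lists every aws_db_instance whose publicly_accessible is true, so the rule can be enforced before apply. The sample plan content and the `find_public_rds` function name are assumptions.

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan` output,
# trimmed to the fields this check reads (assumed for illustration).
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_db_instance.public", "type": "aws_db_instance",
             "values": {"identifier": "orders-db", "publicly_accessible": True}},
            {"address": "aws_db_instance.private", "type": "aws_db_instance",
             "values": {"identifier": "ledger-db", "publicly_accessible": False}},
            # publicly_accessible omitted: the provider documents false as default
            {"address": "aws_db_instance.unset", "type": "aws_db_instance",
             "values": {"identifier": "legacy-db"}},
        ],
        "child_modules": [{"address": "module.reporting", "resources": [
            {"address": "module.reporting.aws_db_instance.bi",
             "type": "aws_db_instance",
             "values": {"identifier": "bi-db", "publicly_accessible": True}},
        ]}],
    }}
})


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_rds(plan_json):
    """Return the addresses of aws_db_instance resources planned as public."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for resource in iter_resources(root):
        if resource.get("type") != "aws_db_instance":
            continue
        # An unset flag is left alone: the provider's documented default is false.
        if resource.get("values", {}).get("publicly_accessible") is True:
            findings.append(resource["address"])
    return findings


if __name__ == "__main__":
    for address in find_public_rds(SAMPLE_PLAN):
        print(f"AC_AWS_0054: {address} has publicly_accessible = true")
```

Run it against real output with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `find_public_rds`.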

References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/infrastructure-security.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible

Policy Details

Rule Reference ID: AC_AWS_0054
CSP: AWS
Remediation Available: Yes
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks