Ensure Amazon Relational Database Service (Amazon RDS) instances are not open to a public scope

HIGH

Description

Allowing unrestricted, public access to cloud services exposes an application to external attack. Restricting this access is generally considered best practice.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS RDS Console.
  2. In the RDS Dashboard, click on instances.
  3. Select the RDS instance that you want to examine, click the Instance Actions button in the dashboard top menu, and select See Details.
  4. Make sure the security group associated with the instance does not allow access from everyone, i.e. a source of '0.0.0.0/0'.

In Terraform -

  1. In the aws_db_security_group resource, set appropriate rules for the ingress object.
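The following is an added example, not code from this policy page or from the Terraform provider documentation. It shows the ingress rule that this policy flags beside a compliant form, and then (going beyond the aws_db_security_group resource named above) the same constraint for a VPC deployment, where the RDS instance is attached to an aws_security_group. Resource names, the 10.20.0.0/16 range, the port, the variable name and the instance settings are assumptions chosen for illustration.

```hcl
# Added example, not code from the policy page or the Terraform provider docs.
# Resource names, the 10.20.0.0/16 range, the port and the variable name are
# assumptions chosen for illustration.

# NON-COMPLIANT: an ingress rule with a 0.0.0.0/0 source lets any host on the
# internet reach the database; this is the condition the policy flags.
resource "aws_db_security_group" "app_db_open" {
  name = "app-db-sg-open"

  ingress {
    cidr = "0.0.0.0/0"
  }
}

# COMPLIANT: ingress restricted to a private address range and to a named
# security group. No rule uses 0.0.0.0/0 (or the IPv6 equivalent ::/0).
resource "aws_db_security_group" "app_db" {
  name = "app-db-sg"

  ingress {
    cidr = "10.20.0.0/16"            # assumed private application subnet range
  }

  ingress {
    security_group_name = "app-tier" # assumed EC2 security group name
  }
}

# The same constraint for a VPC deployment: the database security group only
# admits traffic from the application-tier security group, and the instance
# is attached to it through vpc_security_group_ids.
variable "vpc_id" {
  type = string                      # assumed input: the VPC hosting the database
}

resource "aws_security_group" "app_tier" {
  name   = "app-tier-sg"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "rds" {
  name   = "app-db-vpc-sg"
  vpc_id = var.vpc_id

  ingress {
    description     = "PostgreSQL from the application tier only"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app_tier.id]   # no cidr_blocks at all
  }
}

resource "aws_db_instance" "app" {
  identifier                  = "app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "appadmin"
  manage_master_user_password = true
  vpc_security_group_ids      = [aws_security_group.rds.id]
  publicly_accessible         = false
  skip_final_snapshot         = true
}
```

When reviewing a plan, the value to look for in every ingress block is a cidr (or cidr_blocks entry) of 0.0.0.0/0 or ::/0; referencing a security group instead of an address range removes the possibility of an over-broad source entirely.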

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group

Policy Details

Rule Reference ID: AC_AWS_0067
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: Security Group

Frameworks