📁 AWS RDS Aurora Cluster access is not consistent 🟢

  • Contextual name: 📁 Aurora Cluster access is not consistent 🟢
  • ID: /ce/ca/aws/rds/aurora-cluster-access-consistency
  • Located in: 📁 AWS RDS

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY
    • SECURITY

Similar Policies

Logic

Description

Ensure that all database instances within your Amazon Aurora clusters have consistent accessibility settings, either all public or all private, in alignment with the Fault-Tolerance AWS best practices. This practice ensures seamless connectivity and optimal failover performance for your Aurora clusters.

Rationale

It is highly recommended that all database instances running within an Aurora cluster be either all publicly accessible or all privately accessible. Otherwise, in case of a failover, the new writer instance might go from publicly accessible to privately accessible (or the reverse) and obstruct connectivity to the database cluster.

In the event of a failover, the accessibility setting (public or private) of the instance should remain consistent to avoid connectivity issues. A discrepancy in accessibility settings can lead to a situation where an instance switches from being publicly accessible to privately accessible, disrupting access to the database cluster.

Consistency in accessibility settings helps maintain a secure network environment and ensures compliance with organizational policies and regulatory requirements. Publicly accessible instances expose databases to the internet, which might be necessary for some applications but could pose security risks if not managed properly.


Remediation

Identify the Violating AWS RDS Aurora Clusters

From Console
  1. Log in to the AWS management console and navigate to the RDS dashboard at AWS RDS Console.

  2. In the left navigation panel, choose Databases.

  3. Select the Aurora database cluster that you want to examine. Check the database engine type in the Engine column (e.g., Aurora MySQL or Aurora PostgreSQL).

  4. Click on the name of the writer/reader database instance within the selected Aurora cluster.

  5. Select the Connectivity & Security tab and check the Public Accessibility attribute value to determine if the selected instance is publicly accessible:

    • Yes: The database instance is publicly accessible.
    • No: The instance is not publicly accessible.

  6. Repeat steps 4 and 5 for every instance in the cluster. If the verified cluster database instances have different values for the Public Accessibility attribute, the instances within the selected Amazon Aurora database cluster do not have the same accessibility. In case of failover, the connectivity to the cluster will be lost.
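The console walkthrough above checks one instance at a time. The following is an added example (not part of this policy page or of Cloudaware's own rule logic) that performs the same check programmatically: it groups Aurora instances by `DBClusterIdentifier` and reports any cluster whose members disagree on `PubliclyAccessible`, which is the API-side equivalent of the Public Accessibility attribute shown in the console. The sample records, cluster and instance names are constructed for illustration; the `collect_live_instances` helper assumes `boto3` is installed and credentials with `rds:DescribeDBInstances` are available, and is only needed when running against a real account.

```python
"""Flag Aurora clusters whose member instances have inconsistent public accessibility."""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample modelled on the shape of rds:DescribeDBInstances output,
# trimmed to the fields this check needs. All identifiers are made up.
SAMPLE_INSTANCES: List[dict] = [
    {"DBInstanceIdentifier": "app-db-writer", "DBClusterIdentifier": "app-cluster",
     "Engine": "aurora-mysql", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "app-db-reader-1", "DBClusterIdentifier": "app-cluster",
     "Engine": "aurora-mysql", "PubliclyAccessible": True},   # mismatch: a failover could change exposure
    {"DBInstanceIdentifier": "reports-writer", "DBClusterIdentifier": "reports-cluster",
     "Engine": "aurora-postgresql", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "reports-reader", "DBClusterIdentifier": "reports-cluster",
     "Engine": "aurora-postgresql", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "PubliclyAccessible": True},                               # standalone RDS, not part of a cluster
]


def group_aurora_members(instances: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group Aurora cluster members by cluster id; non-Aurora and standalone instances are ignored."""
    members: Dict[str, List[dict]] = defaultdict(list)
    for inst in instances:
        cluster = inst.get("DBClusterIdentifier")
        if not cluster or not inst.get("Engine", "").startswith("aurora"):
            continue
        members[cluster].append(inst)
    return dict(members)


def find_inconsistent_clusters(instances: Iterable[dict]) -> Dict[str, Dict[str, bool]]:
    """Return {cluster_id: {instance_id: publicly_accessible}} for clusters whose members disagree.

    A cluster is compliant with this policy when every member reports the same
    PubliclyAccessible value (all public or all private).
    """
    findings: Dict[str, Dict[str, bool]] = {}
    for cluster, insts in group_aurora_members(instances).items():
        flags = {i["DBInstanceIdentifier"]: bool(i.get("PubliclyAccessible", False)) for i in insts}
        if len(set(flags.values())) > 1:
            findings[cluster] = flags
    return findings


def collect_live_instances(region_name: str = None) -> List[dict]:
    """Fetch every DB instance in a region with boto3 (assumption: boto3 installed, credentials present)."""
    import boto3  # imported lazily so the offline part of this example runs without it
    rds = boto3.client("rds", region_name=region_name)
    paginator = rds.get_paginator("describe_db_instances")
    return [inst for page in paginator.paginate() for inst in page["DBInstances"]]


if __name__ == "__main__":
    # Replace SAMPLE_INSTANCES with collect_live_instances("us-east-1") to audit a real account.
    for cluster, flags in find_inconsistent_clusters(SAMPLE_INSTANCES).items():
        detail = ", ".join(f"{name}={'public' if pub else 'private'}" for name, pub in flags.items())
        print(f"NON-COMPLIANT {cluster}: {detail}")
```

Run as a script it prints one line per non-compliant cluster; in the constructed sample only `app-cluster` is reported, because its writer is private while its reader is public. The standalone `legacy-mysql` instance is skipped since the policy only concerns Aurora cluster members.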


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 Cloudaware Framework → 💼 Secure Access (43)
💼 Cloudaware Framework → 💼 System Configuration (24)