
🛡️ AWS RDS Aurora Cluster access is not consistent🟢

Description

Ensure that all database instances within your Amazon Aurora clusters have consistent accessibility settings, either all public or all private, in alignment with AWS fault-tolerance best practices. This practice ensures seamless connectivity and optimal failover performance for your Aurora clusters.

Rationale

It is highly recommended to keep all database instances within an Aurora cluster either all publicly accessible or all privately accessible. During failover, an instance can switch roles (a reader is promoted to writer), and inconsistent accessibility settings can obstruct connectivity to the database cluster.

In the event of a failover, the accessibility setting (public or private) of the instance should remain consistent to avoid connectivity issues. A discrepancy in accessibility settings can lead to a situation where an instance switches from being publicly accessible to privately accessible, disrupting access to the database cluster.

Consistency in accessibility settings helps maintain a secure network environment and ensures compliance with organizational policies and regulatory requirements. Publicly accessible instances expose databases to the internet, which might be necessary for some applications but could pose security risks if not managed properly.

Remediation

Identify the Violating AWS RDS Aurora Clusters

From Console
  1. Log in to the AWS Management Console and navigate to the RDS dashboard (AWS RDS Console).

  2. In the left navigation panel, choose Databases.

  3. Select the Aurora database cluster that you want to examine. Check the database engine type in the Engine column (e.g., Aurora MySQL or Aurora PostgreSQL).

  4. Click the name of a writer or reader database instance within the selected Aurora cluster.

  5. Select the Connectivity & Security tab and check the Public Accessibility attribute value to determine whether that instance is publicly accessible:

    • Yes: The database instance is publicly accessible.
    • No: The database instance is not publicly accessible.

  6. Repeat steps 4 and 5 for every instance in the cluster. If the verified database instances have different values for the Public Accessibility attribute, the instances within the selected Amazon Aurora database cluster do not have the same accessibility, and connectivity to the cluster can be lost during a failover.
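The same check scripted against the output of `aws rds describe-db-instances`, as an added example that is not Cloudaware's policy logic or AWS code; the instance records below are constructed sample data with hypothetical cluster and instance names, and the script filters on Aurora engines because `DBClusterIdentifier` is also set on non-Aurora Multi-AZ DB clusters.

```python
"""Flag Aurora clusters whose instances disagree on PubliclyAccessible."""
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `aws rds describe-db-instances --output json`,
# trimmed to the fields this check reads. Cluster/instance names are hypothetical.
SAMPLE_DESCRIBE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "aurora-prod-writer", "DBClusterIdentifier": "aurora-prod",
         "Engine": "aurora-mysql", "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "aurora-prod-reader-1", "DBClusterIdentifier": "aurora-prod",
         "Engine": "aurora-mysql", "PubliclyAccessible": True},
        {"DBInstanceIdentifier": "aurora-bi-writer", "DBClusterIdentifier": "aurora-bi",
         "Engine": "aurora-postgresql", "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "aurora-bi-reader-1", "DBClusterIdentifier": "aurora-bi",
         "Engine": "aurora-postgresql", "PubliclyAccessible": False},
        # Standalone (non-cluster) instance: out of scope for this policy.
        {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "PubliclyAccessible": True},
    ]
}


def group_aurora_instances(db_instances):
    """Group instances by DBClusterIdentifier, keeping only Aurora engines
    (aurora, aurora-mysql, aurora-postgresql); standalone instances are dropped."""
    clusters = defaultdict(list)
    for inst in db_instances:
        cluster_id = inst.get("DBClusterIdentifier")
        if cluster_id and inst.get("Engine", "").startswith("aurora"):
            clusters[cluster_id].append(inst)
    return dict(clusters)


def find_inconsistent_clusters(describe_output):
    """Return {cluster_id: {instance_id: publicly_accessible}} for every Aurora
    cluster whose instances do not all share one PubliclyAccessible value."""
    violations = {}
    for cluster_id, insts in group_aurora_instances(describe_output["DBInstances"]).items():
        access = {i["DBInstanceIdentifier"]: bool(i.get("PubliclyAccessible")) for i in insts}
        if len(set(access.values())) > 1:  # mixed public/private within one cluster
            violations[cluster_id] = access
    return violations


if __name__ == "__main__":
    # Live use: `aws rds describe-db-instances --output json | python check_aurora_access.py`;
    # with no piped input the constructed sample is checked instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_DB_INSTANCES
    for cluster_id, access in find_inconsistent_clusters(data).items():
        print(f"{cluster_id}: inconsistent PubliclyAccessible across instances -> {access}")
```

Run it in every region the account uses, since `describe-db-instances` only lists instances in the region the CLI is configured for.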

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Cloudaware Framework → 💼 Network Exposure | 132 | no data
💼 Cloudaware Framework → 💼 System Configuration | 56 | no data