Skip to main content

πŸ“ AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟒

  • Contextual name: πŸ“ Instance is publicly accessible and in an unrestricted public subnet 🟒
  • ID: /ce/ca/aws/rds/instance-publicly-accessible-in-public-subnet
  • Located in: πŸ“ AWS RDS

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-f937c35f1

Logic​

Description​

Open File

Description​

Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.

Rationale​

Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.

Audit​

From Console​
  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. Under the navigation panel, On RDS Dashboard, click Databases.
  3. Select the RDS instance that you want to examine.

... see more

Remediation​

Open File

Remediation​

Using AWS CloudFormation​

  • CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Disable public accessibility on an existing RDS instance

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: Identifier of the existing RDS DB instance

Resources:
  SecureRdsInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      PubliclyAccessible: false

From Command Line​

  1. Run describe-db-instances command to list all RDS database names identifiers, available in the selected AWS region:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
  1. The command output should return each database instance identifier.
  2. Run modify-db-instance command to modify the selected RDS instance configuration. Then use the following command to disable the Publicly Accessible flag for the selected RDS instances. This command use the apply-immediately flag. If you want to avoid any downtime --no-apply-immediately flag can be used:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36d access management controls β€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1414
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36e hardware and software asset controls β€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1616
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2930
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52d appropriate segmentation of data, based on sensitivity and access needs;1010
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.1010
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 2.3.3 Ensure that public access is not given to RDS Instance - Level 1 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 2.3.3 Ensure that public access is not given to RDS Instance - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 2.3.3 Ensure that public access is not given to RDS Instance - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 2.2.3 Ensure that RDS instances are not publicly accessible (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 2.2.3 Ensure that RDS instances are not publicly accessible (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 2.2.3 Ensure that RDS instances are not publicly accessible (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access77
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3764
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23675
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1142
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10845
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)25
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(21) Isolation of System Components (H)19
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)30
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)160
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)42
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)739
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)25
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18
πŸ’Ό GDPR β†’ πŸ’Ό Art. 25 Data protection by design and by default1010
πŸ’Ό GDPR β†’ πŸ’Ό Art. 46 Transfers subject to appropriate safeguards22
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1920
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1126
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.15 Access control1430
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.3 Information access restriction1023
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.4 Access to source code821
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1752
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained45
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties88
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326885
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information910
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3742
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29447
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services25
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception418
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic19
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(16) Boundary Protection _ Prevent Discovery of System Components20
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(21) Boundary Protection _ Isolation of System Components19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7138
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1035
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7825
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.619
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.6
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.5 Permit only β€œestablished” connections into the network.19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.5
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 7.2.1 Coverage of all system components.7
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.35
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.17
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.19
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.5
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.7
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.735
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.717
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.719
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.5
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.7
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-6 Manages Points of Access57
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3638