Skip to main content

Remediation

Using AWS CloudFormationโ€‹

  • CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Disable public accessibility on an existing RDS instance

Parameters:
  DBInstanceIdentifier:
    Type: String
    Description: Identifier of the existing RDS DB instance

Resources:
  SecureRdsInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      PubliclyAccessible: false

From Command Lineโ€‹

  1. Run describe-db-instances command to list all RDS database names identifiers, available in the selected AWS region:
aws rds describe-db-instances --region <region-name> --query 'DBInstances[*].DBInstanceIdentifier'
  1. The command output should return each database instance identifier.
  2. Run modify-db-instance command to modify the selected RDS instance configuration. Then use the following command to disable the Publicly Accessible flag for the selected RDS instances. This command use the apply-immediately flag. If you want to avoid any downtime --no-apply-immediately flag can be used:
aws rds modify-db-instance --region <region-name> --db-instance-identifier <db-name> --no-publicly-accessible --apply-immediately
  1. The command output should reveal the PubliclyAccessible configuration under pending values and should get applied at the specified time.
  2. Updating the Internet Gateway Destination via AWS CLI is not currently supported To update information about Internet Gateway use the AWS Console Procedure.
  3. Repeat steps 1 to 5 for each RDS instance provisioned in the current region.
  4. Change the AWS region by using the --region filter to repeat the process for other regions.

From Consoleโ€‹

  1. Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
  2. Under the navigation panel, On RDS Dashboard, click Databases.
  3. Select the RDS instance that you want to update.
  4. Click Modify from the dashboard top menu.
  5. On the Modify DB Instance panel, under the Connectivity section, click on Additional connectivity configuration and update the value for Publicly Accessible to Not publicly accessible to restrict public access.
  6. Follow the below steps to update subnet configurations:
  • Select the Connectivity and security tab, and click on the VPC attribute value inside the Networking section.
  • Select the Details tab from the VPC dashboard bottom panel and click on Route table configuration attribute value.
  • On the Route table details page, select the Routes tab from the dashboard bottom panel and click on Edit routes.
  • On the Edit routes page, update the Destination of Target which is set to igw-xxxxx and click on Save routes.
  1. On the Modify DB Instance panel Click on Continue and In the Scheduling of modifications section, perform one of the following actions based on your requirements:
  • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  • Select Apply immediately to apply the changes right away. With this option, any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.
  1. Repeat steps 3 to 7 for each RDS instance available in the current region.
  2. Change the AWS region from the navigation bar to repeat the process for other regions.