6.30 Ensure RDS Database is not publically accessible

Information

Amazon Relational Database Service (RDS) is a managed relational database service which handles routine database tasks such as provisioning, patching, backup, recovery, failure detection, and repair.

There are 6 database engines available for customer to run their database workloads on:

* Amazon Aurora (MySQL Compatible)
* MySQL
* MariaDB
* Oracle
* Microsoft SQL Server
* PostgreSQL

Customers can deploy RDS databases within a VPC through the configuration of:

* Subnet Group for RDS, this group will be used for deployment of single or Multi-AZ RDS instances.
* Network access through configuration of Security Groups for RDS
* Access from outside the VPC hosting the DB instance by enabling/disabling a Public IP address
Network access to the managed Data-Tier must be tightly controlled using Security Groups for RDS and non local accessibility of the DB instance.

Solution

Using the Amazon unified command line interface:

* Modify each publicly accessible DB instance, and make it private:

aws rds modify-db-instance --db-instance-identifier <your_db_instance> --no-publicly-accessible

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7

Plugin: amazon_aws

Control ID: 56d153b3ac04278966be48fdbd16a8715a41224daf5db1f8874d73a565a266b0