
RDS instance is not publicly accessible

rds

Description

Ensure your RDS instance is not publicly accessible: the instance's PubliclyAccessible attribute should be disabled, and the security groups attached to it should not allow ingress on the database port from the whole internet (0.0.0.0/0 or ::/0).

Rationale

A publicly accessible RDS instance is assigned a public IP address; if a security group attached to it also allows ingress on the database port from 0.0.0.0/0 or ::/0, anyone on the internet can open a connection to the database engine. That exposure invites credential brute-forcing, DoS/DDoS against the endpoint, direct exploitation of the engine's listener, and, once any credential is obtained, execution of arbitrary SQL without needing an injection flaw in your application. Database connectivity should be limited to the application subnets, a VPN or bastion range, or the application's own security group.

Remediation

From the command line

  1. Run the modify-db-instance command to turn off the PubliclyAccessible attribute, which removes the instance's public IP address. The --apply-immediately flag applies the change now instead of waiting for the next maintenance window.

    aws rds modify-db-instance \
        --region INSERT_DB_INSTANCE_REGION \
        --db-instance-identifier INSERT_DB_INSTANCE_NAME \
        --no-publicly-accessible \
        --apply-immediately
    
  2. Run the revoke-security-group-ingress command on each security group attached to the instance to remove the rule that lets any IPv4 address reach the database port. Port 3306 is the MySQL/MariaDB default; for other engines use the instance's actual port (for example 5432 for PostgreSQL, 1433 for SQL Server, 1521 for Oracle), as reported in Endpoint.Port by describe-db-instances.

    aws ec2 revoke-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr 0.0.0.0/0
    
  3. For IPv6 (::/0), use the same revoke-security-group-ingress command from step 2, but describe the rule with the --ip-permissions option, which takes a JSON description of the rule; the --cidr shorthand maps to an IPv4 range only. See the aws-cli documentation for revoke-security-group-ingress for the exact JSON shape.

  4. After removing the 0.0.0.0/0 and ::/0 ranges, add back a narrower rule with the authorize-security-group-ingress command so that only your application subnets, VPN range, or bastion host can reach the port. Where the clients are EC2 instances in the same VPC, referencing their security group instead of a CIDR is tighter still.

    aws ec2 authorize-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr INSERT_SMALLER_CIDR_RANGE
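The four steps above are easy to get subtly wrong by hand (wrong port for the engine, forgetting the IPv6 range, or revoking a rule on a group the instance does not use). The script below, an added example that is not Datadog's or AWS's code, evaluates the condition this rule describes and generates the exact commands from the steps above. It works on the JSON shapes returned by `aws rds describe-db-instances` and `aws ec2 describe-security-groups`, but the two documents embedded in it are constructed samples rather than captured output, and the region and replacement CIDR passed to it are assumptions. It goes slightly beyond the page by checking reachability (public endpoint flag combined with a world-open ingress rule on the engine's real port) rather than the flag alone, and by handling the IPv6 case with `--ip-permissions`.

```python
"""
Check whether an RDS instance is reachable from the internet and emit the
remediation commands for it.

Added example (not Datadog's or AWS's code). The two documents below are
constructed samples in the shape of describe-db-instances and
describe-security-groups output; region and replacement CIDR are assumptions.
"""
import ipaddress

# Constructed sample of one entry from describe-db-instances. It is a
# PostgreSQL instance, so the listener is on 5432, not the 3306 shown on the page.
DB_INSTANCE = {
    "DBInstanceIdentifier": "orders-db",
    "Engine": "postgres",
    "PubliclyAccessible": True,
    "Endpoint": {"Address": "orders-db.example.rds.amazonaws.com", "Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
}

# Constructed sample of describe-security-groups output, keyed by group id.
# The first rule is the finding; the SSH rule is a distractor on another port.
SECURITY_GROUPS = {
    "sg-0123456789abcdef0": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        ]
    }
}


def rule_covers_port(rule, port):
    """An ingress rule reaches `port` if it is all-protocol (-1) or a TCP range containing it."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any range with a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_ingress(instance, groups):
    """(security_group_id, cidr) pairs that admit the whole internet to the DB port."""
    port = instance["Endpoint"]["Port"]
    findings = []
    for sg in instance["VpcSecurityGroups"]:
        sg_id = sg["VpcSecurityGroupId"]
        for rule in groups.get(sg_id, {}).get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            for r in rule.get("IpRanges", []):
                if is_world_cidr(r["CidrIp"]):
                    findings.append((sg_id, r["CidrIp"]))
            for r in rule.get("Ipv6Ranges", []):
                if is_world_cidr(r["CidrIpv6"]):
                    findings.append((sg_id, r["CidrIpv6"]))
    return findings


def is_internet_reachable(instance, groups):
    """Reachable only when the public endpoint flag AND a world-open ingress rule coincide."""
    return bool(instance.get("PubliclyAccessible")) and bool(open_ingress(instance, groups))


def remediation_commands(instance, groups, region, replacement_cidr):
    """The page's four steps as concrete aws-cli commands, using the engine's real port."""
    port = instance["Endpoint"]["Port"]
    name = instance["DBInstanceIdentifier"]
    cmds = [f"aws rds modify-db-instance --region {region} --db-instance-identifier {name} "
            f"--no-publicly-accessible --apply-immediately"]
    findings = open_ingress(instance, groups)
    for sg_id, cidr in findings:
        if ":" in cidr:
            # IPv6 ranges have no --cidr shorthand; the rule is passed as JSON instead.
            perm = (f'[{{"IpProtocol":"tcp","FromPort":{port},"ToPort":{port},'
                    f'"Ipv6Ranges":[{{"CidrIpv6":"{cidr}"}}]}}]')
            cmds.append(f"aws ec2 revoke-security-group-ingress --region {region} "
                        f"--group-id {sg_id} --ip-permissions '{perm}'")
        else:
            cmds.append(f"aws ec2 revoke-security-group-ingress --region {region} "
                        f"--group-id {sg_id} --protocol tcp --port {port} --cidr {cidr}")
    # One narrower replacement rule per affected group (assumed CIDR from the caller).
    for sg_id in sorted({sg_id for sg_id, _ in findings}):
        cmds.append(f"aws ec2 authorize-security-group-ingress --region {region} "
                    f"--group-id {sg_id} --protocol tcp --port {port} --cidr {replacement_cidr}")
    return cmds


if __name__ == "__main__":
    if is_internet_reachable(DB_INSTANCE, SECURITY_GROUPS):
        for cmd in remediation_commands(DB_INSTANCE, SECURITY_GROUPS, "us-east-1", "10.20.0.0/16"):
            print(cmd)
```

Running it against the sample prints four commands: the modify-db-instance call, an IPv4 revoke with `--cidr 0.0.0.0/0`, an IPv6 revoke using `--ip-permissions`, and one authorize for the replacement range. Review the printed commands before executing them; in particular, confirm the replacement CIDR really is the set of clients that need the database, and that the revoke matches the live rule (a rule that covers a port range rather than the single port must be revoked with the same range).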