Secure your RDS instance so it is not publicly accessible.
Unrestricted access to your RDS instance lets anyone on the internet open a connection to your database. This exposes the database engine to credential brute-forcing and DoS/DDoS attacks, and lets an attacker who obtains credentials (for example through a SQL injection flaw in a front-end application) connect to it directly instead of going through the application.
1. Run the modify-db-instance command to make the instance not publicly accessible. With PubliclyAccessible disabled, the instance's DNS name resolves only to a private IP, so it stays reachable from inside the VPC (and over peering or VPN) but not from the internet.

   aws rds modify-db-instance \
       --region INSERT_DB_INSTANCE_REGION \
       --db-instance-identifier INSERT_DB_INSTANCE_NAME \
       --no-publicly-accessible \
       --apply-immediately

2. Run the revoke-security-group-ingress command to remove the rule that lets any IPv4 address reach the database port. Port 3306 is the MySQL, MariaDB and Aurora MySQL default; use the port your instance actually listens on (PostgreSQL defaults to 5432, SQL Server to 1433, Oracle to 1521). The revoke must match the stored rule exactly: a rule that opens all ports, or an IPv6 rule, is not removed by this command.

   aws ec2 revoke-security-group-ingress \
       --region INSERT_DB_INSTANCE_REGION \
       --group-id INSERT_SECURITY_GROUP_ID \
       --protocol tcp \
       --port 3306 \
       --cidr 0.0.0.0/0

   For IPv6 (::/0), use the same command from step 2 but pass the rule through the --ip-permissions option instead of --cidr; see the aws-cli reference for revoke-security-group-ingress for the syntax.

3. After removing the 0.0.0.0/0 and ::/0 ranges from ingress, grant access only to the clients that need it with the authorize-security-group-ingress command: a narrower CIDR such as your application subnets or, better still, the application's own security group passed with --source-group in place of --cidr.

   aws ec2 authorize-security-group-ingress \
       --region INSERT_DB_INSTANCE_REGION \
       --group-id INSERT_SECURITY_GROUP_ID \
       --protocol tcp \
       --port 3306 \
       --cidr INSERT_SMALLER_CIDR_RANGE
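The commands above remove one specific rule. Before running them it helps to see every rule in the group that actually exposes the database port, including IPv6 rules and wide port ranges that a revoke for --port 3306 --cidr 0.0.0.0/0 does not match. The following Python script is an added example, not part of this page or of Datadog's or AWS's tooling: it reads describe-security-groups JSON (from stdin, or from a constructed sample when run without input; the group id and rules in the sample are made up) and prints the exact revoke-security-group-ingress call for each world-open rule, using the --ip-permissions shorthand so IPv4 and IPv6 rules are handled alike. The DEFAULT_PORTS table holds the engines' documented default listener ports; a custom port configured on the instance takes precedence. The file name rds_sg_audit.py in the usage note is an assumption.

```python
"""Find security-group ingress rules that expose an RDS port to the whole
internet, and emit the exact revoke commands for them.

Added example for this page, not Datadog's or AWS's own tooling. It reads the
JSON produced by `aws ec2 describe-security-groups` (from stdin, or the
constructed sample below) and needs only the standard library.
"""
import json
import sys

# Default listener ports per RDS engine. The page's commands assume MySQL (3306);
# other engines listen elsewhere, and a custom port on the instance overrides these.
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "sqlserver": 1433, "oracle": 1521,
}

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Constructed sample shaped like describe-security-groups output. The group id
# and the rules are made up for illustration.
SAMPLE = {
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            # the rule the page's step 2 revokes
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # an IPv6 rule that `--cidr 0.0.0.0/0` does not touch
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # an all-ports rule that also exposes 3306 but is not removed by a
            # revoke for --port 3306: revoke must match the stored rule exactly
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # a scoped rule that should stay
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    }]
}


def rule_covers_port(rule, port):
    """True if this ingress rule admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports (no port fields)
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_rules(describe_output, port):
    """Return (group_id, protocol, from_port, to_port, cidr) for every rule that
    lets the whole IPv4 or IPv6 internet reach `port`."""
    found = []
    for sg in describe_output["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])
                     if r["CidrIp"] == WORLD_V4]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])
                      if r["CidrIpv6"] == WORLD_V6]
            for cidr in cidrs:
                found.append((sg["GroupId"], rule["IpProtocol"],
                              rule.get("FromPort", -1), rule.get("ToPort", -1), cidr))
    return found


def revoke_command(group_id, proto, from_port, to_port, cidr, region):
    """Build the exact `aws ec2 revoke-security-group-ingress` call for one rule.
    The --ip-permissions shorthand is used because --cidr only takes IPv4; the
    rule must match the stored one exactly or nothing is revoked."""
    ports = "" if proto == "-1" else f",FromPort={from_port},ToPort={to_port}"
    ranges = (f"Ipv6Ranges=[{{CidrIpv6={cidr}}}]" if ":" in cidr
              else f"IpRanges=[{{CidrIp={cidr}}}]")
    return (f"aws ec2 revoke-security-group-ingress --region {region} "
            f"--group-id {group_id} --ip-permissions "
            f"'IpProtocol={proto}{ports},{ranges}'")


def main():
    # Usage: describe-security-groups JSON on stdin, optional port and region args.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PORTS["mysql"]
    region = sys.argv[2] if len(sys.argv) > 2 else "INSERT_DB_INSTANCE_REGION"
    for hit in world_open_rules(data, port):
        print(revoke_command(*hit, region))


if __name__ == "__main__":
    main()
```

Against the sample, the script reports three world-open rules on 3306 (the IPv4 rule from step 2, an IPv6 twin, and an all-ports rule) and leaves the 10.0.0.0/16 rule alone. Against a live group, pipe the CLI output in: aws ec2 describe-security-groups --region INSERT_DB_INSTANCE_REGION --group-ids INSERT_SECURITY_GROUP_ID | python3 rds_sg_audit.py 3306 INSERT_DB_INSTANCE_REGION. Review the printed commands before running them.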