RDS instance is not publicly accessible

rds

Description

Secure your RDS instance so that it is not publicly accessible: the instance's PubliclyAccessible attribute should be false, and no attached security group should admit the whole internet on the database port.

Rationale

A publicly accessible RDS instance gets a public IP address, and its endpoint resolves to it, so anyone on the internet who can pass the security group can open a connection to the database listener. That exposes the database to credential brute-forcing, DoS/DDoS against the instance itself, and direct exploitation of weaknesses in the engine or its authentication; it also removes the network layer of defense that would otherwise limit what an attacker can do with a leaked credential or a SQL injection flaw in an application, since the database can be reached without going through the application at all.

Remediation

From the command line

  1. Run the modify-db-instance command to make the instance not publicly accessible. With --apply-immediately the change is made right away rather than at the next maintenance window; afterwards the instance has no public IP and its endpoint resolves only to a private address inside the VPC.

    aws rds modify-db-instance \
        --region INSERT_DB_INSTANCE_REGION \
        --db-instance-identifier INSERT_DB_INSTANCE_NAME \
        --no-publicly-accessible \
        --apply-immediately
    
  2. Run the revoke-security-group-ingress command to remove the rule that lets any IPv4 address reach the database port. Port 3306 below is the MySQL/MariaDB/Aurora MySQL default; substitute your engine's port (for example 5432 for PostgreSQL, 1433 for SQL Server, 1521 for Oracle), which you can read from the Endpoint.Port field of describe-db-instances. Repeat for every security group attached to the instance.

    aws ec2 revoke-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr 0.0.0.0/0
    
  3. For IPv6, use the same command as in step 2 but pass the rule with the --ip-permissions option (an Ipv6Ranges entry for ::/0) instead of --cidr, which only accepts IPv4 ranges. See the aws-cli documentation for revoke-security-group-ingress for the exact syntax.

  4. After removing the 0.0.0.0/0 and ::/0 ranges from the ingress rules, add back only the ranges that actually need to reach the database (for example the application subnets, or the VPC CIDR) using the authorize-security-group-ingress command. Where possible, reference the application's security group instead of a CIDR.

    aws ec2 authorize-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr INSERT_SMALLER_CIDR_RANGE
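
The four steps above, turned into a check you can run before and after the change. This is an added example, not part of the original rule page and not Datadog's or AWS's code. It parses two constructed sample documents shaped like `aws rds describe-db-instances` and `aws ec2 describe-security-groups` output (the field names are the real API's; the instance name `orders-db`, the security group IDs, the endpoint address and every CIDR are made up), reports whether the instance is actually reachable from the internet, and builds the remediation commands with the engine's real port instead of a hard-coded 3306, including the IPv6 form of step 3. The replacement CIDR 10.20.0.0/16 and the region us-east-1 used in the usage are likewise assumed values.

```python
"""Audit an RDS instance for public exposure and build the remediation commands.

Added example, not Datadog's or AWS's code. The two documents below are
constructed samples shaped like `describe-db-instances` / `describe-security-groups`
output: field names are the real API field names, all identifiers are made up.
"""
import ipaddress
import json

SAMPLE_DB_INSTANCE = json.loads("""
{"DBInstanceIdentifier": "orders-db", "Engine": "postgres", "PubliclyAccessible": true,
 "Endpoint": {"Address": "orders-db.abcdefgh1234.us-east-1.rds.amazonaws.com", "Port": 5432},
 "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f67890", "Status": "active"}]}
""")

SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "orders-db-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0fedcba9876543210", "GroupName": "not-attached-to-the-db", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")


def _covers_tcp_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`.
    IpProtocol "-1" means all traffic and carries no FromPort/ToPort."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _is_any(cidr):
    """0.0.0.0/0 and ::/0 are the only /0 networks, i.e. 'everyone'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_ingress(db, sgs):
    """(group_id, cidr, is_ipv6) for every rule on a group attached to `db`
    that lets the whole internet reach the engine port. Groups that are not
    attached to the instance and rules on other ports are ignored."""
    port = db["Endpoint"]["Port"]
    attached = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"] if g["Status"] == "active"}
    findings = []
    for sg in sgs["SecurityGroups"]:
        if sg["GroupId"] not in attached:
            continue
        for perm in sg["IpPermissions"]:
            if not _covers_tcp_port(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                if _is_any(r["CidrIp"]):
                    findings.append((sg["GroupId"], r["CidrIp"], False))
            for r in perm.get("Ipv6Ranges", []):
                if _is_any(r["CidrIpv6"]):
                    findings.append((sg["GroupId"], r["CidrIpv6"], True))
    return findings


def audit(db, sgs):
    """PubliclyAccessible alone gives the instance a public IP (this rule's check);
    an open security group alone is only reachable from inside the VPC. The
    instance is reachable from the internet when both hold."""
    open_rules = open_ingress(db, sgs)
    public = bool(db["PubliclyAccessible"])
    return {"publicly_accessible": public, "open_ingress": open_rules,
            "internet_reachable": public and bool(open_rules)}


def _already_allows(sgs, group_id, port, cidr):
    """Authorizing a CIDR that is already present fails with InvalidPermission.Duplicate."""
    for sg in sgs["SecurityGroups"]:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg["IpPermissions"]:
            if _covers_tcp_port(perm, port) and any(r["CidrIp"] == cidr for r in perm.get("IpRanges", [])):
                return True
    return False


def remediation_commands(db, sgs, allowed_cidr, region):
    """Steps 1-4 as concrete commands, using the engine's port from the API
    and the --ip-permissions shorthand for the IPv6 revoke."""
    port = db["Endpoint"]["Port"]
    cmds, touched = [], []
    if db["PubliclyAccessible"]:
        cmds.append(f"aws rds modify-db-instance --region {region} "
                    f"--db-instance-identifier {db['DBInstanceIdentifier']} "
                    f"--no-publicly-accessible --apply-immediately")
    for gid, cidr, v6 in open_ingress(db, sgs):
        if gid not in touched:
            touched.append(gid)
        base = f"aws ec2 revoke-security-group-ingress --region {region} --group-id {gid} "
        if v6:
            cmds.append(base + f"--ip-permissions 'IpProtocol=tcp,FromPort={port},ToPort={port},"
                               f"Ipv6Ranges=[{{CidrIpv6={cidr}}}]'")
        else:
            cmds.append(base + f"--protocol tcp --port {port} --cidr {cidr}")
    for gid in touched:
        if not _already_allows(sgs, gid, port, allowed_cidr):
            cmds.append(f"aws ec2 authorize-security-group-ingress --region {region} --group-id {gid} "
                        f"--protocol tcp --port {port} --cidr {allowed_cidr}")
    return cmds


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DB_INSTANCE, SAMPLE_SECURITY_GROUPS), indent=2))
    for c in remediation_commands(SAMPLE_DB_INSTANCE, SAMPLE_SECURITY_GROUPS, "10.20.0.0/16", "us-east-1"):
        print(c)
```

To use it against a real account, replace the two samples with the output of `aws rds describe-db-instances --db-instance-identifier ...` and `aws ec2 describe-security-groups --group-ids ...` and review the printed commands before running them. The audit deliberately separates the PubliclyAccessible flag (what this rule checks) from flag-plus-open-security-group (what makes the database reachable), since fixing only the flag leaves a group that still admits the whole VPC, and it skips the authorize step when the replacement CIDR is already present.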