Amazon Relational Database Service (RDS) is a web service for setting up, operating, and scaling relational databases in the cloud for your web applications. It is cost-efficient and provides several resizing options for industry-standard relational databases while managing common database administration tasks.
Before deploying provisioned RDS database instances, you should minimize security risks and data loss by checking them for public accessibility and restricting unauthorized access.
A publicly accessible RDS database instance has a DNS name resolving to a public IP address, which leaves it exposed to malicious attacks on the Internet. Modifying the database instance’s "Public accessibility" parameter and VPC security group helps restrict unauthorized access. This is an industry best practice and is required for compliance with standards such as PCI-DSS, HIPAA, GDPR, APRA, MAS, and NIST4.
Finding Publicly Accessible Amazon RDS Instances
You can choose between AWS Console and AWS CLI processes to check and remediate publicly accessible Amazon RDS database instances.
Using the AWS Console
1. Log in to the AWS Management Console.
2. Find the RDS dashboard.
3. On the left menu panel, under "Dashboard," click "Databases."
4. Click the "DB Identifier" of the Amazon RDS database instance to be checked.
5. Under "Connectivity & security," check whether the "Public accessibility" status of the RDS database instance is "Yes."
6. If "Public accessibility" is "Yes," your RDS database is exposed to the Internet and vulnerable to security breaches. To fix this, follow these steps:
A.) Click "Modify" on the top right corner of the page so that the "Modify DB instance" page appears.
B.) Scroll down to find "Additional connectivity configuration" in the "Connectivity" section.
C.) Expand "Additional connectivity configuration" to find the "Not publicly accessible" option under "Public access." Select it to make the RDS database instance private.
D.) Click "Continue" and check the summary of changes.
E.) On the confirmation page, review changes and click "Modify DB instance" to save changes. The change will be applied immediately with no downtime. If you have applications that are using the public IP address, those will be affected by this change.
7. Repeat steps 1 to 6 for other RDS database instances in the current region and for other regions.
Using the AWS CLI
1. To return the "Publicly Accessible" flag status of a provisioned RDS database instance, run the "describe-db-instances" command (macOS/Linux/UNIX), specifying the instance's DB identifier and using the "PubliclyAccessible" and "VpcSecurityGroups" attributes as "--query" filters.
2. Check the output for the instance’s "Publicly Accessible" flag status and VPC security group ID. If the status of the "Publicly Accessible" flag is "true," the RDS database instance is publicly accessible.
3. To return the ingress rules of the security group specified in step 2’s output, run the "describe-security-groups" command (macOS/Linux/UNIX), specifying the security group ID and using the "IpPermissions" parameter as a query filter.
4. Check the output for the CIDR/IP range used by the security group. If the range is 0.0.0.0/0, the rule admits connections from any IPv4 address, and the RDS database instance is vulnerable to security breaches.
To fix this, follow these steps:
A.) Run the "modify-db-instance" command (macOS/Linux/UNIX) to change the RDS instance’s public access setting to "Not publicly accessible."
B.) Check the output for the instance configuration’s pending values.
C.) Run the "revoke-security-group-ingress" command (macOS/Linux/UNIX) to revoke the VPC security group ingress rule with CIDR set to 0.0.0.0/0 (no output).
D.) Run the "authorize-security-group-ingress" command (macOS/Linux/UNIX) to grant custom access to instances in the security group based on:
- Existing EC2 security groups
5. Repeat steps 1 to 4 for other RDS database instances in the current region and for other regions. Switch AWS regions by passing the "--region" option to each command.
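The CLI steps above, written out as a small audit script. This is an added example and not code from the original post: it runs the "describe-db-instances" and "describe-security-groups" queries with the "--query" filters described in steps 1 to 4 and prints, without executing, the "modify-db-instance" and "revoke-security-group-ingress" commands from steps A and C. It assumes AWS CLI v2, credentials allowed rds:DescribeDBInstances and ec2:DescribeSecurityGroups, and a region set via AWS_REGION or "--region"; the "aws" commands are real, the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audits one RDS instance using the
# AWS CLI --query (JMESPath) filters that steps 1-4 describe, then prints (does
# not run) the remediation commands for steps A and C. Assumes AWS CLI v2,
# rds:DescribeDBInstances + ec2:DescribeSecurityGroups, region via AWS_REGION.
set -eu
tab=$(printf '\t')
# Steps 1-2: the instance's Publicly Accessible flag, printed as True/False.
rds_public_flag() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].PubliclyAccessible' --output text
}
# Steps 1-2: VPC security group IDs attached to the instance, one per line.
rds_security_groups() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].VpcSecurityGroups[].VpcSecurityGroupId' \
    --output text | tr '\t' '\n'
}
# Steps 3-4: ingress rules of one security group whose IPv4 range is 0.0.0.0/0,
# as "protocol<TAB>from_port<TAB>to_port" rows; JMESPath does the filtering.
sg_world_open_rules() {
  aws ec2 describe-security-groups --group-ids "$1" \
    --query 'SecurityGroups[0].IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`)].[IpProtocol,FromPort,ToPort]' \
    --output text
}
# Returns 1 if the instance is exposed (public flag set or a world-open rule),
# 0 if it is private, and prints the fix for each finding.
audit_rds_instance() {
  db="$1"; exposed=0
  if [ "$(rds_public_flag "$db")" = "True" ]; then
    exposed=1
    echo "$db: PubliclyAccessible=true -> aws rds modify-db-instance" \
      "--db-instance-identifier $db --no-publicly-accessible --apply-immediately"
  fi
  for sg in $(rds_security_groups "$db"); do
    rules=$(sg_world_open_rules "$sg")
    [ -n "$rules" ] || continue
    exposed=1
    printf '%s\n' "$rules" | while IFS="$tab" read -r proto from to; do
      port=""; [ "$proto" = "-1" ] || port="--port $from-$to"   # -1 means all traffic
      echo "$sg: proto=$proto ports=$from-$to open to 0.0.0.0/0 -> aws ec2 revoke-security-group-ingress" \
        "--group-id $sg --protocol $proto $port --cidr 0.0.0.0/0"
    done
  done
  return "$exposed"
}
[ -z "${1:-}" ] || audit_rds_instance "$1"   # usage: sh audit-rds.sh <db-identifier>
```

Run it once per region with AWS_REGION set; a non-zero exit status means the instance is exposed, and the printed commands are the step A and step C fixes to review before applying.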
Once you have completed these steps, you should also check that you don't have RDS snapshots that are publicly accessible.
Next, you can follow our step-by-step guide on securing RDS snapshots.
Automating Security Checks with Blink
Instead of having to look up the specific command for each of these actions and then running them for each region, you could use a no-code tool like Blink to find and fix vulnerable resources in a couple of clicks. Blink comes with pre-built automations for use cases just like this one, making it easy to enforce CloudOps best practices.
Get started and create your free Blink account today.