Tracking Down Amazon RDS Instances That Are Publicly Accessible

Are your Amazon RDS instances vulnerable? In this post, we show you how to check that your RDS instances are not publicly available and vulnerable.

Patrick Londa, Author
Feb 25, 2022 • 7 min read

Amazon Relational Database Service (RDS) is a web service for setting up, operating, and scaling relational databases in the cloud for your web applications. It is cost-efficient and provides several resizing options for industry-standard relational databases while managing common database administration tasks.

Before deploying provisioned RDS database instances, you should minimize security risks and data loss by checking them for public accessibility and restricting unauthorized access.

A publicly accessible RDS database instance has a DNS name that resolves to a public IP address, which leaves it reachable from the Internet and exposed to attack. Modifying the database instance’s "Public accessibility" parameter and its VPC security group restricts unauthorized access. This is an industry best practice and is required for compliance with standards such as PCI-DSS, HIPAA, GDPR, APRA, MAS, and NIST4.


Finding Publicly Accessible Amazon RDS Instances

You can choose between AWS Console and AWS CLI processes to check and remediate publicly accessible Amazon RDS database instances.

Using the AWS Console

1. Log in to the AWS Management Console.

2. Find the RDS dashboard.

3. On the left menu panel, under "Dashboard," click "Databases."

4. Click the "DB Identifier" of the Amazon RDS database instance to be checked.

5. Under "Connectivity & security," check whether the "Public accessibility" status of the RDS database instance is "Yes."

6. If "Public accessibility" is "Yes," your RDS database is exposed to the Internet and vulnerable to security breaches. To fix this, follow these steps:

A.)  Click "Modify" on the top right corner of the page so that the "Modify DB instance" page appears.

B.)  Scroll down to find "Additional connectivity configuration" in the "Connectivity" section.

C.)  Expand "Additional connectivity configuration" to find the "Not publicly accessible" option under "Public access." Select it to make the RDS database instance private.

D.)  Click "Continue" and check the summary of changes.

E.)  On the confirmation page, review changes and click "Modify DB instance" to save changes. The change will be applied immediately with no downtime. If you have applications that are using the public IP address, those will be affected by this change.

7. Repeat steps 1 to 6 for other RDS database instances in the current region and for other regions.

Using the AWS CLI

1. To return the "Publicly Accessible" flag status of a provisioned RDS database instance, run the "describe-db-instances" command (macOS/Linux/UNIX), specifying the instance’s DB identifier and using a single "--query" expression that selects both the "PubliclyAccessible" flag and the "VpcSecurityGroups" list. (The CLI honors only the last "--query" option given, so the two fields cannot be requested with separate "--query" options.)

aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier oracle-test-db \
    --query 'DBInstances[*].[PubliclyAccessible,VpcSecurityGroups]'

2. Check the output for the instance’s "Publicly Accessible" flag status and VPC security group ID. If the status of the "Publicly Accessible" flag is "true," the RDS database instance is publicly accessible.

[
    [
        true,
        [
            {
                "Status": "active",
                "VpcSecurityGroupId": "tw-946fcf59"
            }
        ]
    ]
]

3. To return the ingress rules of the security group specified in step 2’s output, run the "describe-security-groups" command (macOS/Linux/UNIX), specifying the security group ID and using the "IpPermissions" parameter as a query filter.

aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-ids tw-946fcf59 \
    --query 'SecurityGroups[*].IpPermissions'

4. Check the output for the CIDR/IP range used by the security group. If the range is 0.0.0.0/0, the RDS database instance is vulnerable to security breaches.

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 3306,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 3306,
            "IpProtocol": "tcp"
        }
    ]
]

To fix this, follow these steps:

A.)  Run the "modify-db-instance" command (macOS/Linux/UNIX) to change the RDS instance’s public access setting to "Not publicly accessible."

aws rds modify-db-instance \
    --region us-east-1 \
    --db-instance-identifier oracle-test-db \
    --no-publicly-accessible

B.)  Check the output for the instance configuration’s pending values.

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "testdb",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        ...
        "PendingModifiedValues": {
            "PubliclyAccessible": false
        },
        ...
        "DbiResourceId": "db-JHTRYWUDHDHDHDHDHDMNBZXCFD",
        "CACertificateIdentifier": "rds-ca-2022",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.xx.self",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "oracle-test-db"
    }
}

C.)  Run the "revoke-security-group-ingress" command (macOS/Linux/UNIX) to revoke the VPC security group ingress rule with CIDR set to 0.0.0.0/0 (no output).

aws ec2 revoke-security-group-ingress \
    --region us-east-1 \
    --group-id tw-946fcf59 \
    --protocol tcp \
    --port 3306 \
    --cidr 0.0.0.0/0

D.)  Run the "authorize-security-group-ingress" command (macOS/Linux/UNIX) to grant custom access to instances in the security group based on:

  • IP/CIDR

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id tw-946fcf59 \
    --protocol tcp \
    --port 3306 \
    --cidr 35.74.107.210/32

  • Existing EC2 security groups

aws ec2 authorize-security-group-ingress \
    --region us-east-1 \
    --group-id tw-946fcf59 \
    --protocol tcp \
    --port 3306 \
    --source-group tw-sd92d4e5

5. Repeat steps 1 to 4 for other RDS database instances in the current region and for other regions, changing the region with the "--region" option.
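As an added example (not code from this post or from Blink), the following Python script folds steps 1 to 4 into one check: it reads the same fields the two describe commands return, treats an instance as exposed only when the "PubliclyAccessible" flag is true AND a security group opens the DB port to 0.0.0.0/0 or ::/0, and scan_region() runs the check live for one region through boto3. The instance and security-group ids, the use of boto3, and the sample data at the bottom are assumptions and constructed values.

```python
from typing import Dict, List

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}   # "anywhere" on IPv4 / IPv6

def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if one ingress rule reaches the DB port (TCP range or all-traffic rule)."""
    if rule.get("IpProtocol") == "-1":          # all protocols / all ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def open_cidrs_for_port(ip_permissions: List[Dict], port: int) -> List[str]:
    """World-open CIDRs among the rules that reach the DB port (step 4 of the CLI section)."""
    found = []
    for rule in ip_permissions:
        if not rule_covers_port(rule, port):
            continue
        found += [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") in OPEN_CIDRS]
        found += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_CIDRS]
    return found

def assess_instance(db: Dict, sg_rules: Dict[str, List[Dict]]) -> Dict:
    """Combine the PubliclyAccessible flag (step 2) with the SG ingress rules (steps 3-4)."""
    port = db["Endpoint"]["Port"]
    open_groups = {}
    for sg in db.get("VpcSecurityGroups", []):
        cidrs = open_cidrs_for_port(sg_rules.get(sg["VpcSecurityGroupId"], []), port)
        if cidrs:
            open_groups[sg["VpcSecurityGroupId"]] = cidrs
    public = bool(db.get("PubliclyAccessible"))
    return {"id": db["DBInstanceIdentifier"], "publicly_accessible": public,
            "open_security_groups": open_groups,
            "exposed_to_internet": public and bool(open_groups)}  # needs both conditions

def scan_region(region: str) -> List[Dict]:
    """Live variant for one region (assumes boto3 and AWS credentials; not run offline)."""
    import boto3
    rds, ec2 = boto3.client("rds", region_name=region), boto3.client("ec2", region_name=region)
    results = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        for db in page["DBInstances"]:
            ids = [sg["VpcSecurityGroupId"] for sg in db.get("VpcSecurityGroups", [])]
            groups = ec2.describe_security_groups(GroupIds=ids)["SecurityGroups"] if ids else []
            results.append(assess_instance(db, {g["GroupId"]: g["IpPermissions"] for g in groups}))
    return results

SAMPLE_DB = {"DBInstanceIdentifier": "oracle-test-db", "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
             "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-example"}]}  # constructed; ids are placeholders
SAMPLE_RULES = {"sg-example": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
```

Calling `assess_instance(SAMPLE_DB, SAMPLE_RULES)` reproduces the post's finding (flag true plus a 0.0.0.0/0 rule on 3306), and looping `scan_region()` over the regions you use replaces the manual repeat in step 5.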

Once you have completed these steps, you should then check that you also don't have RDS snapshots that are publicly accessible.

Next, you can follow our step-by-step guide on securing RDS snapshots.

Automating Security Checks with Blink

Instead of having to look up the specific command for each of these actions and then running them for each region, you could use a no-code tool like Blink to find and fix vulnerable resources in a couple of clicks.

With Blink, you can check public access by using an automation like this one:

Blink Automation: Ensure RDS DB Instances Prohibit Public Access in AWS

This automation is available in the Blink library. When it runs, it does the following steps:

  1. Checks if any RDS instances do not prohibit public access.
  2. Sends non-compliant instances in a report via email.

This simple automation is easy to customize. Run it on a schedule or send the report via email, Slack, or Teams.

There are over 5K automations in the Blink library to choose from, or you can build your own to match your unique needs.

Get started with Blink today and see how easy automation can be.
