Aqua CSPM

RDS Publicly Accessible

Quick Info

Plugin Title: RDS Publicly Accessible
Cloud: AWS
Category: RDS
Description: Ensures RDS instances are not launched into the public cloud
More Info: Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be accessed from within a VPC only.
AWS Link: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html
Recommended Action: Remove the public endpoint from the RDS instance

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for RDS.
  3. Scroll down the left navigation panel and choose “Databases”.
  4. Select the “Database” that needs to be verified and click on the selected “Database” from the “DB identifier” column to access the database.
  5. Click on the “Connectivity & Security” tab on the selected database configuration page.
  6. Scroll down the “Connectivity & Security” tab and check the “Security” section. Check “Public Accessibility”; if it is “Yes”, then the selected database can be launched into the public cloud.
  7. Repeat steps number 2 - 6 to check other RDS instances.
  8. Select the “Database” on which “Public Accessibility” needs to be disabled. Click the “Modify” button at the top to make the necessary changes.
  9. Scroll down the “Modify DB Instance” page and check for “Public Accessibility” under “Network & Security”.
  10. On the “Public Accessibility” section under “Network & Security” click on the “No” button.
  11. Scroll down the “Modify DB Instance” page and click on the “Continue” button.
  12. On “Scheduling of modifications”, choose “Apply immediately” so that the above changes are applied as soon as possible, then click on the “Modify DB Instance” button.
  13. Repeat steps number 8 - 12 to remove the public endpoint from the other RDS instances.
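
The same check and fix can be scripted across all instances in a region. The following is an added example, not Aqua's plugin code: it reads output shaped like `aws rds describe-db-instances --output json`, flags every instance with `PubliclyAccessible` set, and builds the matching `aws rds modify-db-instance` command. The sample data, instance names and the `audit` function are constructed for illustration.

```python
import json
import shlex

# Constructed sample shaped like `aws rds describe-db-instances --output json`
# (identifiers and endpoint addresses are made up for this example).
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-prod", "DBInstanceStatus": "available",
   "PubliclyAccessible": true,
   "Endpoint": {"Address": "orders-prod.example.invalid", "Port": 5432}},
  {"DBInstanceIdentifier": "reports-internal", "DBInstanceStatus": "available",
   "PubliclyAccessible": false,
   "Endpoint": {"Address": "reports-internal.example.invalid", "Port": 3306}},
  {"DBInstanceIdentifier": "staging-restore", "DBInstanceStatus": "creating",
   "PubliclyAccessible": true}
]}
""")


def audit(response):
    """Return one finding per instance whose PubliclyAccessible flag is true."""
    findings = []
    for db in response.get("DBInstances", []):
        if not db.get("PubliclyAccessible", False):
            continue  # steps 1-7: "Public Accessibility" is "No"
        ident = db["DBInstanceIdentifier"]
        endpoint = db.get("Endpoint") or {}  # absent while still creating
        findings.append({
            "id": ident,
            "endpoint": endpoint.get("Address"),
            # the instance must be in the "available" state to be modified
            "ready": db.get("DBInstanceStatus") == "available",
            # steps 8-12: set "No" and choose "Apply immediately"
            "fix": shlex.join([
                "aws", "rds", "modify-db-instance",
                "--db-instance-identifier", ident,
                "--no-publicly-accessible", "--apply-immediately"]),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        note = "" if f["ready"] else "  # wait until status is 'available'"
        print(f"{f['id']}: public endpoint {f['endpoint']}")
        print(f"  {f['fix']}{note}")
```

To audit a real account, pass the parsed JSON from `aws rds describe-db-instances --output json` to `audit` in place of the sample, once per region.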