Use Data-Tier Security Group for RDS Databases

01 Identify the ID of the data-tier security group provisioned within your AWS account by following the instructions outlined in this conformity rule.

02 Sign in to your Cloud Conformity console, access Use Data-Tier Security Group for RDS Databases conformity rule settings and identify the tag set defined for all AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

03 Sign in to AWS Management Console.

04 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

05 In the left navigation panel, under Amazon RDS, click Instances.

06 Select the RDS database instance that you want to examine.

07 Scroll down and locate the Tags configuration section.

08 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <data_tier_tag> : <data_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged at all, the selected RDS instance is not a component of your data tier and the audit process ends here. If the tag sets match, the selected resource is a data-tier RDS database instance and the audit process continues with the next step.

09 Scroll up to find the Details panel and check the ID of the associated security group (e.g. sg-abcd1234), set as value for the Security Groups configuration attribute. Compare the associated security group ID with the ID of the data-tier group identified at step no. 1. If these two identifiers do not match, the data-tier security group is not currently assigned to the selected data-tier AWS RDS instance.

10 Repeat steps no. 6 –9 to check other data-tier RDS instances, provisioned in the selected region, for any association with the data-tier security group.

11 If necessary, change the AWS region from the navigation bar and repeat steps no. 6 – 10 for other regions.

01 Find the ID of the data-tier security group available within your AWS account by following the instructions outlined in this conformity rule.

02 Sign in to your Cloud Conformity console, access Use Data-Tier Security Group for RDS Databases conformity rule settings and identify the tag set defined for AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

03 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of all AWS RDS database instances provisioned in the selected region:

aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceArn'

04 The command output should return a list with the requested ARNs:

[
    "arn:aws:rds:us-west-2:123456789012:db:cc-project5-database",
    "arn:aws:rds:us-west-2:123456789012:db:cc-sql-srv-database",
    "arn:aws:rds:us-west-2:123456789012:db:cc-staging-database"
]

05 Run list-tags-for-resource command (OSX/Linux/UNIX) using the ARN of the database instance that you want to examine as parameter and custom query filters to describe the tags defined for the selected AWS RDS resource:

aws rds list-tags-for-resource
	--region us-east-1
	--resource-name arn:aws:rds:us-west-2:123456789012:db:cc-project5-database
	--query 'TagList[*].{Value:Value, Key:Key}'

06 The command request should return one of the following outputs:

1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified database instance is not tagged, therefore the audit process for the selected resource stops here:
   []
   

2. If the command output returns a set of tags that is different than the one copied at step no. 2, as shown in the example below, the verified instance does not belong to your data tier, hence the audit process for the selected resource stops here:
   [
       {
           "Key": "Workload",
           "Value": "MySqlDB"
       }
   ]
   

07 If the describe-tags command output returns a set of tags that match the one copied at step no. 2 (e.g. :), as shown in the example below, the verified Amazon RDS database instance is tagged as a data-tier resource, therefore the audit process continues with the next step:

[
    {
        "Key": "<data_tier_tag>",
        "Value": "<data_tier_tag_value>"
    }
]

08 Execute describe-db-instances command (OSX/Linux/UNIX) using the ARN of the data-tier RDS instance that you want to examine as identifier and custom query filters to return the information about the security group associated with the selected database instance:

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier arn:aws:rds:us-west-2:123456789012:db:cc-project5-database
	--query "DBInstances[*].VpcSecurityGroups[]"

09 Repeat steps no. 5 – 8 to check other data-tier RDS instances, available in the selected region, for association with the data-tier security group.

10 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 to perform the audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS section, choose Instances.

04 Choose the RDS database instance that you want to reconfigure (see Audit section part I to identify the right resource) then click on its name (link).

05 Scroll down to the Details section then click the Modify button.

06 In the Network & Security configuration box, remove the noncompliant security group by clicking the x button next to its name, then select the security group created for the data tier. If the dedicated data-tier security group is not available within the selected region, follow the instructions presented in this conformity rule to create one.

07 Once the security group is replaced within the instance configuration, click Continue.

08 On Modify DB Instance: <instance_name> page, in the Scheduling of Modifications section, choose whether to apply the changes immediately or wait and apply them automatically during the next scheduled maintenance window.

09 Click Modify DB Instance to complete the reconfiguration process.

10 Repeat steps no. 4 – 9 to reconfigure other data-tier RDS instances, deployed in the selected region, to use the data-tier security group.

11 If necessary, change the AWS region from the navigation bar and repeat steps no. 4 – 10 for other regions.

01 Run modify-db-instance command (OSX/Linux/UNIX) using the name of the RDS database instance that you want to reconfigure as identifier (see Audit section part II to identify the right RDS resource) and the data-tier security group ID as parameter to replace the existing security group with the compliant one, within the configuration of the selected Amazon RDS instance. If the dedicated data-tier security group is not available within the selected region, follow the steps presented in this conformity rule to create one. Use --apply-immediately parameter to apply the changes asynchronously and as soon as possible and --no-apply-immediately to apply them during the next scheduled maintenance window:

aws rds modify-db-instance
	--region us-east-1
	--db-instance-identifier cc-project5-database
	--vpc-security-group-ids sg-12345678
	--no-apply-immediately

02 The command output should return the modified database instance metadata:

{
    "DBInstance": {
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-12345678"
            }
        ],

        ...

        "DBInstanceStatus": "available",
        "AvailabilityZone": "us-east-1a",
        "StorageType": "gp2",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m4.xlarge",
        "DBInstanceIdentifier": "cc-project5-database"
    }
}

03 Repeat step no. 1 and 2 to check other data-tier RDS instances, provisioned in the selected region, for association with the data-tier security group.

04 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire process for other regions.