
Unrestricted DB Security Group

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-001

Ensure that your AWS RDS DB security groups do not allow ingress from 0.0.0.0/0 (i.e. from anywhere: any host that can reach the database endpoint) in order to reduce the risk of unauthorized access.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, refer to the Conformity compliance documentation.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When RDS DB security groups allow unrestricted access (0.0.0.0/0), any host on the Internet can open a connection to your RDS database instances, so the only thing standing between an attacker and your data is the database engine's own authentication. This increases the opportunity for malicious activity such as password guessing, exploitation of the database engine or denial-of-service (DoS) attacks.

Note: This guide is intended only for the AWS accounts created before 2013.12.04 that support both EC2-Classic and EC2-VPC. If your AWS account was created after that date, it supports only EC2-VPC, which means that your RDS instances were created in a VPC (default or non-default) that is using VPC security groups instead of DB security groups.


Audit

To determine if your existing RDS DB security groups allow unrestricted access, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Security Groups. If there are no DB security groups available and the following message is displayed: “Your account does not support the EC2-Classic Platform in this region. DB Security Groups are only needed when the EC2-Classic Platform is supported.”, your RDS database instances are not using DB security groups and this rule does not apply. Otherwise, continue with the next step.

04 Select the DB security group that you want to examine and click on the details button (magnifying glass icon).

05 Check the CIDR/IP value listed in the Details column for each authorized connection. If the security group contains any rule that has the CIDR/IP set to 0.0.0.0/0 and the Status set to authorized, the selected DB security group configuration is insecure and does not restrict access to the database instance(s).

06 Repeat steps no. 4 – 5 for each DB security group available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-security-groups command (OSX/Linux/UNIX) to list the names of all RDS DB security groups available in the selected AWS region:

aws rds describe-db-security-groups \
	--region us-east-1 \
	--query 'DBSecurityGroups[*].DBSecurityGroupName'

02 The command output should return each DB security group identifier:

[
    "default",
    "MySQLDatabaseSG"
]

03 Run describe-db-security-groups command (OSX/Linux/UNIX) again, using a security group name as the filter parameter, to determine if the selected DB security group allows unrestricted access:

aws rds describe-db-security-groups \
	--region us-east-1 \
	--db-security-group-name MySQLDatabaseSG

04 The command output should return the security group metadata. If the security group contains any IPRanges entry that has the CIDRIP value set to “0.0.0.0/0” and the Status value set to “authorized”, the selected DB security group configuration is insecure and does not restrict access to the database instance(s):

{
    "DBSecurityGroups": [
        {
            "VpcId": "vpc-f7ac5792",
            "DBSecurityGroupDescription": "RDS MySQL DB Security Group",
            "IPRanges": [
                {
                    "Status": "authorized",
                    "CIDRIP": "0.0.0.0/0"
                },
                {
                    "Status": "authorized",
                    "CIDRIP": "54.89.104.107/32"
                }
            ],
            "OwnerId": "123456789012",
            "EC2SecurityGroups": [],
            "DBSecurityGroupName": "MySQLDatabaseSG"
        }
    ]
}

05 Repeat steps no. 1 – 4 for each DB security group available in the current region. Change the AWS region by using the --region parameter to repeat the process for other regions.

Remediation / Resolution

To update your RDS DB security groups configuration in order to restrict access, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under RDS Dashboard, click Security Groups.

04 Select the DB security group that you want to update and click on the details button (magnifying glass icon).

05 On the security group details page, identify any ingress rules that have the CIDR/IP value set to 0.0.0.0/0 and Status value to authorized and revoke them by clicking the Remove button next to each insecure rule. The revoked rule status will change from authorized to revoking. Once the revoking process is complete, the rule will be removed from the selected DB security group.

06 To authorize custom (secure) access to all instances that are associated with the selected DB security group, perform one of the following actions:

  1. To grant access to a certain IP address (e.g. application server instance IP):
    • Select CIDR/IP from the Connection Type dropdown list.
    • Enter the IP address CIDR (e.g. 54.89.104.107/32) that you want to authorize in the CIDR/IP to Authorize* field.
    • Click the Authorize button to add the rule.
  2. To grant access to an EC2 Security Group (e.g. application server EC2 security group):
    • Select EC2 Security Group from the Connection Type dropdown list.
    • Next to This account, select AWS Account to use a local security group or Another account to use another AWS account security group.
    • Select the security group name from the EC2 Security Group Name dropdown list.
    • Click the Authorize button to add the newly created rule.

07 Repeat steps no. 4 – 6 for each DB security group that you want to update, available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-db-security-groups command (OSX/Linux/UNIX) to list the names of all RDS DB security groups available in the selected AWS region:

aws rds describe-db-security-groups \
	--region us-east-1 \
	--query 'DBSecurityGroups[*].DBSecurityGroupName'

02 The command output should return each DB security group identifier:

[
    "default",
    "MySQLDatabaseSG"
]

03 Run describe-db-security-groups command (OSX/Linux/UNIX) again, using a security group name as the filter parameter, to determine if the selected DB security group allows unrestricted access:

aws rds describe-db-security-groups \
	--region us-east-1 \
	--db-security-group-name MySQLDatabaseSG

04 The command output should return the security group metadata. If the security group contains any IPRanges entry that has the CIDRIP value set to “0.0.0.0/0” and the Status set to “authorized”, the selected DB security group configuration is insecure and needs to be updated:

{
    "DBSecurityGroups": [
        {
            "VpcId": "vpc-f7ac5792",
            "DBSecurityGroupDescription": "RDS MySQL DB Security Group",
            "IPRanges": [
                {
                    "Status": "authorized",
                    "CIDRIP": "0.0.0.0/0"
                },
                {
                    "Status": "authorized",
                    "CIDRIP": "54.89.104.107/32"
                }
            ],
            "OwnerId": "123456789012",
            "EC2SecurityGroups": [],
            "DBSecurityGroupName": "MySQLDatabaseSG"
        }
    ]
}

05 Run revoke-db-security-group-ingress command (OSX/Linux/UNIX) to revoke the DB security group ingress rule with the CIDR set to 0.0.0.0/0 that grants access to everyone:

aws rds revoke-db-security-group-ingress \
	--region us-east-1 \
	--db-security-group-name MySQLDatabaseSG \
	--cidrip 0.0.0.0/0

06 The command output should return the revoked rule with its status set to revoking (the rule disappears from the security group once the revoke completes):

SECGROUP  MySQLDatabaseSG  RDS MySQL DB Security Group
IP-RANGE  0.0.0.0/0   revoking

07 Case A: Authorization based on IP/CIDR. Run authorize-db-security-group-ingress command (OSX/Linux/UNIX) to authorize access from a specific IP/CIDR (e.g. the application server's address) to the instances associated with the selected DB security group:

aws rds authorize-db-security-group-ingress \
	--region us-east-1 \
	--db-security-group-name MySQLDatabaseSG \
	--cidrip 54.89.104.108/32

08 The command output should return the CIDR added to the security group, with its status set to authorizing:

SECGROUP  MySQLDatabaseSG  RDS MySQL DB Security Group
IP-RANGE  54.89.104.108/32   authorizing

09 Case B: Authorization based on EC2 security group. Run authorize-db-security-group-ingress command (OSX/Linux/UNIX) to authorize access from the members of an existing EC2 security group (e.g. the application server's security group). When referencing the group by name, the AWS account that owns it must also be supplied with --ec2-security-group-owner-id. If the DB security group belongs to a VPC (the metadata returned at step 4 contains a VpcId), reference the EC2 security group by its ID with --ec2-security-group-id instead of by name:

aws rds authorize-db-security-group-ingress \
	--region us-east-1 \
	--db-security-group-name MySQLDatabaseSG \
	--ec2-security-group-name EC2WebAppSG \
	--ec2-security-group-owner-id 123456789012

10 The command output should return the EC2 security group added to the DB security group, with its status set to authorizing:

SECGROUP  MySQLDatabaseSG  RDS MySQL DB Security Group
EC2-SECGROUP EC2WebAppSG 123456789012 authorizing

11 Repeat steps no. 1 – 10 for each DB security group that you want to update, available in the current region. Change the AWS region by using the --region parameter to repeat the process for other regions.
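The Audit and Remediation CLI procedures above both boil down to the same check: walk every IPRanges entry returned by describe-db-security-groups and look for an effective rule that covers the whole Internet. The script below automates that check and prints the exact revoke-db-security-group-ingress command for each finding. It is an added example, not code from the Conformity rule page or from AWS, and it runs offline on a saved describe-db-security-groups response (or on the constructed sample embedded in it). Two choices go beyond the rule text and are assumptions of this example: a rule in the "authorizing" state is treated as effective, since it is about to grant access, and the CIDR is normalised with the ipaddress module so that any /0 network (not only the literal string 0.0.0.0/0) is flagged.

```python
"""Audit RDS DB security groups for unrestricted ingress and emit the matching
revoke commands.

Added example; not part of the Conformity rule page or the AWS CLI. Works on
the JSON that `aws rds describe-db-security-groups` returns, so it can be run
offline against a saved response:

    aws rds describe-db-security-groups --region us-east-1 > dbsg.json
    python audit_dbsg.py dbsg.json
"""
import ipaddress
import json
import sys

# Rules in these states currently grant, or are about to grant, access.
# Treating "authorizing" as effective is an assumption of this example; the
# rule page only mentions "authorized". Rules in "revoking" state are ignored.
EFFECTIVE_STATES = {"authorized", "authorizing"}


def is_unrestricted(cidr):
    """True if the CIDR covers the whole IPv4 address space.

    Normalising with strict=False means '1.2.3.4/0' is treated like
    '0.0.0.0/0' (both cover every address), which a plain string comparison
    against '0.0.0.0/0' would miss. Unparseable input is not flagged."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def find_open_ingress(response):
    """Return [(group_name, cidr, status)] for every effective IP rule that
    grants access to everyone, given a describe-db-security-groups response."""
    findings = []
    for group in response.get("DBSecurityGroups", []):
        for rule in group.get("IPRanges", []):
            if rule.get("Status") in EFFECTIVE_STATES and is_unrestricted(rule.get("CIDRIP", "")):
                findings.append((group["DBSecurityGroupName"], rule["CIDRIP"], rule["Status"]))
    return findings


def revoke_commands(findings, region):
    """Build the revoke-db-security-group-ingress command for each open rule.
    The commands are shown to the operator, not executed."""
    return [
        "aws rds revoke-db-security-group-ingress --region {} "
        "--db-security-group-name {} --cidrip {}".format(region, name, cidr)
        for name, cidr, _status in findings
    ]


# Constructed sample response mirroring the page's example output. The
# "default" group has a 0.0.0.0/0 rule that is already being revoked, so it
# must not be reported; MySQLDatabaseSG still has an authorized one.
SAMPLE_RESPONSE = {
    "DBSecurityGroups": [
        {
            "DBSecurityGroupName": "default",
            "DBSecurityGroupDescription": "default",
            "OwnerId": "123456789012",
            "IPRanges": [
                {"Status": "revoking", "CIDRIP": "0.0.0.0/0"},
                {"Status": "authorized", "CIDRIP": "10.0.0.0/16"},
            ],
            "EC2SecurityGroups": [],
        },
        {
            "DBSecurityGroupName": "MySQLDatabaseSG",
            "DBSecurityGroupDescription": "RDS MySQL DB Security Group",
            "OwnerId": "123456789012",
            "VpcId": "vpc-f7ac5792",
            "IPRanges": [
                {"Status": "authorized", "CIDRIP": "0.0.0.0/0"},
                {"Status": "authorized", "CIDRIP": "54.89.104.107/32"},
            ],
            "EC2SecurityGroups": [],
        },
    ]
}


def audit(response, region="us-east-1"):
    """Print each finding and its remediation command; return the findings."""
    findings = find_open_ingress(response)
    for name, cidr, status in findings:
        print("INSECURE  {}  {}  {}".format(name, cidr, status))
    for cmd in revoke_commands(findings, region):
        print(cmd)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_RESPONSE
    # Non-zero exit when anything is open, so the script can gate a pipeline.
    sys.exit(1 if audit(data) else 0)
```

Run it once per region (the saved response is region-scoped, just like the describe-db-security-groups call) and review the printed revoke commands before executing them, then add back the specific CIDR or EC2 security group rules the application actually needs as in Case A or Case B above.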


Publication date May 5, 2016