Ensure that your AWS RDS DB security groups do not allow access from 0.0.0.0/0 (i.e. from anywhere: any machine that can reach the database endpoint) in order to reduce the risk of unauthorized access.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When RDS DB security groups allow unrestricted access (0.0.0.0/0), everyone and everything on the Internet can make a connection to your RDS database resources and this can increase the opportunity for malicious activities such as hacking or denial-of-service (DoS) attacks.
Note: This guide is intended only for the AWS accounts created before 2013.12.04 that support both EC2-Classic and EC2-VPC. If your AWS account was created after that date, it supports only EC2-VPC, which means that your RDS instances were created in a VPC (default or non-default) that is using VPC security groups instead of DB security groups.
Audit
To determine if your existing RDS DB security groups allow unrestricted access, perform the following:
Remediation / Resolution
To update your RDS DB security groups configuration in order to restrict access, perform the following:
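As an added example that is not part of the original page or of Conformity's own tooling, the following Python script covers both the audit step and the remediation step above using the three CLI commands listed under References. It parses the JSON that `aws rds describe-db-security-groups` returns, flags every IP range rule that allows access from anywhere (0.0.0.0/0, and more generally any prefix of length 0), and prints the `revoke-db-security-group-ingress` / `authorize-db-security-group-ingress` commands that would restrict each offending group to an operator-supplied trusted CIDR. The sample JSON, the group names and the trusted CIDR `10.20.0.0/16` are constructed for the example and are assumptions, not values from the page.

```python
"""Added example (not from the Conformity rule page or AWS tooling):
audit `aws rds describe-db-security-groups` output for DB security groups
that allow access from anywhere, and build the CLI commands to restrict them.
"""
import ipaddress
import json
import shlex

# Constructed sample shaped like `aws rds describe-db-security-groups --output json`.
# Account ID, group names and CIDRs are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBSecurityGroups": [
        {
            "OwnerId": "123456789012",
            "DBSecurityGroupName": "prod-rds-sg",
            "DBSecurityGroupDescription": "production database access",
            "EC2SecurityGroups": [],
            "IPRanges": [
                {"Status": "authorized", "CIDRIP": "0.0.0.0/0"},     # the finding
                {"Status": "authorized", "CIDRIP": "10.20.0.0/16"},
            ],
        },
        {
            "OwnerId": "123456789012",
            "DBSecurityGroupName": "internal-rds-sg",
            "DBSecurityGroupDescription": "app-tier access only",
            "EC2SecurityGroups": [
                {"Status": "authorized", "EC2SecurityGroupName": "app-tier",
                 "EC2SecurityGroupOwnerId": "123456789012"}
            ],
            "IPRanges": [{"Status": "authorized", "CIDRIP": "10.20.1.0/24"}],
        },
    ]
})


def is_open_to_world(cidr: str) -> bool:
    """True for a CIDR that matches every address (prefix length 0), e.g. 0.0.0.0/0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed value: not an "anywhere" rule, review it separately


def find_unrestricted_groups(describe_output: str) -> list:
    """Return (group name, offending CIDR, rule status) for each IP range rule
    that allows access from anywhere. This is the audit step."""
    findings = []
    data = json.loads(describe_output)
    for group in data.get("DBSecurityGroups", []):
        name = group["DBSecurityGroupName"]
        for ip_range in group.get("IPRanges", []):
            cidr = ip_range.get("CIDRIP", "")
            if is_open_to_world(cidr):
                findings.append((name, cidr, ip_range.get("Status", "")))
    return findings


def remediation_commands(findings, trusted_cidr: str) -> list:
    """Build the remediation commands: revoke each open rule, then authorize
    only `trusted_cidr` (an operator-supplied assumption) once per group."""
    ipaddress.ip_network(trusted_cidr)  # refuse to emit an invalid replacement
    if is_open_to_world(trusted_cidr):
        raise ValueError("replacement CIDR must not itself allow access from anywhere")
    commands = []
    already_authorized = set()
    for name, cidr, _status in findings:
        quoted = shlex.quote(name)
        commands.append(
            f"aws rds revoke-db-security-group-ingress "
            f"--db-security-group-name {quoted} --cidrip {cidr}"
        )
        if name not in already_authorized:
            already_authorized.add(name)
            commands.append(
                f"aws rds authorize-db-security-group-ingress "
                f"--db-security-group-name {quoted} --cidrip {trusted_cidr}"
            )
    return commands


if __name__ == "__main__":
    hits = find_unrestricted_groups(SAMPLE_DESCRIBE_OUTPUT)
    for name, cidr, status in hits:
        print(f"NON-COMPLIANT: {name} allows {cidr} (status: {status})")
    for cmd in remediation_commands(hits, "10.20.0.0/16"):
        print(cmd)
```

In practice, pipe the real `aws rds describe-db-security-groups --output json` output into `find_unrestricted_groups` and review the printed commands before running them; the script deliberately prints rather than executes so the change stays under operator control, and it rejects a replacement CIDR that would reintroduce the same exposure.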
References
- AWS Documentation
- Amazon RDS FAQs
- Security in Amazon RDS
- Amazon RDS Security Groups
- Working with DB Security Groups
- AWS Command Line Interface (CLI) Documentation
- rds
- describe-db-security-groups
- revoke-db-security-group-ingress
- authorize-db-security-group-ingress