Use Data-Tier Security Group for RDS Databases

Risk Level: Medium (should be achieved)

Ensure that your Amazon RDS instances are using the dedicated data-tier security group in order to control and secure the access to their databases. This rule assumes that all AWS resources provisioned for your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> represents the tag name and <data_tier_tag_value> represents the tag value. Before this rule runs, the data-tier tags must be configured in the rule settings, on your TrendAI Vision One™ Cloud Risk Management Dashboard.

Security

The network access to your managed data tier must be tightly controlled using the security group created specifically for the AWS resources within this tier.

Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the rule content with your own tag name and value created for the data tier.

Audit

To determine if your data-tier RDS instances are configured to use the security group created for the same tier, perform the following:

Using AWS Console

Identify the ID of the data-tier security group provisioned within your AWS account by following the instructions outlined in this rule.
Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Use Data-Tier Security Group for RDS Databases rule settings and identify the tag set defined for all AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).
Sign in to AWS Management Console.
Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.
In the left navigation panel, under Amazon RDS, click Instances.
Select the RDS database instance that you want to examine.
Scroll down and locate the Tags configuration section.
On the Tags panel, search for the tag set identified at step no. 1 (i.e. <data_tier_tag> : <data_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged at all, the selected RDS instance is not a component of your data tier and the audit process ends here. If the tag sets match, the selected resource is a data-tier RDS database instance and the audit process continues with the next step.
Scroll up to find the Details panel and check the ID of the associated security group (e.g. sg-abcd1234), set as value for the Security Groups configuration attribute. Compare the associated security group ID with the ID of the data-tier group identified at step no. 1. If these two identifiers do not match, the data-tier security group is not currently assigned to the selected data-tier AWS RDS instance.
Repeat steps no. 6 –9 to check other data-tier RDS instances, provisioned in the selected region, for any association with the data-tier security group.
If necessary, change the AWS region from the navigation bar and repeat steps no. 6 – 10 for other regions.

Using AWS CLI

Find the ID of the data-tier security group available within your AWS account by following the instructions outlined in this rule.
Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Use Data-Tier Security Group for RDS Databases rule settings and identify the tag set defined for AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).
Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of all AWS RDS database instances provisioned in the selected region:
```
aws rds describe-db-instances
	--region us-east-1
	--query 'DBInstances[*].DBInstanceArn'
```

The command output should return a list with the requested ARNs:

[
    "arn:aws:rds:us-west-2:123456789012:db:cc-project5-database",
    "arn:aws:rds:us-west-2:123456789012:db:cc-sql-srv-database",
    "arn:aws:rds:us-west-2:123456789012:db:cc-staging-database"
]

Run list-tags-for-resource command (OSX/Linux/UNIX) using the ARN of the database instance that you want to examine as parameter and custom query filters to describe the tags defined for the selected AWS RDS resource:
```
aws rds list-tags-for-resource
	--region us-east-1
	--resource-name arn:aws:rds:us-west-2:123456789012:db:cc-project5-database
	--query 'TagList[*].{Value:Value, Key:Key}'
```
The command request should return one of the following outputs:
1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified database instance is not tagged, therefore the audit process for the selected resource stops here:
```
	[]
	
```
2. If the command output returns a set of tags that is different than the one copied at step no. 2, as shown in the example below, the verified instance does not belong to your data tier, hence the audit process for the selected resource stops here:
```
	[
	    {
	        "Key": "Workload",
	        "Value": "MySqlDB"
	    }
	]
	
```
If the describe-tags command output returns a set of tags that match the one copied at step no. 2 (e.g. :), as shown in the example below, the verified Amazon RDS database instance is tagged as a data-tier resource, therefore the audit process continues with the next step:
```
[
    {
        "Key": "<data_tier_tag>",
        "Value": "<data_tier_tag_value>"
    }
]
```
Execute describe-db-instances command (OSX/Linux/UNIX) using the ARN of the data-tier RDS instance that you want to examine as identifier and custom query filters to return the information about the security group associated with the selected database instance:
```
aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier arn:aws:rds:us-west-2:123456789012:db:cc-project5-database
	--query "DBInstances[*].VpcSecurityGroups[]"
```
Compare the assigned security group ID, returned at the previous step as value for the VpcSecurityGroupId attribute, with the ID of the data-tier group identified at step no. 1. If these two identifiers do not match, the data-tier security group is not associated with the selected data-tier AWS RDS instance.
Repeat steps no. 5 – 8 to check other data-tier RDS instances, available in the selected region, for association with the data-tier security group.
If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 to perform the audit process for other regions.

Remediation / Resolution

To reconfigure your Amazon RDS database instances in order to use the data-tier security group, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.
In the navigation panel, under Amazon RDS section, choose Instances.
Choose the RDS database instance that you want to reconfigure (see Audit section part I to identify the right resource) then click on its name (link).
Scroll down to the Details section then click the Modify button.
In the Network & Security configuration box, remove the noncompliant security group by clicking the x button next to its name, then select the security group created for the data tier. If the dedicated data-tier security group is not available within the selected region, follow the instructions presented in this rule to create one.
Once the security group is replaced within the instance configuration, click Continue.
On Modify DB Instance: <instance_name> page, in the Scheduling of Modifications section, choose whether to apply the changes immediately or wait and apply them automatically during the next scheduled maintenance window.
Click Modify DB Instance to complete the reconfiguration process.
Repeat steps no. 4 – 9 to reconfigure other data-tier RDS instances, deployed in the selected region, to use the data-tier security group.
If necessary, change the AWS region from the navigation bar and repeat steps no. 4 – 10 for other regions.

Using AWS CLI

Run modify-db-instance command (OSX/Linux/UNIX) using the name of the RDS database instance that you want to reconfigure as identifier (see Audit section part II to identify the right RDS resource) and the data-tier security group ID as parameter to replace the existing security group with the compliant one, within the configuration of the selected Amazon RDS instance. If the dedicated data-tier security group is not available within the selected region, follow the steps presented in this rule to create one. Use --apply-immediately parameter to apply the changes asynchronously and as soon as possible and --no-apply-immediately to apply them during the next scheduled maintenance window:
```
aws rds modify-db-instance
	--region us-east-1
	--db-instance-identifier cc-project5-database
	--vpc-security-group-ids sg-12345678
	--no-apply-immediately
```

The command output should return the modified database instance metadata:

{
    "DBInstance": {
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-12345678"
            }
        ],

        ...

        "DBInstanceStatus": "available",
        "AvailabilityZone": "us-east-1a",
        "StorageType": "gp2",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m4.xlarge",
        "DBInstanceIdentifier": "cc-project5-database"
    }
}

Repeat step no. 1 and 2 to check other data-tier RDS instances, provisioned in the selected region, for association with the data-tier security group.
If required, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
rds
describe-db-instances
list-tags-for-resource
describe-db-instances
modify-db-instance

Publication date Aug 31, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related RDS rules