Profile Applicability:

  • Level 1


Description:

This control ensures that Amazon Relational Database Service (RDS) instances are not publicly accessible over the internet. A publicly accessible RDS instance can be reached from any IP address outside the organization’s private network, increasing the risk of unauthorized access, brute-force attacks, and data breaches. Instances should be placed in private subnets or have their public accessibility flag set to false.


Rationale:

RDS instances often store sensitive information, including customer data, credentials, and financial records. Exposing these databases to the public internet significantly increases attack surface and risk. Restricting public accessibility ensures that only internal applications or authorized users within the private network (e.g., VPC, VPN, or Direct Connect) can connect to the database, aligning with the principle of least privilege and network segmentation best practices.


Impact:

  • Positive Impact: Reduces risk of unauthorized access, data exfiltration, and exploitation. Ensures compliance with data protection and security standards (SOC 2, ISO 27001, HIPAA, PCI DSS, CIS). Strengthens overall network security posture.
  • Negative Impact: Instances that require legitimate external access (e.g., from trusted vendors or management systems) must be accessed through bastion hosts or VPN tunnels, requiring additional setup.


Default Value:

By default, RDS instances created using the AWS Management Console have the Publicly Accessible flag set to No, unless explicitly configured to be publicly available.


Pre-Requisite:

  • IAM permissions required: rds:DescribeDBInstances, rds:ModifyDBInstance.

  • Knowledge of which RDS instances must remain accessible internally and which should be private.


Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS → Databases.

  3. In the database list, review the Public accessibility column.

  4. Ensure all RDS instances display No under Public accessibility.

  5. For detailed verification:

    • Select the instance.

    • Under the Connectivity & security tab, check that Publicly accessible is set to No.

    • Confirm that the associated VPC subnet group is configured to use private subnets only.

  6. If any instance shows Yes, it is non-compliant and must be updated.
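The two checks in the test plan above (the Publicly accessible flag and the subnet group using only private subnets) expressed as an added audit script; this is example code, not part of the benchmark or an AWS tool. It operates on the response shapes of rds:DescribeDBInstances and ec2:DescribeRouteTables so it can be fed live output or, as here, constructed sample data; the instance names, subnet IDs and gateway IDs are invented.

```python
"""Audit RDS instances for this control: PubliclyAccessible must be false and
every subnet in the DB subnet group must be private (no 0.0.0.0/0 route to an
internet gateway). Input dicts mirror the rds:DescribeDBInstances and
ec2:DescribeRouteTables API responses; the sample data below is constructed."""
from typing import Dict, List

def public_subnet_ids(route_tables: List[dict]) -> set:
    """Subnet IDs whose route table sends 0.0.0.0/0 to an igw-* gateway."""
    public = set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rt.get("Routes", [])):
            public.update(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)
    return public

def audit(db_instances: dict, route_tables: List[dict]) -> Dict[str, List[str]]:
    """Map each DB instance identifier to its findings; an empty list means compliant."""
    public_subnets = public_subnet_ids(route_tables)
    report = {}
    for db in db_instances.get("DBInstances", []):
        findings = []
        if db.get("PubliclyAccessible"):          # the console's "Publicly accessible: Yes"
            findings.append("PubliclyAccessible is true")
        for subnet in db.get("DBSubnetGroup", {}).get("Subnets", []):
            sid = subnet.get("SubnetIdentifier")
            if sid in public_subnets:             # flag off, but the subnet itself is public
                findings.append(f"subnet {sid} routes 0.0.0.0/0 to an internet gateway")
        report[db["DBInstanceIdentifier"]] = findings
    return report

# Constructed sample: one compliant instance, one with the flag set, one in a public subnet.
SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv-a"}]}},
    {"DBInstanceIdentifier": "reporting-db", "PubliclyAccessible": True,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv-a"}]}},
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub-b"}]}},
]}
SAMPLE_ROUTE_TABLES = [  # private subnet egresses via NAT gateway; public subnet via IGW
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
    {"Associations": [{"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DB_INSTANCES, SAMPLE_ROUTE_TABLES).items():
        print(f"{name}: {'COMPLIANT' if not findings else '; '.join(findings)}")
```

Subnets with no explicit route-table association inherit the VPC main route table, which this simplified check does not resolve; include the main table's associations when running it against live output.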



Implementation Plan:

Using AWS Console:

  1. Navigate to Amazon RDS → Databases.

  2. Select the publicly accessible instance.

  3. Choose Modify from the top-right corner.

  4. Under Connectivity, find the Public access section.

  5. Set Publicly accessible to No.

  6. Verify that the instance is part of a private subnet within your VPC.

  7. Choose Continue → Modify DB Instance.

  8. If prompted, choose to Apply immediately or during the next maintenance window.

  9. Validate connectivity by testing access from within the VPC to ensure applications still function correctly.


Backout Plan:

Using AWS Console:

  1. If legitimate access from outside the VPC is disrupted:
    • Create a bastion host or VPN connection within the VPC for secure remote access.
    • Alternatively, re-enable public accessibility temporarily (if absolutely required) and immediately restrict inbound traffic through security group rules to trusted IP addresses only.
  2. Document the exception and ensure it undergoes a security review.


References: