AWS RDS Snapshots Are Accessible To Public

This policy identifies AWS RDS snapshots that are accessible to the public. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. If an RDS snapshot is inadvertently shared with the public, any unauthorized user with an AWS account can access the snapshot and the sensitive data it contains.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform, CloudFormation

Build Rules

AWS RDS snapshots are accessible to the public.
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')] exists and $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')].Properties.PubliclyAccessible anyTrue
Terraform
$.resource[*].aws_db_instance exists and ($.resource[*].aws_db_instance[*].*[*].publicly_accessible !exists or $.resource[*].aws_db_instance[*].*[*].publicly_accessible anyTrue)
Recommendations:
  • CloudFormation
    Recommended solution for making sure that RDS instances are not accessible to the public.
    It is recommended that RDS snapshots are not accessible to the public. Please make sure that if the "PubliclyAccessible" attribute exists, it is set to "false".
    For example:
    "rdsagoyal21postgreuswest1db": { "Type": "AWS::RDS::DBInstance", "Properties": { "PubliclyAccessible": "false", "StorageType": "gp2", "BackupRetentionPeriod": "0" } }
  • Terraform
    Recommended solution for making sure RDS snapshots are not accessible to the public.
    Ensure that AWS RDS snapshots are not accessible to the public. Please make sure the "publicly_accessible" attribute is set to false in the "aws_db_instance" block.
    For example:
    "aws_db_instance": [ { "<db_instance_name>": [ { "instance_class": "db.t2.micro", "name": "mydb", "password": "foobarbaz", "publicly_accessible": false, "storage_type": "gp2", "username": "foo" } ] } ]
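The two build rules above are expressed as Prisma Cloud JSON queries. The following is an added example (not Prisma Cloud's own rule engine) that applies the same logic in plain Python to a parsed CloudFormation template and to a Terraform document in the JSON form shown above. It handles the edge cases the queries imply: CloudFormation lets "PubliclyAccessible" be written as the string "true"/"false" rather than a boolean, and the Terraform query flags an aws_db_instance both when "publicly_accessible" is true and when it is missing. The two sample documents are constructed for illustration.

```python
"""Static checks mirroring the page's CloudFormation and Terraform build rules.
Added example, not Prisma Cloud code; sample templates below are constructed."""


def _is_true(value):
    """CloudFormation accepts the boolean as a string ("true"/"false"), so treat
    both bool True and the string "true" (any case) as true."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def cloudformation_public_rds(template):
    """Logical IDs of AWS::RDS::DBInstance resources whose PubliclyAccessible
    property evaluates to true (the query's 'anyTrue' condition)."""
    offenders = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = resource.get("Properties", {})
        if _is_true(props.get("PubliclyAccessible")):
            offenders.append(logical_id)
    return offenders


def terraform_public_rds(tf_json):
    """Names of aws_db_instance blocks where publicly_accessible is missing or
    true. Layout follows the Terraform JSON shape used on the page:
    resource[] -> aws_db_instance[] -> {name: [body, ...]}."""
    offenders = []
    for block in tf_json.get("resource", []):
        for instance in block.get("aws_db_instance", []):
            for name, bodies in instance.items():
                for body in bodies:
                    value = body.get("publicly_accessible")
                    if value is None or _is_true(value):
                        offenders.append(name)
    return offenders


# Constructed sample CloudFormation template: one public instance, one private,
# one unrelated resource that must be ignored.
SAMPLE_CFN = {
    "Resources": {
        "PublicDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"PubliclyAccessible": "true", "StorageType": "gp2"},
        },
        "PrivateDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"PubliclyAccessible": "false", "StorageType": "gp2"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

# Constructed sample Terraform JSON: explicit true, attribute absent, explicit false.
SAMPLE_TF = {
    "resource": [
        {
            "aws_db_instance": [
                {"exposed": [{"instance_class": "db.t2.micro", "publicly_accessible": True}]},
                {"unset": [{"instance_class": "db.t2.micro"}]},
                {"locked_down": [{"instance_class": "db.t2.micro", "publicly_accessible": False}]},
            ]
        }
    ]
}


if __name__ == "__main__":
    print("CloudFormation violations:", cloudformation_public_rds(SAMPLE_CFN))
    print("Terraform violations:", terraform_public_rds(SAMPLE_TF))
```

Note that the Terraform check reports the block where the attribute is absent, matching the "!exists" clause of the page's query; a linter that only flagged an explicit true would miss it.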

Run Rule Recommendation

  1. Sign in to the AWS console.
  2. In the console, select the specific region from the region drop-down in the top right corner for which the alert was generated.
  3. Navigate to the 'RDS' service.
  4. For the RDS instance reported in the alert, change 'Publicly Accessible' setting to 'No'.
Remediation CLI Command:
aws rds --region ${region} modify-db-snapshot-attribute --db-snapshot-identifier ${resourceId} --attribute-name restore --values-to-remove "all"
CLI Command Description:
This CLI command requires the 'rds:ModifyDBSnapshotAttribute' permission. Successful execution resets this RDS snapshot's ACL (Access Control List) to private, ensuring that only the owner has full privileges.
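The remediation command above removes the "all" value from the snapshot's "restore" attribute, which is what makes a snapshot public. As an added example (not Prisma Cloud's own remediation code), the Python below shows the same run-time check and fix using boto3's describe_db_snapshot_attributes and modify_db_snapshot_attribute. The evaluation logic is separated from the AWS calls so it can be exercised on a constructed API response without credentials; the live functions assume boto3 is installed and AWS credentials with the permissions named above are configured.

```python
"""Detect and fix publicly shared RDS snapshots. Added example, not Prisma
Cloud code. The sample API responses at the bottom are constructed."""


def snapshot_is_public(attributes_result):
    """True when the 'restore' attribute contains 'all', i.e. every AWS account
    may restore the snapshot. Input is the DBSnapshotAttributesResult dict
    returned by describe_db_snapshot_attributes."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def shared_accounts(attributes_result):
    """Account IDs the snapshot is explicitly shared with, excluding 'all'.
    Not a policy violation on this page, but worth reviewing alongside it."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return [v for v in attr.get("AttributeValues", []) if v != "all"]
    return []


def find_public_snapshots(region, rds=None):
    """Live call: return identifiers of this account's manual snapshots whose
    restore attribute is public in the given region."""
    import boto3  # assumption: boto3 installed; imported lazily so the pure checks run without it
    rds = rds or boto3.client("rds", region_name=region)
    public = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            result = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"]
            )["DBSnapshotAttributesResult"]
            if snapshot_is_public(result):
                public.append(snap["DBSnapshotIdentifier"])
    return public


def make_private(region, snapshot_id, rds=None):
    """Live call: equivalent of the page's CLI command. Requires
    rds:ModifyDBSnapshotAttribute on the snapshot."""
    import boto3  # assumption: boto3 installed
    rds = rds or boto3.client("rds", region_name=region)
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id,
        AttributeName="restore",
        ValuesToRemove=["all"],
    )


# Constructed DBSnapshotAttributesResult payloads for the three common states.
SAMPLE_PUBLIC = {
    "DBSnapshotIdentifier": "example-snap-public",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
}
SAMPLE_SHARED = {
    "DBSnapshotIdentifier": "example-snap-shared",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}],
}
SAMPLE_PRIVATE = {
    "DBSnapshotIdentifier": "example-snap-private",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}],
}


if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_SHARED, SAMPLE_PRIVATE):
        print(sample["DBSnapshotIdentifier"], "public:", snapshot_is_public(sample),
              "shared with:", shared_accounts(sample))
    # Live usage (needs credentials): for sid in find_public_snapshots("us-west-2"): make_private("us-west-2", sid)
```

Keeping snapshot_is_public and shared_accounts pure lets the same logic run in a scheduled detection job, a unit test, or a one-off audit; only the two live functions touch the AWS API.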

Compliance

There are 12 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PIPEDA
  • NIST 800-171 Rev1
  • NIST CSF
  • NIST 800-53 Rev4
  • HITRUST CSF v9.3
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • ISO 27001:2013
  • PCI DSS v3.2
  • CCPA 2018
