Publicly accessible AWS RDS instances – Why they should not be public

Cloud security is a priority for most organizations. They want their cloud infrastructure to be as secure as possible, so that they can deploy their data and resources and focus on their business instead of worrying about security threats. RDS is the relational database service provided by AWS, and it is necessary to make sure that your AWS RDS instances are not publicly accessible.

Why should AWS RDS instances not be publicly accessible?

Each DB engine has its own specific features, and users control the accessibility and privacy of the AWS RDS instances they configure in their VPC. It is recommended that an RDS instance not be publicly accessible to other services and resources in AWS. A public RDS instance means that other AWS users can reach your database instance, which can lead to misuse of the data. You may also be unaware that a public RDS database instance exists which contains sensitive data that is not supposed to be shared with other users.

How can Centilytics assist you?

Centilytics provides an insight that shows the status of all your AWS RDS databases that are exposed on a public interface, so that the user can take suitable action against them from the AWS console.

Insight descriptions:

There are 2 possible scenarios:

Severity | Description
OK | This indication is displayed when the RDS instance does not have a public interface, i.e. the RDS DB instance is not publicly accessible to other networks and resources in your cloud.
CRITICAL | This indication is displayed when the RDS instance has a public interface, i.e. the RDS instance is publicly accessible to other networks and resources in your cloud.

The further columns are described as follows:

  1. Account Id: This column shows the account ID of the user's account.
  2. Account Name: This column shows the account name corresponding to the user's account.
  3. Region: This column shows the region in which the corresponding RDS instance exists.
  4. Identifier: This column shows the unique ARN (Amazon Resource Name) of the resource. An ARN is a unique naming convention used to identify and differentiate between multiple resources across AWS.
  5. RDS Instance Identifier: This column shows the corresponding database instance name.
  6. DB Engine: This column shows the database engine of the RDS instance, such as MySQL, Postgres, Aurora, etc.

Filters applicable:

Filter Name | Description
Account Id | Applying the Account Id filter displays data for the selected account ID.
Region | Applying the Region filter displays data for the selected region.
Severity | Applying the Severity filter displays data for the selected severity type, i.e. selecting Critical displays all resources with critical severity; the same applies to the Warning and OK severity types.
Resource Tags | Applying the Resource Tags filter displays those resources that have been assigned the selected resource tag. For example, if the user has tagged some resources with a tag named environment, then selecting environment from the Resource Tags filter will display all
Resource Tags Value | Applying the Resource Tags Value filter displays data that has the selected resource tag value. For example, if the user has tagged some resources with a tag named environment and given it the value production (environment: production), then the user will be able to view data for all resources tagged "environment:production". The user can use the tag value filter only when a tag name has been provided.
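As an added example (not Centilytics' own code), the severity classification and columns described above, together with the Severity, Region and Resource Tags filters, can be reproduced in Python over the shape of an AWS RDS describe_db_instances response. The instance records are constructed sample data, and the account name is assumed to be supplied by the caller.

```python
# Added example (not Centilytics' code): the OK/CRITICAL check behind the insight, run
# over the shape of an AWS RDS describe_db_instances response. The instances below are
# constructed data; live data would come from boto3's rds.describe_db_instances()["DBInstances"].
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql", "PubliclyAccessible": True,
     "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:orders-prod",
     "TagList": [{"Key": "environment", "Value": "production"}]},
    {"DBInstanceIdentifier": "analytics-dev", "Engine": "postgres", "PubliclyAccessible": False,
     "DBInstanceArn": "arn:aws:rds:eu-west-1:123456789012:db:analytics-dev",
     "TagList": [{"Key": "environment", "Value": "dev"}]},
]

def severity(db_instance):
    """CRITICAL when the instance has a public interface, OK otherwise."""
    return "CRITICAL" if db_instance.get("PubliclyAccessible", False) else "OK"

def insight_rows(db_instances, account_name):
    """One row per instance with the columns the insight displays."""
    rows = []
    for inst in db_instances:
        arn = inst["DBInstanceArn"]
        parts = arn.split(":")  # arn:partition:service:region:account-id:db:name
        rows.append({
            "Severity": severity(inst),
            "Account Id": parts[4],
            "Account Name": account_name,
            "Region": parts[3],
            "Identifier": arn,
            "RDS Instance Identifier": inst["DBInstanceIdentifier"],
            "DB Engine": inst["Engine"],
            "Tags": {t["Key"]: t["Value"] for t in inst.get("TagList", [])},
        })
    return rows

def filter_rows(rows, severity_type=None, region=None, tag_name=None, tag_value=None):
    """Apply the Severity, Region, Resource Tags and Resource Tags Value filters;
    as on the page, a tag value can only be filtered once a tag name is given."""
    if tag_value is not None and tag_name is None:
        raise ValueError("Resource Tags Value filter requires a Resource Tags name")
    kept = []
    for r in rows:
        if severity_type and r["Severity"] != severity_type:
            continue
        if region and r["Region"] != region:
            continue
        if tag_name and (tag_name not in r["Tags"]
                         or (tag_value is not None and r["Tags"][tag_name] != tag_value)):
            continue
        kept.append(r)
    return kept
```

Running insight_rows over every region's describe_db_instances output and filtering for CRITICAL gives the same list the insight shows, with the instance identifier pointing at the setting to change in the console.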

Compliances covered:

Compliance Name | Reference No. | Link
PCI | 1.3.4, 1.3.5, 1.3.7 | https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html
HIPAA | 164.312(e)(1), 164.312(c)(1) | https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
ISO 27001 | A.14.1.2, A.9.1.2, A.13.1.3, A.13.2.1 | https://www.iso.org/standard/54534.html

