Ensure AWS RDS database instance is not publicly accessible

Error: AWS RDS database instance is publicly accessible

Bridgecrew Policy ID: BC_AWS_PUBLIC_2
Checkov Check ID: CKV_AWS_17
Severity: MEDIUM


Description

Ensure that none of your Amazon RDS database instances are publicly accessible. When a DB instance is created or modified with Public access enabled (PubliclyAccessible = true), RDS assigns it a public DNS name that resolves to a public IP address, provided the instance sits in a subnet with a route to an internet gateway. At that point the only thing standing between the internet and your database engine is the instance's security group rules, and a single overly broad rule (for example 0.0.0.0/0 on port 3306 or 5432) exposes the engine's login endpoint to brute-force and credential-stuffing attempts and to any unpatched engine vulnerability. Databases rarely need to be reachable from the internet directly. Set the instance to not publicly accessible so it can only be reached through the VPC (application tier, bastion host, VPN or Direct Connect), and keep the security group scoped to the application's own subnets or security groups.

Fix - Runtime

AWS Console

To disable public access for an existing DB instance using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon RDS console.
  3. In the navigation pane, choose Databases.
  4. Select the DB instance you want to change, then choose Modify.
  5. Under Connectivity, expand Additional configuration and select Not publicly accessible.
  6. Choose Continue and review the summary of modifications.
  7. Choose whether to apply the change immediately or during the next maintenance window, then choose Modify DB instance.

Note that a multi-instance Aurora cluster sets public access per DB instance, so repeat the steps for each instance in the cluster. Disabling public access removes the public IP address but does not change the security group; review its inbound rules as well and remove any rules that allow 0.0.0.0/0 or ::/0.

Fix - Buildtime

Terraform

  • Resource: aws_db_instance
  • Argument: publicly_accessible
resource "aws_db_instance" "default" {
  ...
+ publicly_accessible   = false
}

CloudFormation

  • Resource: AWS::RDS::DBInstance
  • Argument: Properties.PubliclyAccessible
Type: 'AWS::RDS::DBInstance'
    Properties:
      ...
+     PubliclyAccessible: false
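The following is an added example, not part of the Bridgecrew or Checkov code base, showing how the Terraform and CloudFormation build-time checks above can be evaluated offline. It reads the real shapes of a `terraform show -json` plan (`resource_changes[].change.after`) and of a CloudFormation JSON template (`Resources.<id>.Properties`); the sample plan and template embedded below are constructed for the demo. The two formats need different handling of an absent setting: the Terraform AWS provider defaults `publicly_accessible` to false, so omitting it passes, whereas CloudFormation has no fixed default (AWS derives it from the VPC and DB subnet group), so an omitted `PubliclyAccessible` is reported as UNKNOWN rather than passed.

```python
import json

CHECK_ID = "CKV_AWS_17"


def _to_bool(value):
    """Normalize the ways a boolean shows up in plan JSON and templates.

    Returns True/False, or None when the value cannot be resolved statically
    (e.g. a CloudFormation {"Ref": ...} or an unresolved Terraform expression).
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    return None


def _verdict(flag):
    """Map a resolved public-access flag to a check result."""
    if flag is True:
        return "FAILED"
    if flag is False:
        return "PASSED"
    return "UNKNOWN"


def check_terraform_plan(plan):
    """Evaluate every aws_db_instance in a `terraform show -json` plan.

    The AWS provider defaults publicly_accessible to false, so an absent key
    is treated as PASSED. Resources being destroyed have no `after` state.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_db_instance":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:  # destroy: nothing left to evaluate
            continue
        flag = _to_bool(after.get("publicly_accessible", False))
        findings.append((rc["address"], _verdict(flag)))
    return findings


def check_cloudformation(template):
    """Evaluate every AWS::RDS::DBInstance in a parsed CloudFormation template.

    When PubliclyAccessible is omitted, AWS decides public/private from the VPC
    and DB subnet group, so the property must be present to pass.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = resource.get("Properties", {})
        if "PubliclyAccessible" not in props:
            findings.append((logical_id, "UNKNOWN"))
            continue
        findings.append((logical_id, _verdict(_to_bool(props["PubliclyAccessible"]))))
    return findings


# Constructed sample inputs (not real infrastructure).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_db_instance.public", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"identifier": "app-db", "publicly_accessible": True}}},
        {"address": "aws_db_instance.private", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"identifier": "app-db-ro"}}},
        {"address": "aws_db_instance.old", "type": "aws_db_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"name": "db-sg"}}},
    ]
}

SAMPLE_TEMPLATE = {
    "Resources": {
        "PublicDb": {"Type": "AWS::RDS::DBInstance",
                     "Properties": {"Engine": "postgres", "PubliclyAccessible": "true"}},
        "PrivateDb": {"Type": "AWS::RDS::DBInstance",
                      "Properties": {"Engine": "postgres", "PubliclyAccessible": False}},
        "UnsetDb": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"Engine": "mysql"}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}

if __name__ == "__main__":
    print(CHECK_ID, json.dumps(check_terraform_plan(SAMPLE_PLAN)))
    print(CHECK_ID, json.dumps(check_cloudformation(SAMPLE_TEMPLATE)))
```

Feed it `terraform show -json tfplan` output or a template converted to JSON; any FAILED or UNKNOWN result means the instance should get an explicit `publicly_accessible = false` / `PubliclyAccessible: false` before the change is applied.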