Skip to main content
All CollectionsMonitoringTests
Test 220: AWS RDS Public Access Restricted
Test 220: AWS RDS Public Access Restricted

Drata validates that AWS RDS database instances do not allow unrestricted public access (0.0.0.0/0).

Updated over a month ago

Drata validates that AWS RDS database instances do not allow unrestricted public access (0.0.0.0/0). Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database PubliclyAccessible flag and update the VPC security group associated with the instance.

Ensure that no public-facing RDS database instances are provisioned in your AWS
account and restrict unauthorized access in order to minimize security risks. When the
RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the
Internet can establish a connection to your database and this can increase the
opportunity for malicious activities such as brute force attacks, PostgreSQL injections,
or DoS/DDoS attacks.

ASSOCIATED DRATA CONTROL

This test is part of the Restricted Public Access control (DCF-75) that ensures cloud resources are configured to deny public access.

WHAT TO DO IF A TEST FAILS

If Drata finds that one or more AWS RDS instances allow unrestricted access, the test will fail. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database and this can increase the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.

STEPS TO REMEDIATE

For each failing RDS instance, update your subnet configuration from the 'Modify DB Instance' panel by ensuring the connectivity configuration is not publicly accessible and that the subnet configurations are updated so that the instance is not in a public subnet.

If the route table contains any entries with the GatewayId value set to igw-xxxxxxxx and the DestinationCidrBlock value set to 0.0.0.0/0, the selected RDS database instance was provisioned inside a public subnet, therefore is not running within a logically isolated environment and does not adhere to AWS security best practices.

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.

Did this answer your question?