AWS-RDS-Instance-Security-Group-block-Inbound-from-any-source

Severity: High

Description: This control ensures that the DB security groups associated with the RDS instance do not allow ingress from any IP (0.0.0.0/0 or ::/0). Allowing public inbound access from the Internet poses a serious security threat to the DB instance, since anyone can reach it. The "deny-all, allow-by-exception" principle should be followed when network rules are defined, and rules with source "0.0.0.0/0" or "::/0" should be avoided.

Remediation Steps:

Perform the following to update the RDS instance security group:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com as the root user.

  2. Navigate to the VPC console.

  3. Step 1 - Create a new Security Group

    1. Choose Security Groups.

    2. Click Create Security Group.

    3. Enter the Security group name and Description.

    4. Select an appropriate VPC for the security group.

    5. Click Create.

    6. Select the newly created security group.

    7. Under the security group description, apply the appropriate Inbound Rules and Outbound Rules.

  4. Step 2 - Remove rules providing inbound access from any IP (0.0.0.0/0 or ::/0)

    1. In the navigation pane on the left, click Security Groups under Security.

    2. Select the Security Group to be modified.

    3. Under the security group description, go to the Inbound Rules tab.

    4. Click the Edit Rules button.

    5. Click the cross button next to any rule whose source is either 0.0.0.0/0 or ::/0.

    6. Click Save rules.

  5. Step 3 - Assign a Security Group to an RDS DB Instance

    1. In the Navigation pane, choose Databases.

    2. Click the database instance to be modified, then click Modify.

    3. Under Network & Security, choose the appropriate security groups for the Security group option.

    4. Click Continue.

    5. Under the Scheduling of modifications option, select Apply Immediately.

    6. Click Modify DB Instance.
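The check this control describes, written out as an added example (not code from the original page or from Blue Hexagon): it evaluates records shaped like the DescribeDBInstances and DescribeSecurityGroups API responses and reports, per RDS instance, every inbound rule whose source is 0.0.0.0/0 or ::/0. The group IDs, instance names and rules below are constructed sample data.

```python
# Flag RDS instances whose VPC security groups allow inbound traffic from any source.
# Added example, not part of the original control page. It works on plain dicts shaped
# like the DescribeDBInstances and DescribeSecurityGroups responses, so it runs offline;
# the sample data at the bottom is constructed.

# Sources the control forbids: the IPv4 and IPv6 "everything" prefixes.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def open_ingress_rules(sg: dict) -> list[dict]:
    """Inbound rules of one security group whose IPv4 or IPv6 source is the whole Internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if src in ANY_SOURCE:
                findings.append({
                    "GroupId": sg["GroupId"],
                    # IpProtocol "-1" means all traffic; FromPort/ToPort are then absent
                    "Protocol": "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                    "Source": src,
                })
    return findings


def evaluate_rds_instances(db_instances: list[dict], security_groups: list[dict]) -> dict:
    """Map each DBInstanceIdentifier to the open rules of its attached groups (empty = pass)."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    report = {}
    for db in db_instances:
        attached = [v["VpcSecurityGroupId"] for v in db.get("VpcSecurityGroups", [])]
        report[db["DBInstanceIdentifier"]] = [
            rule for gid in attached if gid in by_id for rule in open_ingress_rules(by_id[gid])]
    return report


# Constructed sample data: one group open to the world on 3306 plus an all-traffic IPv6
# rule, one group restricted to an application subnet (the allow-by-exception pattern).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},
]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0open"}]},
    {"DBInstanceIdentifier": "billing-db", "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0app"}]},
]
```

Calling `evaluate_rds_instances(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS)` fails orders-db on both rules and passes billing-db; an instance still passes only once every attached group is clean, which is why Step 2 and Step 3 both matter.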

Important:

Reference:

Blue Hexagon Proprietary