Database

Unrestricted access between network segments - RDS

Need

Restrict access between network segments for RDS instances

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of aws_db_instance for managing and interacting with AWS RDS database instances

Description

1. Non-compliant code

resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  password             = "foobarbaz"
  # ... (remaining arguments elided on the original page)

  # The instance gets a public endpoint; no db_subnet_group_name is set.
  publicly_accessible  = true
}

The Terraform code above creates an AWS RDS instance that is publicly accessible and has no database subnet group. With `publicly_accessible` set to `true`, the instance is given a public endpoint and can be reached from the internet. This is a vulnerability because it leaves access between network segments unrestricted: any public or private subnet can connect to the RDS instance, which could lead to unauthorized access to sensitive data stored in the database. Because no database subnet group is defined, the instance is not explicitly tied to chosen subnets, so it is unclear which network routing and access-control rules apply to it. To fix this, define a database subnet group, associate the RDS instance with it, and set `publicly_accessible` to `false` so the instance is not reachable from the internet.

2. Steps

• Create a Database Subnet Group in your AWS account.

• Specify the Database Subnet Group in the RDS resource configuration.

• Ensure that the RDS instance is not publicly accessible.

• Review and update the security group rules to restrict access to the RDS instance.

3. Secure code example

resource "aws_db_subnet_group" "default" {
  name       = "main"
  subnet_ids = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]

  tags = {
    Name = "Main database subnet group"
  }
}

resource "aws_db_instance" "default" {
  # ... (remaining arguments elided on the original page)

  # Place the instance in the subnet group above and keep it off the internet.
  db_subnet_group_name = aws_db_subnet_group.default.name
  publicly_accessible  = false
}

The code above first creates a Database Subnet Group with the `aws_db_subnet_group` resource; replace the `subnet_ids` placeholders (`subnet-xxxxxxxx`, `subnet-yyyyyyyy`) with the IDs of the subnets you want in the group. It then creates an RDS instance with the `aws_db_instance` resource. `publicly_accessible` is set to `false` so the instance gets no public endpoint, and `db_subnet_group_name` references the subnet group created earlier, so the instance is placed inside that group and access between network segments is restricted. Also make sure that the security group rules applied to the RDS instance limit access to the clients that need it, as per your requirements.
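The last step, restricting the security group rules on the instance, is not shown on the page. The following is an added example (not the page's own code) that only allows MySQL traffic from the application tier's security group and adds a postcondition that fails the run if the instance is ever made public. It assumes the `aws_db_subnet_group.default` resource from the secure example above, a placeholder VPC id and application security group id, and a `db_password` variable supplied at run time.

```hcl
# Application-tier security group, assumed to exist already (placeholder id).
data "aws_security_group" "app" {
  id = "sg-aaaaaaaa" # placeholder: replace with the application tier security group
}

# Dedicated security group for the database. It has no inline rules, so
# nothing can reach the instance until the explicit rule below is attached.
resource "aws_security_group" "db" {
  name        = "rds-mysql"
  description = "MySQL reachable only from the application tier"
  vpc_id      = "vpc-xxxxxxxx" # placeholder: replace with your VPC id
}

# Only traffic whose source is the application security group may reach 3306.
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  protocol                 = "tcp"
  from_port                = 3306
  to_port                  = 3306
  source_security_group_id = data.aws_security_group.app.id
  description              = "MySQL from application tier only"
}

# Assumed variable: keeps the credential out of the configuration file.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "default" {
  allocated_storage      = 20
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  db_name                = "mydb"
  username               = "admin"
  password               = var.db_password
  db_subnet_group_name   = aws_db_subnet_group.default.name # from the secure example above
  vpc_security_group_ids = [aws_security_group.db.id]       # replaces the VPC default group
  publicly_accessible    = false
  skip_final_snapshot    = true

  lifecycle {
    # Fail the apply if a later change flips the instance to public.
    postcondition {
      condition     = self.publicly_accessible == false
      error_message = "RDS instance must not be publicly accessible."
    }
  }
}
```

Without `vpc_security_group_ids`, the instance is attached to the VPC's default security group, whose rules are usually broader than a database needs.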