Cloud Management Insider

AWS RDS instances should not be present in public subnet

Cloud security refers to the set of policies, technologies and controls used to protect data, applications and the associated infrastructure. When it comes to security and data, Amazon RDS (Relational Database Service) instances store large volumes of crucial and sensitive organizational data, and organizations cannot afford to put this data at risk. It is therefore important to make sure that your AWS RDS instances are secured, and certain security practices should be followed that help secure your database and minimize the risk of attacks on your cloud infrastructure.

Ensure that your Amazon RDS instances are not present in a public subnet

AWS allows RDS instances to be associated with a subnet via Amazon VPC. Subnets are used to manage incoming and outgoing traffic. A subnet is a logical section or subdivision of an IP network. It also allows interaction with different networks via IP addresses. The instances in the public subnet can send traffic directly to the internet, whereas the instances in the private subnet cannot send traffic directly to the internet.

It is recommended that your AWS RDS instances should not be present in a public subnet. This is because a public subnet does not provide a logically isolated environment for RDS instances to function and operate. This increases the risks of security attacks due to interaction with a third-party resource on the public internet.

Centilytics detects all Amazon RDS instances in your cloud infrastructure which are present in a public subnet. This insight also gives warnings to the users so that necessary actions can be taken.
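The check described above, written out as an added example (this is not Centilytics' or AWS's own code): a subnet is treated as public when the route table that applies to it, either the one explicitly associated with it or otherwise the VPC's main route table, has a default route (0.0.0.0/0 or ::/0) pointing at an internet gateway. Any RDS instance whose DB subnet group contains such a subnet is reported, matching the CRITICAL case of this insight. The sample data is constructed inline in the shape of boto3's `describe_route_tables`, `describe_subnets` and `describe_db_instances` responses, so it runs offline.

```python
def route_table_is_public(rt):
    """True when the route table sends default traffic to an internet gateway."""
    return any(
        str(r.get("GatewayId", "")).startswith("igw-")
        and (r.get("DestinationCidrBlock") == "0.0.0.0/0"
             or r.get("DestinationIpv6CidrBlock") == "::/0")
        for r in rt.get("Routes", [])
    )


def public_subnets(route_tables, subnets):
    """Return the set of subnet IDs whose effective route table is public.
    A subnet without an explicit association inherits the VPC main route table."""
    explicit, main = {}, {}
    for rt in route_tables:
        is_public = route_table_is_public(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main[rt["VpcId"]] = is_public
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = is_public
    return {s["SubnetId"] for s in subnets
            if explicit.get(s["SubnetId"], main.get(s["VpcId"], False))}


def exposed_rds_instances(db_instances, route_tables, subnets):
    """Map DBInstanceIdentifier -> list of public subnets in its DB subnet group.
    Security groups and the PubliclyAccessible flag still apply on top of this;
    the insight flags subnet placement, not reachability."""
    pub = public_subnets(route_tables, subnets)
    findings = {}
    for db in db_instances:
        hits = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]
                if s["SubnetIdentifier"] in pub]
        if hits:
            findings[db["DBInstanceIdentifier"]] = hits
    return findings


# Constructed sample data (IDs are placeholders, not real resources).
SUBNETS = [{"SubnetId": f"subnet-{x}", "VpcId": "vpc-1"} for x in ("aaa", "bbb", "ccc")]
ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],              # main table: local only
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-aaa"}],  # public: default -> IGW
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-bbb"}],  # private: default -> NAT
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "DBSubnetGroup": {"Subnets": [
        {"SubnetIdentifier": "subnet-aaa"}, {"SubnetIdentifier": "subnet-bbb"}]}},
    {"DBInstanceIdentifier": "reports-db", "DBSubnetGroup": {"Subnets": [
        {"SubnetIdentifier": "subnet-bbb"}, {"SubnetIdentifier": "subnet-ccc"}]}},
]

if __name__ == "__main__":
    print(exposed_rds_instances(DB_INSTANCES, ROUTE_TABLES, SUBNETS))  # {'orders-db': ['subnet-aaa']}
```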

Insight descriptions:

There is one possible scenario:

| Severity | Description |
|---|---|
| CRITICAL | This indication is displayed when the corresponding Amazon RDS instance is associated with a public subnet and therefore has direct exposure to the public internet. |


The further columns are described as follows:

  1. Account Id: This column shows the respective account ID of the user's account.
  2. Account Name: This column shows the corresponding account name of the user's account.
  3. Region: This column shows the region in which the resource exists.
  4. Instance Identifier of Database: This column shows the name of the database instance in your AWS RDS.
  5. Database (DB) Name: This column shows the name of the database in your RDS instance.
  6. DB Instance Class: This column shows the instance class of your AWS RDS instance.

Filters applicable:

| Filter Name | Description |
|---|---|
| Account Id | Applying the account Id filter will display data for the selected account Id. |
| Region | Applying the region filter will display data according to the selected region. |
| Severity | Applying the severity filter will display data according to the selected severity type, i.e. selecting critical will display all resources with critical severity. The same applies to the warning and ok severity types. |
| Resource Tags | Applying the resource tags filter will display those RDS instances which have been assigned the selected resource tag. For example, a user has tagged some RDS instances with a resource tag named environment. Selecting environment from the resource tags filter will then display all those instances. |
| Resource Tags Value | Applying the resource tags value filter will display data which has the selected resource tag value. For example, a user has tagged some resources with a tag named environment that has the value production (environment: production). The user can then view data for all resources with the "environment:production" tag. The tag value filter can only be used once a tag name has been provided. |


To know more about AWS Relational Database Service (RDS), read this article.