VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
Description
Security groups attached to RDS instances should permit inbound traffic only on the ports the database actually needs (for example 5432 for PostgreSQL or 3306 for MySQL), and only from the networks that need it. A rule that opens every port to 0.0.0.0/0 exposes not just the database listener but any other service reachable through that security group to the whole internet.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation, select Security Groups.
Select the security group that is attached to the RDS instance and open the Inbound rules tab.
Click Edit inbound rules.
Delete every rule whose source is 0.0.0.0/0 and whose type is All traffic or whose port range covers all ports (0 - 65535), then save the rules.
AWS CLI
Revoke the ingress rules that allow connectivity from anywhere (0.0.0.0/0) to all ports, passing the rule to remove (protocol, port range and the 0.0.0.0/0 range) in the same JSON shape that describe-security-groups returns under IpPermissions:
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions <ip_permissions>
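The following is an added example, not code from the original page or from AWS: it implements the check behind this rule against the JSON that `aws ec2 describe-security-groups` and `aws rds describe-db-instances` return, and emits one revoke-security-group-ingress command per offending rule. It restricts itself to security groups that are actually attached to an RDS instance, treats both an explicit 0-65535 range and an all-traffic (protocol "-1") rule as "all ports", and revokes only the 0.0.0.0/0 range so that other CIDRs on the same rule survive. The sample security groups and DB instances are constructed for the demonstration; the group and instance identifiers are made up.

```python
import json

ANY_IPV4 = "0.0.0.0/0"

# Constructed sample modelled on `aws ec2 describe-security-groups` output
# (not real data). Group IDs are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            # All TCP ports from anywhere AND from an internal range: offending
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": ANY_IPV4}, {"CidrIp": "10.0.0.0/16"}]},
            # Single DB port from anywhere: not what this rule checks
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": ANY_IPV4}]},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "IpPermissions": [
            # "All traffic" rule: protocol -1 carries no port fields: offending
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        ],
    },
    {
        # Wide open too, but not attached to any RDS instance: out of scope
        "GroupId": "sg-0aaaaaaaaaaaaaaaa",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]},
        ],
    },
]

# Constructed sample modelled on `aws rds describe-db-instances` output.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]},
    {"DBInstanceIdentifier": "reports-db",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}]},
]


def rds_attached_group_ids(db_instances):
    """Collect the security group IDs referenced by any RDS instance."""
    return {
        sg["VpcSecurityGroupId"]
        for db in db_instances
        for sg in db.get("VpcSecurityGroups", [])
    }


def covers_all_ports(perm):
    """True when a permission spans every port: protocol -1 (all traffic,
    which has no FromPort/ToPort in the API) or an explicit 0-65535 range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def find_open_all_port_rules(groups, attached_ids):
    """Return (group_id, permission) pairs for RDS-attached groups where
    0.0.0.0/0 may reach all ports."""
    findings = []
    for group in groups:
        if group["GroupId"] not in attached_ids:
            continue
        for perm in group.get("IpPermissions", []):
            if not covers_all_ports(perm):
                continue
            if any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", [])):
                findings.append((group["GroupId"], perm))
    return findings


def revoke_permission(perm):
    """Build the --ip-permissions entry that revokes only the 0.0.0.0/0 range
    of an offending rule, leaving other CIDRs on that rule in place."""
    revoked = {"IpProtocol": perm["IpProtocol"], "IpRanges": [{"CidrIp": ANY_IPV4}]}
    if "FromPort" in perm:  # absent for protocol -1 rules
        revoked["FromPort"] = perm["FromPort"]
        revoked["ToPort"] = perm["ToPort"]
    return revoked


def build_revoke_commands(groups, db_instances):
    """One `aws ec2 revoke-security-group-ingress` command per finding."""
    attached = rds_attached_group_ids(db_instances)
    cmds = []
    for group_id, perm in find_open_all_port_rules(groups, attached):
        payload = json.dumps([revoke_permission(perm)], separators=(",", ":"))
        cmds.append(
            f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{payload}'"
        )
    return cmds


if __name__ == "__main__":
    for cmd in build_revoke_commands(SAMPLE_SECURITY_GROUPS, SAMPLE_DB_INSTANCES):
        print(cmd)
```

Run against the sample data it prints two commands, one for the explicit 0-65535 TCP rule and one for the all-traffic rule; the open group that no RDS instance references is skipped, and the internal 10.0.0.0/16 range sharing the first rule is untouched. In a real account, feed it the output of the two describe calls and review the commands before executing them. Note that this rule is scoped to IPv4; a group that additionally allows ::/0 to all ports has the same problem and needs the same treatment, but this check does not report it.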
Terraform
Ensure that no aws_security_group ingress block associated with an RDS instance contains 0.0.0.0/0 in its cidr_blocks field together with a port range that covers all ports, that is:
from_port = 0 and to_port = 65535, OR
from_port = 0 and to_port = 0 (used with protocol = "-1", which Terraform and AWS treat as all traffic on all ports).
Example Configuration
resource "aws_db_instance" "example" {
  vpc_security_group_ids = [aws_security_group.example.id] # For RDS instance in non-default VPC
  # other required fields here
}

resource "aws_security_group" "example" {
  # other required fields here (name, vpc_id, ...)

  ingress {
    # Compliant with this rule: ingress is limited to the internal 10.0.0.0/16
    # range rather than 0.0.0.0/0. Narrowing from_port/to_port to the
    # database port (e.g. 5432) instead of 0-65535 is tighter still.
    protocol    = "tcp"
    from_port   = 0
    to_port     = 65535
    cidr_blocks = ["10.0.0.0/16"]
  }
}