VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports

Description

RDS security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Console Remediation Steps

• Navigate to VPC.

• In the left navigation, select Security Groups.

• Select the desired security group and click the Inbound tab.

• Click Edit rules.

• Remove any permissions that allow ‘0.0.0.0/0’ to all ports.

CLI Remediation Steps

• Remove ingress rules which allow connectivity from anywhere to all ports and protocols:

  • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions

Documentation Links

• Adding, Removing, and Updating Rules

• Revoke Security Group Ingress