VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports

Description

RDS security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Remediation Steps

AWS Console

• Navigate to VPC.

• In the left navigation, select Security Groups.

• Select the desired security group and click the Inbound tab.

• Click Edit rules.

• Remove any permissions that allow ‘0.0.0.0/0’ to all ports.

AWS CLI

• Remove ingress rules which allow connectivity from anywhere to all ports and protocols:

  • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions <ip_permissions>

Terraform

• Ensure that every aws_security_group ingress block associated with an RDS instance does NOT contain the following:

  • A 0.0.0.0/0 in the cidr_blocks field

  • from_port and to_port range from 0 to 65535, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_db_instance" "example" {
  vpc_security_group_ids  = [aws_security_group_example.id] # For RDS instance in non-default VPC
  # other required fields here
}

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = [10.0.0.0/16]
    from_port   = 0
    to_port     = 65535
    # other required fields here
  }
}

Documentation Links

Console and CLI

• Security Groups for your VPC: Adding, Removing, and Updating Rules

• Updating Security Group Rules

• describe-security-groups Command Line Reference

• revoke-security-group-ingress Command Line Reference

Terraform

• Resource: db_instance

  • Field: vpc_security_group_ids

• Resource: aws_security_group

  • Field: ingress