About
RDS instances can have a public IP address and be attached to an open security group.
Understanding Impact
Business Impact
Publicly accessible RDS databases are vulnerable to automated brute force and exploitation attacks. This increases the likelihood that the database is compromised and used for ransomware, extortion, or leaking sensitive data.
Technical Impact
An RDS instance can either sit inside a VPC with a private address or be assigned with a public IP. If it has a public IP and an open security group, anyone from the internet can perform brute force, password stuffing, or denial of service on the database.
Identify affected resources
Use the following AWS CLI command to identify any RDS instances in your account that have a public IP address:
aws rds describe-db-instances \
--query 'DBInstances[?PubliclyAccessible==`true`]'
Then, check if the associated security group for those instances is allowing anyone from the internet to access the database:
aws ec2 describe-security-groups \
--group-ids <security-group-id> \
--query 'SecurityGroups[*].IpPermissions'
Remediate vulnerable resources
The first step is to restrict access using your security group. For instance, you can restrict access to a known IP range used by system administrators.
Then, remove public access. This will make the RDS instance available only in a specific VPC.
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | RDS database instance should be inaccessible over the public internet".
References
Hiding a DB instance in a VPC from the internet
aws documentation