Block public access to Amazon RDS by using Cloud Custodian

Created by abhay kumar (AWS) and Dwarika Patra (AWS)

Environment: Production

Technologies: Databases; Security, identity, compliance

Workload: All other workloads; Open-source

AWS services: Amazon RDS


Many organizations run their workloads and services on multiple cloud vendors. In these hybrid cloud environments, the cloud infrastructure needs strict cloud governance, in addition to the security provided by the individual cloud providers. A cloud database such as Amazon Relational Database Service (Amazon RDS) is one important service that must be monitored for any access and permission vulnerabilities. Although you can restrict access to the Amazon RDS database by configuring a security group, you can add a second layer of protection to prohibit actions such as public access. Ensuring public access is blocked will help you with General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI DSS) compliance.

Cloud Custodian is an open-source rules engine that you can use to enforce access restrictions for Amazon Web Services (AWS) resources such as Amazon RDS. With Cloud Custodian, you can set rules that validate the environment against defined security and compliance standards. You can use Cloud Custodian to manage your cloud environments by helping to ensure compliance with security policies and tag policies, garbage collection of unused resources, and cost management. With Cloud Custodian, you can use a single interface for implementing governance in a hybrid cloud environment. For example, you could use the Cloud Custodian interface to interact with AWS and Microsoft Azure, reducing the effort of working with mechanisms such as AWS Config, AWS security groups, and Azure policies.

This pattern provides instructions for using Cloud Custodian on AWS to enforce restriction of public accessibility on Amazon RDS instances.

Prerequisites and limitations


  • An active AWS account

  • A key pair

  • AWS Lambda installed


Target technology stack

  • Amazon RDS

  • AWS CloudTrail

  • AWS Lambda

  • Cloud Custodian

Target architecture

The following diagram shows Cloud Custodian deploying the policy to Lambda, AWS CloudTrail initiating the CreateDBInstance event, and the Lambda function setting PubliclyAccessible to false on Amazon RDS.

Using Cloud Custodian on AWS to restrict public access to Amazon RDS instances.


AWS services

  • AWS CloudTrail helps you audit the governance, compliance, and operational risk of your AWS account.

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command line shell.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • Amazon Relational Database Service (Amazon RDS) helps you set up, operate, and scale a relational database in the AWS Cloud.

Other tools

  • Cloud Custodian unifies the tools and scripts that many organizations use to manage their public cloud accounts into one open source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs, and detailed reporting for cloud infrastructure. It integrates tightly with a serverless runtime to provide real-time remediation and response with low operational overhead.


Task | Description | Skills required

Task: Install AWS CLI.

Description: To install the AWS CLI, follow the instructions in the AWS documentation.

Skills required: AWS administrator

Task: Set up AWS credentials.

Description: Configure the settings that the AWS CLI uses to interact with AWS, including the AWS Region and the output format that you want to use.

$> aws configure
AWS Access Key ID [None]: <your_access_key_id>
AWS Secret Access Key [None]: <your_secret_access_key>
Default region name [None]:
Default output format [None]:

For more information, see the AWS documentation.

Skills required: AWS administrator

Task: Create an IAM role.

Description: To create an IAM role that Lambda can assume as its execution role, run the following command. The trust policy allows the Lambda service principal to assume the role.

aws iam create-role --role-name lambda-ex --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'

Skills required: AWS DevOps
Task | Description | Skills required

Task: Install Cloud Custodian.

Description: To install Cloud Custodian for your operating system and environment, follow the instructions in the Cloud Custodian documentation.

Skills required: DevOps engineer

Task: Check the Cloud Custodian schema.

Description: To see the complete list of Amazon RDS resources against which you can run policies, use the following command.

custodian schema aws.rds

Skills required: DevOps engineer

Task: Create the Cloud Custodian policy.

Description: Save the code that's under Cloud Custodian policy YAML file in the Additional information section to a file with a .yaml extension.

Skills required: DevOps engineer

Task: Define Cloud Custodian actions to change the publicly accessible flag.

Description:

  1. Locate the Cloud Custodian resource code (for example, /Users/abcd/custodian/lib/python3.9/site-packages/c7n/resources/).

  2. Locate the RDSSetPublicAvailability class in that directory, and modify the class by using the code that's under c7n resources file in the Additional information section.

Skills required: DevOps engineer

Task: Perform a dry run.

Description: (Optional) To check which resources are identified by the policy without running any actions on the resources, use the following command.

custodian run --dryrun -s <output_directory> <policy_name>.yaml

Skills required: DevOps engineer
Task | Description | Skills required

Task: Deploy the policy by using Lambda.

Description: To create the Lambda function that will run the policy, use the following command (the -s option names the directory that receives Cloud Custodian's output).

custodian run -s <output_directory> policy.yaml

Because the policy uses cloudtrail mode, Cloud Custodian deploys it as a Lambda function that is invoked by the AWS CloudTrail CreateDBInstance event.

As a result, AWS Lambda sets the publicly accessible flag to false for instances that match the filter criteria.

Skills required: DevOps engineer

Additional information

Cloud Custodian policy YAML file

policies:
  - name: "block-public-access"
    resource: rds
    description: |
      This Enforcement blocks public access for RDS instances.
    mode:
      type: cloudtrail
      events:
        - event: CreateDBInstance   # Create RDS instance cloudtrail event
          source: rds.amazonaws.com   # CloudTrail event source for RDS API calls
          ids: requestParameters.dBInstanceIdentifier
      role: arn:aws:iam::1234567890:role/Custodian-compliance-role
    filters:
      - type: event
        key: 'detail.requestParameters.publiclyAccessible'
        value: true
    actions:
      - type: set-public-access
        state: false
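To make the runtime behaviour of the cloudtrail-mode policy above concrete, the following is an added example (not part of this pattern and not Cloud Custodian code) that replays the policy's event filter and id lookup in plain Python over a constructed CloudTrail CreateDBInstance event; the instance identifiers and helper names are assumptions.

```python
# Added example, not Cloud Custodian code: replays the policy's event-mode
# filter over constructed CloudTrail events so the semantics can be checked
# offline. Constructed sample of the EventBridge envelope the Lambda receives.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "rds.amazonaws.com",
        "eventName": "CreateDBInstance",
        "requestParameters": {
            "dBInstanceIdentifier": "orders-db",  # constructed identifier
            "publiclyAccessible": True,
        },
    },
}

# Same call with the flag omitted from the request: RDS then applies the
# subnet-group default, and the event filter below does not fire.
EVENT_FLAG_OMITTED = {
    "detail": {
        "eventSource": "rds.amazonaws.com",
        "eventName": "CreateDBInstance",
        "requestParameters": {"dBInstanceIdentifier": "reports-db"},
    },
}


def lookup(event, dotted_key):
    """Resolve a dotted key such as 'detail.requestParameters.publiclyAccessible'."""
    node = event
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def policy_matches(event, filter_key="detail.requestParameters.publiclyAccessible",
                   filter_value=True, ids="requestParameters.dBInstanceIdentifier"):
    """Return the identifier the policy would act on, or None if it would not fire."""
    if lookup(event, "detail.eventName") != "CreateDBInstance":
        return None
    if lookup(event, filter_key) != filter_value:  # an absent flag is not True
        return None
    return lookup(event, "detail." + ids)


def remediation_call(event):
    """ModifyDBInstance parameters the set-public-access action (state: false) would send."""
    db_id = policy_matches(event)
    return None if db_id is None else {"DBInstanceIdentifier": db_id, "PubliclyAccessible": False}
```

Because the filter keys off the request parameter, an instance created without publiclyAccessible in the request is not caught by this event-mode policy even if its subnet group makes it reachable; pair it with a periodic pull-mode policy that filters existing instances on their PubliclyAccessible attribute.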

c7n resources file

# These imports are already present at the top of the c7n resources file;
# they are listed here so the class is complete on its own.
from concurrent.futures import as_completed

from c7n.actions import BaseAction
from c7n.utils import local_session, type_schema


@actions.register('set-public-access')
class RDSSetPublicAvailability(BaseAction):
    """Set the PubliclyAccessible flag on matched RDS instances to the policy's state value."""

    schema = type_schema(
        "set-public-access",
        state={'type': 'boolean'})
    permissions = ('rds:ModifyDBInstance',)

    def set_accessibility(self, r):
        client = local_session(self.manager.session_factory).client('rds')
        # ModifyDBInstance is rejected while the instance is still creating,
        # so wait until it is available before changing the flag.
        waiter = client.get_waiter('db_instance_available')
        waiter.wait(DBInstanceIdentifier=r['DBInstanceIdentifier'])
        client.modify_db_instance(
            DBInstanceIdentifier=r['DBInstanceIdentifier'],
            PubliclyAccessible=self.data.get('state', False))

    def process(self, rds):
        with self.executor_factory(max_workers=2) as w:
            futures = {w.submit(self.set_accessibility, r): r for r in rds}
            for f in as_completed(futures):
                if f.exception():
                    self.log.error(
                        "Exception setting public access on %s \n %s",
                        futures[f]['DBInstanceIdentifier'], f.exception())
        return rds

Security Hub integration

Cloud Custodian can be integrated with AWS Security Hub to send security findings and attempt remediation actions. For more information, see Announcing Cloud Custodian Integration with AWS Security Hub.