Summary Prerequisites and limitations Architecture Tools Epics Related resources Additional information

Block public access to Amazon RDS by using Cloud Custodian

Created by abhay kumar (AWS) and Dwarika Patra (AWS)

Environment: Production	Technologies: Databases; Security, identity, compliance	Workload: All other workloads; Open-source
AWS services: Amazon RDS

Summary

Many organizations run their workloads and services on multiple cloud vendors. In these hybrid cloud environments, the cloud infrastructure needs strict cloud governance, in addition to the security provided by the individual cloud providers. A cloud database such as Amazon Relational Database Service (Amazon RDS) is one important service that must be monitored for any access and permission vulnerabilities. Although you can restrict access to the Amazon RDS database by configuring a security group, you can add a second layer of protection to prohibit actions such as public access. Ensuring public access is blocked will help you with General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI DSS) compliance.

Cloud Custodian is an open-source rules engine that you can use to enforce access restrictions for Amazon Web Services (AWS) resources such as Amazon RDS. With Cloud Custodian, you can set rules that validate the environment against defined security and compliance standards. You can use Cloud Custodian to manage your cloud environments by helping to ensure compliance with security policies, tag policies, and garbage collection of unused resources and cost management. With Cloud Custodian, you can use a single interface for implementing governance in a hybrid cloud environment. For example, you could use the Cloud Custodian interface to interact with AWS and Microsoft Azure, reducing the effort of working with mechanisms such as AWS Config, AWS security groups, and Azure policies.

This pattern provides instructions for using Cloud Custodian on AWS to enforce restriction of public accessibility on Amazon RDS instances.

Prerequisites and limitations

Prerequisites

An active AWS account
A key pair
AWS Lambda installed

Architecture

Target technology stack

Amazon RDS
AWS CloudTrail
AWS Lambda
Cloud Custodian

Target architecture

The following diagram shows Cloud Custodian deploying the policy to Lambda, AWS CloudTrail initiating the CreateDBInstance event, and the Lambda function setting PubliclyAccessible to false on Amazon RDS.

Using Cloud Custodian on AWS to restrict public access to Amazon RDS instances.

Tools

AWS services

AWS CloudTrail helps you audit the governance, compliance, and operational risk of your AWS account.
AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command line shell.
AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
Amazon Relational Database Service (Amazon RDS) helps you set up, operate, and scale a relational database in the AWS Cloud.

Other tools

Cloud Custodian unifies the tools and scripts that many organizations use to manage their public cloud accounts into one open source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs, and detailed reporting for cloud infrastructure. It integrates tightly with a serverless runtime to provide real-time remediation and response with low operational overhead.

Epics

Task Description Skills required

Task	Description	Skills required
Install AWS CLI.	To install AWS CLI, follow the instructions in the AWS documentation.	AWS administrator
Set up AWS credentials.	Configure the settings that the AWS CLI uses to interact with AWS, including the AWS Region and the output format that you want to use. `$>aws configure AWS Access Key ID [None]: <your_access_key_id> AWS Secret Access Key [None]: <your_secret_access_key> Default region name [None]: Default output format [None]:` For more information, see the AWS documentation.	AWS administrator
Create an IAM role.	To create an IAM role with the Lambda execution role, run the following command. `aws iam create-role --role-name lambda-ex --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}`	AWS DevOps

Install AWS CLI.

To install AWS CLI, follow the instructions in the AWS documentation.

AWS administrator

Set up AWS credentials.

Configure the settings that the AWS CLI uses to interact with AWS, including the AWS Region and the output format that you want to use.


$>aws configure
AWS Access Key ID [None]: <your_access_key_id>
AWS Secret Access Key [None]: <your_secret_access_key>
Default region name [None]:
Default output format [None]:

For more information, see the AWS documentation.

AWS administrator

Create an IAM role.

To create an IAM role with the Lambda execution role, run the following command.


aws iam create-role --role-name lambda-ex --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

AWS DevOps

Task	Description	Skills required
Install Cloud Custodian.	To install Cloud Custodian for your operating system and environment, follow the instructions in the Cloud Custodian documentation.	DevOps engineer
Check the Cloud Custodian schema.	To see the complete list of Amazon RDS resources against which you can run policies, use the following command. `custodian schema aws.rds`	DevOps engineer
Create the Cloud Custodian policy.	Save the code that’s under Cloud Custodian policy file in the Additional information section using a YAML extension.	DevOps engineer
Define Cloud Custodian actions to change the publicly accessible flag.	Locate the custodian code (for example, `/Users/abcd/custodian/lib/python3.9/site-packages/c7n/resources/rds.py`). Locate the `RDSSetPublicAvailability` class in `rds.py`, and modify this class by using the code that’s under c7n resources rds.py file in the Additional information section.	DevOps engineer
Perform a dry run.	(Optional) To check which resources are identified by the policy without running any actions on the resources, use the following command. `custodian run -dryrun <policy_name>.yaml -s <output_directory>`	DevOps engineer

Task Description Skills required

Task	Description	Skills required
Deploy the policy by using Lambda.	To create the Lambda function that will run the policy, use the following command. `custodian run -s policy.yaml` This policy will then be initiated by the AWS CloudTrail `CreateDBInstance` event. As a result, AWS Lambda will set the publicly accessible flag to false for instances that match the criteria.	DevOps engineer

Deploy the policy by using Lambda.

To create the Lambda function that will run the policy, use the following command.


custodian run -s policy.yaml

This policy will then be initiated by the AWS CloudTrail CreateDBInstance event.

As a result, AWS Lambda will set the publicly accessible flag to false for instances that match the criteria.

DevOps engineer

Related resources

Additional information

Cloud Custodian policy YAML file


policies:
  - name: "block-public-access"
    resource: rds
    description: |
      This Enforcement blocks public access for RDS instances.
    mode:
      type: cloudtrail
      events:
        - event: CreateDBInstance # Create RDS instance cloudtrail event
          source: rds.amazonaws.com
          ids: requestParameters.dBInstanceIdentifier
      role: arn:aws:iam::1234567890:role/Custodian-compliance-role
    filters:
      - type: event
        key: 'detail.requestParameters.publiclyAccessible'
        value: true
    actions:
      - type: set-public-access
        state: false

c7n resources rds.py file


@actions.register('set-public-access')
 class RDSSetPublicAvailability(BaseAction):
 
     schema = type_schema(
         "set-public-access",
         state={'type': 'boolean'})
     permissions = ('rds:ModifyDBInstance',)
 
     def set_accessibility(self, r):
         client = local_session(self.manager.session_factory).client('rds')
         waiter = client.get_waiter('db_instance_available')
         waiter.wait(DBInstanceIdentifier=r['DBInstanceIdentifier'])
         client.modify_db_instance(
             DBInstanceIdentifier=r['DBInstanceIdentifier'],
             PubliclyAccessible=self.data.get('state', False))
 
 
     def process(self, rds):
         with self.executor_factory(max_workers=2) as w:
             futures = {w.submit(self.set_accessibility, r): r for r in rds}
             for f in as_completed(futures):
                 if f.exception():
                     self.log.error(
                         "Exception setting public access on %s  \n %s",
                         futures[f]['DBInstanceIdentifier'], f.exception())
         return rds

Security Hub integration

Cloud Custodian can be integrated with AWS Security Hub to send security findings and attempt remediation actions. For more information, see Announcing Cloud Custodian Integration with AWS Security Hub.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Automatically back up SAP HANA databases

Configure cross-account Amazon DynamoDB access