Improper authorization control for web services - RDS

Description

Some RDS instances can be publicly accessible, which can compromise the stored information.

Impact

Obtain confidential information from the database.

Recommendation

Ensure that the relational databases are accessible only by authenticated and authorized users and roles.

Threat

Anonymous attacker on the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 5.3
    • Temporal: 4.8
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

All sensitive resources are safely configured with restricted access

resource "aws_rds_cluster_instance" "cluster_instances" {
  count               = 2
  publicly_accessible = false
  identifier          = "aurora-cluster-demo-${count.index}"
  cluster_identifier  = aws_rds_cluster.default.id
  instance_class      = "db.r4.large"
  engine              = aws_rds_cluster.default.engine
  engine_version      = aws_rds_cluster.default.engine_version
}

The resource is securely encrypted

Resources:
  RDSCluster1:
    Properties:
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName:
        Ref: DBSubnetGroup
      Engine: aurora
      MasterUserPassword:
        Ref: password
      MasterUsername:
        Ref: username
      StorageEncrypted: true
    Type: "AWS::RDS::DBCluster"

Non-compliant code

There is a publicly accessible sensitive resource

resource "aws_rds_cluster_instance" "cluster_instances" {
  count               = 2
  publicly_accessible = true
  identifier          = "aurora-cluster-demo-${count.index}"
  cluster_identifier  = aws_rds_cluster.default.id
  instance_class      = "db.r4.large"
  engine              = aws_rds_cluster.default.engine
  engine_version      = aws_rds_cluster.default.engine_version
}

Insecure encryption settings

Resources:
  RDSCluster:
    Properties:
      DBClusterParameterGroupName:
        Ref: RDSDBClusterParameterGroup
      DBSubnetGroupName:
        Ref: DBSubnetGroup
      Engine: aurora
      MasterUserPassword:
        Ref: password
      MasterUsername:
        Ref: username
      StorageEncrypted: false
    Type: "AWS::RDS::DBCluster"

Using the AWS CLI, the following commands check whether an RDS instance is publicly accessible:

$ aws rds describe-db-instances \
    --region us-east-1 \
    --db-instance-identifier mysql-production-db \
    --query 'DBInstances[*].PubliclyAccessible'
$ aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-ids {sg_id} \
    --query 'SecurityGroups[*].IpPermissions'

If the first command returns True, and the security group associated with the instance (second command) has an inbound rule allowing the 0.0.0.0/0 CIDR, the RDS instance is publicly accessible and insecure.
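The two-step check above can be automated over the JSON output of those same commands. The script below is an added example and is not part of the original page: the JSON documents are constructed sample output in the shape that `describe-db-instances` and `describe-security-groups` return (trimmed to the fields the check reads), the security group ids are placeholders, and the check generalizes the page's condition slightly by also treating `::/0` and an all-protocols (`-1`) rule as world-open, and by only counting rules that actually reach the database port.

```python
import ipaddress
import json

# Constructed sample output of `aws rds describe-db-instances`
# (assumed shape, trimmed to the fields this check reads; placeholder ids).
DESCRIBE_DB_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "mysql-production-db", "Engine": "mysql",
   "PubliclyAccessible": true, "Endpoint": {"Port": 3306},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000example0001", "Status": "active"}]},
  {"DBInstanceIdentifier": "reporting-replica", "Engine": "postgres",
   "PubliclyAccessible": false, "Endpoint": {"Port": 5432},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000example0001", "Status": "active"}]},
  {"DBInstanceIdentifier": "internal-tooling", "Engine": "postgres",
   "PubliclyAccessible": true, "Endpoint": {"Port": 5432},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000example0002", "Status": "active"}]}
]}
""")

# Constructed sample output of `aws ec2 describe-security-groups` (placeholder ids).
SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000example0001", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000example0002", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]}
]}
""")


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_cidrs(rule):
    """Return the IPv4/IPv6 ranges in `rule` that cover the whole Internet (/0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def open_ingress_sources(sg, port):
    """World-open sources in security group `sg` whose rules reach `port`."""
    sources = []
    for rule in sg.get("IpPermissions", []):
        if rule_covers_port(rule, port):
            sources.extend(world_open_cidrs(rule))
    return sources


def find_exposed_instances(describe_db, describe_sgs):
    """Apply the page's check: PubliclyAccessible is True AND an attached
    security group allows inbound traffic to the DB port from 0.0.0.0/0 (or ::/0)."""
    sgs = {g["GroupId"]: g for g in describe_sgs["SecurityGroups"]}
    findings = []
    for db in describe_db["DBInstances"]:
        if not db.get("PubliclyAccessible"):
            continue  # first command would return False: no public endpoint
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            sg = sgs.get(ref["VpcSecurityGroupId"])
            if sg is None:
                continue  # group not in the captured output; nothing to judge
            sources = open_ingress_sources(sg, port)
            if sources:
                findings.append({
                    "instance": db["DBInstanceIdentifier"],
                    "port": port,
                    "security_group": sg["GroupId"],
                    "open_to": sources,
                })
    return findings


if __name__ == "__main__":
    for f in find_exposed_instances(DESCRIBE_DB_INSTANCES, SECURITY_GROUPS):
        print(f"{f['instance']}: port {f['port']} reachable from {f['open_to']} via {f['security_group']}")
```

Only `mysql-production-db` is reported: `reporting-replica` fails the first condition (no public endpoint), and `internal-tooling` has a public endpoint but its group admits only an internal /16, so it fails the second. Both conditions together are what the page calls publicly accessible and insecure.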

Requirements