Logo of Trend Micro

Disable Public Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: AlibabaCloud-RDS-003

Ensure that your RDS database instances are configured to accept connections only from trusted networks (i.e. authorized IP addresses/IP address ranges) in order to protect against unapproved access.

Security

If the IP address allowlist configured for your RDS database instance allows unrestricted access (i.e. 0.0.0.0/0), all public IP addresses are allowed to establish a connection to your database instance and this can increase the opportunity for malicious activities such as brute-force attacks, SQL injection, and DDoS attacks. To protect against such attacks, ensure that your RDS database instances are configured to accept connections from trusted networks only.

Audit

To determine if your Alibaba Cloud RDS database instances are publicly accessible, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Whitelist and SecGroup to access the IP allowlist configured for the selected database instance.

06 Select the Whitelist Settings tab and click on the name of each IP allowlist available, to show the panel with the IP addresses/IP adress ranges authorized to access the database instance. If one or more IP allowlists contain 0.0.0.0/0 or /0, the selected RDS database instance selected is publicly accessible and prone to security risks.

07 Repeat steps no. 4 – 6 for each database instance provisioned in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each RDS database instance available within your Alibaba Cloud account: 

aliyun rds DescribeDBInstances
  --output cols=DBInstanceId

02 The command output should return a list with the requested database instance identifiers: 

DBInstanceId
------------
rm-abcd1234abcd1234
rm-1234abcd1234abcd

03 Run DescribeDBInstanceIPArrayList command (OSX/Linux/UNIX) with the name of the RDS database instance that you want to examine as the identifier parameter, to describe the IP address allowlists defined for the selected RDS instance: 

aliyun rds DescribeDBInstanceIPArrayList
  --DBInstanceId rm-abcd1234abcd1234
  --output cols=SecurityIPList

04 The command output should return the list with the IP addresses/IP adress ranges authorized to access the specified database instance: 

SecurityIPList
--------------
0.0.0.0/0,10.0.0.15/32,172.16.0.0/12

If the "SecurityIPList" attribute value contain 0.0.0.0/0 or /0, as shown in the example above, the selected RDS database instance selected is publicly accessible and prone to security risks.

05 Repeat steps no. 3 and 4 for each database instance provisioned within your Alibaba Cloud account.

Remediation / Resolution

To ensure that your RDS database instances are configured to accept connections only from trusted networks (i.e. authorized IP addresses/IP address ranges), perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Whitelist and SecGroup to access the IP allowlist configured for the selected database instance.

06 Select the Whitelist Settings tab, choose the IP allowlist that you want to configure, and select Modify.

07 In the Edit Whitelist configuration box, remove any instance of 0.0.0.0/0 from the IP Addresses section, enter the IP addresses/IP address ranges that are authorized to access the specified RDS instance, and choose OK to save the changes. To correctly add multiple IP addresses and CIDR blocks to an IP address allowlist, use commas (,) to separate them. Avoid adding spaces before or after the commas.

08 You can also choose Create Whitelist to create a new IP allowlist for the IP addresses/IP address ranges that are allowed to access the selected RDS instance. Provide a allowlist name and the list of the authorized IP addresses, then choose OK to save the changes.

09 Repeat steps no. 6 and 7 for each IP allowlist that you want to configure, available for the selected RDS database instance.

10 Repeat steps no. 4 – 9 for each RDS database instance available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ModifySecurityIps command (OSX/Linux/UNIX) with the --ModifyMode parameter set Delete to remove 0.0.0.0/0 from the IP allowlist configured for the selected RDS database instance: 

aliyun rds ModifySecurityIps
  --DBInstanceId rm-abcd1234abcd1234
  --SecurityIps "0.0.0.0/0"
  --ModifyMode Delete

02 If successful, the output should return the command request and task ID: 

{
	"TaskId": 100193560,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run ModifySecurityIps command (OSX/Linux/UNIX) with the --ModifyMode parameter set Append to add one or more authorized IP addresses/IP address ranges to the IP allowlist configured for the selected RDS instance. To add multiple IP addresses and CIDR blocks to an IP address allowlist, use commas (,) to separate them. Avoid adding spaces before or after the commas: 

aliyun rds ModifySecurityIps
  --DBInstanceId rm-abcd1234abcd1234
  --SecurityIps "10.15.1.0/24"
  --ModifyMode Append

04 The command output should return the command request and task ID: 

{
	"TaskId": 100193797,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

05 Repeat steps no. 1 - 4 for each RDS database instance available within your Alibaba Cloud account.

References

Publication date Feb 26, 2024

Related AlibabaCloud-RDS rules