Ensure that your Amazon RDS instances use the dedicated data-tier security group, so that network access to their databases is controlled by a group scoped to that tier. This conformity rule assumes that all AWS resources provisioned for your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> is the tag name and <data_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the data-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
Network access to your managed data tier must be tightly controlled through the security group created specifically for the AWS resources in that tier.
Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> placeholders in the conformity rule content with the tag name and value you created for the data tier.
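The check this rule describes, written here as an added example (not Cloud Conformity's own code) that runs offline over constructed data shaped like `aws rds describe-db-instances` output. The tag name `Tier`, tag value `data`, the security group IDs and the database identifiers are all assumed placeholders; it also goes one step beyond the rule and reports extra groups attached next to the data-tier one.

```python
# Offline check modelled on this rule: every RDS instance carrying the
# data-tier tag must have the dedicated data-tier security group attached.
# Tag name/value and the group ID below are assumptions, not page values.
DATA_TIER_TAG = "Tier"             # stands in for <data_tier_tag>
DATA_TIER_TAG_VALUE = "data"       # stands in for <data_tier_tag_value>
DATA_TIER_SG_ID = "sg-0data0tier"  # assumed ID of the dedicated data-tier SG

# Constructed sample in the DBInstances shape returned by describe-db-instances.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db",   # compliant
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0data0tier", "Status": "active"}],
     "TagList": [{"Key": "Tier", "Value": "data"}]},
    {"DBInstanceIdentifier": "billing-db",  # data-tier, but wrong group
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0web0tier", "Status": "active"}],
     "TagList": [{"Key": "Tier", "Value": "data"}]},
    {"DBInstanceIdentifier": "analytics-db",  # data-tier group plus a shared one
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0data0tier", "Status": "active"},
                           {"VpcSecurityGroupId": "sg-0default00", "Status": "active"}],
     "TagList": [{"Key": "Tier", "Value": "data"}]},
    {"DBInstanceIdentifier": "web-cache-db",  # not in the data tier: out of scope
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0web0tier", "Status": "active"}],
     "TagList": [{"Key": "Tier", "Value": "web"}]},
]

def is_data_tier(instance):
    """True when the instance carries <data_tier_tag>:<data_tier_tag_value>."""
    return any(t["Key"] == DATA_TIER_TAG and t["Value"] == DATA_TIER_TAG_VALUE
               for t in instance.get("TagList", []))

def find_noncompliant(instances, data_tier_sg_id=DATA_TIER_SG_ID):
    """Map each data-tier instance that fails the check to a reason string.
    A missing data-tier group is the rule's finding; extra groups are reported
    too, since they widen network access to the tier."""
    findings = {}
    for inst in instances:
        if not is_data_tier(inst):
            continue
        active = {g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])
                  if g.get("Status") == "active"}
        if data_tier_sg_id not in active:
            findings[inst["DBInstanceIdentifier"]] = "data-tier security group not attached"
        elif len(active) > 1:
            extra = sorted(active - {data_tier_sg_id})
            findings[inst["DBInstanceIdentifier"]] = f"additional groups attached: {extra}"
    return findings

if __name__ == "__main__":
    for db, reason in find_noncompliant(SAMPLE_DB_INSTANCES).items():
        print(f"{db}: {reason}")
```

In a live account the same function can be fed the `DBInstances` list from `describe-db-instances`, with tags taken from `list-tags-for-resource` where an older response lacks `TagList`.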
Audit
To determine if your data-tier RDS instances are configured to use the security group created for the same tier, perform the following:
Remediation / Resolution
To reconfigure your Amazon RDS database instances in order to use the data-tier security group, perform the following actions:
References
- AWS Documentation
  - Security Groups for Your VPC
  - Amazon EC2 Security Groups for Linux Instances
  - Modifying an Amazon RDS DB Instance and Using the Apply Immediately Parameter
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - rds
    - describe-db-instances
    - list-tags-for-resource
    - modify-db-instance
Use Data-Tier Security Group for RDS Databases
Risk Level: Medium