Preventing Public Accessibility on DB Instances
When to Enable Public Accessibility
To enhance the security of AWS RDS and DB instances, they should not have public accessibility enabled. Restricting unauthorized access will minimize the risk of compromise to your DB instances. To accomplish this and prevent public accessibility, your organization can utilize IAM policies and security groups.
Transcription
Restriction of access to RDS instances is a critical part of your AWS security posture. The organization should restrict access using a combination of both Identity and Access Management policies as well as security groups. Restriction of access to EC2 instance internal connections as well as using IAM policies to restrict access to the RDS control panel will help you, as an organization, ensure that you have appropriately protected your RDS deployments.
Related Videos
Basic Tools for AWS Security
Cloud Attacks on the Rise
Do All Keys Have Resources Attached?
Enable Role Based Access Control (RBAC) for Azure Key Vault
Encrypt Kubernetes Secrets Using Keys
Encrypting Traffic In and Out of AWS
Encryption Decisions for Your Technology Stack
Encryption Opportunities
Encryption for EBS Volumes
Encryption for S3 Buckets
Enforce Separation of Duties When Assigning KMS Related Roles
Enforcing Strong TLS Ciphers
Ensure KMS Cryptokeys Are Not Publicly Accessible
Ensure Use of CMKs for Unattached Disks' (CMK)
Ensure that Virtual Hard Disks Are Encrypted
Ensure that an Expiration Date Is Set for All Keys in Non-RBAC Key Vaults
Ensure that an Expiration Date Is Set for All Secrets in Non-RBAC Key Vaults
Ensure the Key Vault Is Recoverable
Events that Drive Key Rotation
FAQs for Amazon S3 Security
How to Configure Encryption for EBS Volumes on Existing EC2 Instances
How to Configure Encryption for EBS Volumes on New EC2 Instances
How to Configure Encryption for RDS
How to Configure Encryption for S3 Buckets
Install Endpoint Protection for All Virtual Machines
Introduction to Amazon Inspector
Key Rotation and Management
Load Balancers Must Require TLS 1.2
Only Install Company-Approved Extensions on Your Virtual Machines
PCI Requirement 3.1 - Keep Cardholder Data Storage to a Minimum
PCI Requirement 3.2 - Do Not Store Sensitive Authentication Data After Authorization
PCI Requirement 3.3 Mask PAN when Displayed
PCI Requirement 3.4 Render PAN Unreadable Anywhere it Is Stored
PCI Requirement 3.4.1 Logical Access Management
PCI Requirement 3.5 Document & Implement Procedures to Protect Keys
PCI Requirement 3.5.1 Maintain a Documented Description of The Cryptographic Architecture
PCI Requirement 3.5.2 Restrict Access to Cryptographic Keys
PCI Requirement 3.5.3 Store Secret and Private Keys Used to Encrypt/Decrypt Cardholder Data
PCI Requirement 3.5.4 Store Cryptographic Keys in The Fewest Possible Locations
PCI Requirement 3.6 Document & Implement all Key-Management Processes & Procedures
PCI Requirement 3.6.1 Generation of Strong Cryptographic Keys
PCI Requirement 3.6.2 Secure Cryptographic Key Distribution
PCI Requirement 3.6.3 Secure Cryptographic Key Storage
PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion
PCI Requirement 3.6.5 Replacing Weakened Keys
PCI Requirement 3.6.6 Using Split Knowledge & Dual Control
PCI Requirement 3.6.7 Prevention of Unauthorized Substitution of Cryptographic Keys
PCI Requirement 3.6.8 Key-Custodian Responsibilities
PCI Requirement 3.7 Security Policies & Operational Procedures
PCI Requirement 4.1 – Use Strong Cryptography & Security Protocols to Safeguard Sensitive CHD
PCI Requirement 4.1.1 – Ensure Wireless Network Transmitting CHD Use Strong Encryption
PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties
PCI Requirements 3.2.1, 3.2.2, & 3.2.3 Do Not Store Tracks, Codes, or PINs After Authorization
Re-Keying for Decryption
Requirement 4 - Encrypt Transmission of Cardholder Data Across Open, Public Networks
Requirement 4.2 – Never Send Unprotected PAN by End-User Technologies
Rotate KMS Encryption Keys Regularly
Route 53 Support for DNSSEC
Set Expiration Date for All Keys in RBAC Key Vaults
Set Expiration Date for All Secrets In RBAC Key Vaults
Take Advantage of Automatic Key Rotation within Azure Key Vault
The AWS Shared Responsibility Model
Use CMEK To Secure GKE Storage
Using AWS KMS
Using Prowler to Evaluate AWS Security
Using S3 Versioning
Using TLS 1.2 to Encrypt Data in Transit
