AWSOverview
Overview
In AWS, security groups can filter the traffic based on the security group of the source. Ideally, the security groups you use for your RDS instances only allow traffic originating from the application layer, which in most cases can be identified by certain security groups.
Remediation guidance
AWS remediation
Allow RDS access only from application security groups.
Console
- Open RDS instance security groups.
- Remove broad CIDR ingress for DB ports.
- Add inbound rules from application security group IDs only.
AWS CLI
aws ec2 authorize-security-group-ingress --group-id <db-sg-id> --protocol tcp --port <db-port> --source-group <app-sg-id>
aws ec2 revoke-security-group-ingress --group-id <db-sg-id> --protocol tcp --port <db-port> --cidr 0.0.0.0/0
References
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html
- https://docs.aws.amazon.com/cli/latest/reference/ec2/
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
RDS Instances accept traffic only from the Application Servers
Connectors
Covered asset types
Expected check: eq []
{ dbInstances(where: {securityGroups_SOME: {rules_SOME: {direction: "Inbound", OR: [{destToPort_NOT_IN: [3306, 5432, 1521, 1433, 27017]}, {OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}]}}}) {...AssetFragment}}
