turbot/alicloud_compliance
Loading controls...

Control: 6.2 Ensure that RDS Instances are not open to the world

Description

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.

Through the management console

From Console

  1. Logon to RDS Console.
  2. In the upper left corner, select the region where the target instance is located.
  3. Locate the target instance and click its ID.
  4. In the left-side navigation pane, click Data Security to visit the Security page.
  5. On the Whitelist Settings tab page, follow below instructions based on your scenario:
    • To access the RDS instance from an ECS instance located within a VPC, click Edit for the default VPC whitelist.
    • To access the RDS instance from an ECS instance located within a classic network, click Edit for the default Classic Network whitelist.
    • To access the RDS instance from a server or computer located in a public network, click Edit for the default Classic Network whitelist.
  6. In the displayed Edit Whitelist dialog box, remove any 0.0.0.0 or /0 entries, and only add the IP addresses that need to access the instance, and then click OK.
    • If you add an IP address range, such as 10.10.10.0/24, any IP address in 10.10.10.X format can access the RDS instance.
    • If you add multiple IP addresses or IP address ranges, separate them with a comma (without spaces), for example, 192.168.0.1,172.16.213.9.
    • You can click Add Internal IP Addresses of ECS Instance to display the IP addresses of all the ECS instances under your Alibaba Cloud account and add to the whitelist.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_6_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_6_2 --share

SQL

This control uses a named query:

rds_instance_restrict_access_to_internet

Tags