TL;DR
Your AWS RDS MySQL database is publicly accessible, which is a major security risk. This guide will walk you through the steps to restrict access using Security Groups and Network ACLs, ensuring only authorized connections can reach your database.
Steps to Secure Your Database
- Identify the Publicly Accessible Security Group:
- Go to the AWS RDS console.
- Select your MySQL DB instance.
- In the ‘Connectivity & security’ tab, find the ‘VPC security groups’. Note the name of the security group associated with your database.
- Navigate to the EC2 console and select ‘Security Groups’ under ‘Network & Security’.
- Find the security group you identified in step 1.
- Edit the inbound rules of this security group.
- Remove any rule that allows access from `0.0.0.0/0` or `::/0`. These allow all IPs to connect.
- Add specific IP addresses or CIDR blocks that should have access. For example, your office IP address (e.g.,
203.0.113.0/24) or the IP of a jump box server. - Ensure you allow SSH access from trusted IPs if needed for maintenance.
- Navigate to the VPC console and select ‘Network ACLs’.
- Identify the network ACL associated with the subnet your RDS instance is in.
- Check both inbound and outbound rules.
- Ensure that inbound rules allow traffic on port 3306 (MySQL default) only from the security group you modified earlier or specific trusted IPs. Outbound rules should generally allow all traffic, but review for any unexpected restrictions.
- From a machine with an allowed IP address, attempt to connect to your database using a MySQL client (e.g.,
mysql -h -u -p). - From a machine with a blocked IP address, verify that the connection is refused.
- For enhanced security, especially if you need to access your database from other VPCs, consider using AWS PrivateLink. This creates a private endpoint within your VPC, eliminating public internet exposure.
- Enable RDS enhanced monitoring for detailed performance metrics.
- Configure audit logging to track database activity and identify potential security breaches.
By following these steps, you significantly improve the cyber security of your AWS RDS MySQL database by restricting access to authorized sources only.