🟠 CIS AWS 5.1 | Rule: AWS-RDS-001 | Severity: critical

Ensure RDS instances are not publicly accessible

Description

RDS database instances should not be publicly accessible from the internet.

⚠️ Risk Impact

Public RDS instances expose databases to brute-force attacks, SQL injection from any source, and unauthorized data access.

🔍 How EchelonGraph Detects This

AWS-RDS-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Modify the RDS instance to disable public access:

aws rds modify-db-instance --db-instance-identifier INSTANCE --no-publicly-accessible

💀 Real-World Attack Scenario

An RDS MySQL instance with public accessibility was discovered through Shodan. The attacker used a timing-based SQL injection to extract the user table, then escalated to database admin via a MySQL privilege escalation bug. They installed a backdoor stored procedure that emailed account data to an external address every 24 hours.

💰 Cost of Non-Compliance

Public database breaches cost on average $4.88M. PCI DSS non-compliance for public CDE database: $5K-$100K/month in fines. HIPAA violations for public ePHI database: up to $1.9M/year.

📋 Audit Questions

  1. Which RDS instances have 'Publicly Accessible' set to Yes?
  2. Do any security groups for RDS allow 0.0.0.0/0?
  3. Are RDS instances in private subnets?
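The three audit questions above, expressed as checks over data shaped like the boto3 describe_db_instances and describe_security_groups responses. This is an added example, not EchelonGraph's scanner code: the instance, security-group and public-subnet records are constructed samples, and the public-subnet set stands in for a route-table lookup that would normally be done first.

```python
"""AWS-RDS-001 checks over constructed, boto3-shaped records (no AWS calls made)."""
from ipaddress import ip_network

# Constructed sample of describe_db_instances() output, trimmed to the keys used.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db"}],
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-a"}]}},
    {"DBInstanceIdentifier": "prod-reports", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0priv"}],
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-b"}]}},
]
# Constructed sample of describe_security_groups() output, keyed by group id.
SECURITY_GROUPS = {
    "sg-0db": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-0priv": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                    "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
}
# Subnets whose route table sends 0.0.0.0/0 to an internet gateway; assumed to be
# derived from describe_route_tables() beforehand (constructed here).
PUBLIC_SUBNETS = {"subnet-a"}

def rule_covers_port(rule, port):
    # IpProtocol "-1" means all traffic; otherwise the rule carries a port range.
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def open_to_world(rule):
    # A /0 prefix in either address family means "any source".
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def evaluate(db, security_groups=SECURITY_GROUPS, public_subnets=PUBLIC_SUBNETS):
    """Return the AWS-RDS-001 findings for one instance (empty list = compliant)."""
    findings, port = [], db["Endpoint"]["Port"]
    if db.get("PubliclyAccessible"):                    # audit question 1
        findings.append("PubliclyAccessible=true")
    for sg in db.get("VpcSecurityGroups", []):          # audit question 2
        sg_id = sg["VpcSecurityGroupId"]
        for rule in security_groups.get(sg_id, {}).get("IpPermissions", []):
            if rule_covers_port(rule, port) and open_to_world(rule):
                findings.append(f"{sg_id} allows any source on port {port}")
    for sn in db.get("DBSubnetGroup", {}).get("Subnets", []):   # audit question 3
        if sn["SubnetIdentifier"] in public_subnets:
            findings.append(f"{sn['SubnetIdentifier']} is a public subnet")
    return findings
```

An instance passes only when all three lists stay empty; a false PubliclyAccessible flag alone does not clear the subnet or security-group checks.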

🎯 MITRE ATT&CK Mapping

T1190 — Exploit Public-Facing Application
T1505.001 — SQL Stored Procedures

🏗️ Infrastructure as Code Fix

main.tf
resource "aws_db_instance" "main" {
  engine                 = "mysql"          # placeholder engine/size/credentials so the resource is valid
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "admin"
  manage_master_user_password = true        # master password generated and stored by RDS, not in code
  publicly_accessible    = false            # no public IP on the endpoint
  db_subnet_group_name   = aws_db_subnet_group.private.name   # subnets with no internet gateway route
  vpc_security_group_ids = [aws_security_group.db.id]        # ingress limited to the app's security group
}

⚡ Common Pitfalls

  • Setting Publicly Accessible to false but placing the instance in a public subnet
  • Using default VPC (has public subnet routing) for RDS instances
  • Not reviewing RDS instances in non-production regions

📈 Business Value

Private-only RDS instances eliminate the entire class of internet-facing database attacks. Combined with IAM database authentication, this gives the highest level of database access security.

⏱️ Effort Estimate

Manual

2-4 hours per instance to migrate to private subnets

With EchelonGraph

EchelonGraph detects public RDS instances across all accounts and regions

🔗 Cross-Framework References

SOC2-CC6.6 | ISO27001-A.13.1.3 | PCI-1.3.6

Automate CIS AWS 5.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
