AWS IAM Permissions Guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/


Amazon Relational Database Service (RDS)

IAM-RDS-1
Guardrail: Check for separation of duties between administration of KMS keys and the ability to perform cryptographic operations with those keys.
Rationale: Enabling encryption at rest for Amazon RDS or Amazon Aurora does not require the database administrator to hold kms:Encrypt or kms:Decrypt permissions; RDS calls KMS on the administrator's behalf. An over-privileged database administrator who can both administer the database and use the KMS key directly could decrypt encrypted database artifacts, such as backups, outside of RDS.
Remediation: Separate database administration from access to the KMS keys. Create a Key Administrator role limited to key management actions (Create, Describe, List, Get) that cannot call Encrypt or Decrypt. Grant the Encrypt, Decrypt and CreateGrant actions to the RDS service only, by conditioning them on the kms:CallerAccount and kms:ViaService condition keys.
References:
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account
https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
Policy: KMS key policy and IAM policy.
IAM-RDS-2
Guardrail: Check that only encrypted RDS or Aurora storage is allowed.
Rationale: Allowing databases to be created only with encryption at rest is a preventive control. If unencrypted databases can be created, additional detective controls are needed, and an existing unencrypted database cannot be switched to encryption in place: converting it later means a snapshot, an encrypted copy and a restore, with the associated maintenance effort and downtime.
Remediation: Specify the rds:StorageEncrypted condition key on the rds:Create* IAM actions (rds:CreateDBInstance and rds:CreateDBCluster) so that a request is allowed only when StorageEncrypted is true.
References: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html#amazonrds-rds_StorageEncrypted
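An IAM policy that applies this condition key, added here as a worked example and not taken from the guardrails project. The Allow statement is what a database-creation role would carry; the Deny statement is the form to put in a service control policy, since SCPs cannot grant and a Deny also overrides any other Allow the principal has.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreatingOnlyEncryptedDatabases",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "rds:StorageEncrypted": "true" }
      }
    },
    {
      "Sid": "DenyUnencryptedDatabaseCreation",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "rds:StorageEncrypted": "false" }
      }
    }
  ]
}
```

One caveat: a Bool condition on a key that is absent from the request evaluates to false. The Allow statement therefore refuses any create request that does not carry rds:StorageEncrypted at all, while the Deny statement lets such a request through. The StorageEncrypted parameter is a cluster property for Aurora rather than an instance property, so test the creation of Aurora instances into an existing cluster in a non-production account before rolling either statement out as an SCP. Also note that the key only governs Create* calls; restoring an unencrypted snapshot is covered by other controls.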
IAM-RDS-3
Guardrail: Check that only authorized principals can restore a database from a snapshot or backup.
Rationale: A principal that can restore a database controls the restored copy. The RestoreDBInstanceFromS3 and RestoreDBClusterFromS3 API calls take the master user password as a request parameter, so an unauthorized principal can restore the data into a new instance with a master password of their choosing, log in as the master user and read everything. This is a data exfiltration path that does not touch the production database or its credentials.
Remediation: Scope rds:RestoreDBInstanceFromS3 and rds:RestoreDBClusterFromS3 to authorized principals only. In environments with sensitive data, the authorized principals would typically be limited to automation roles and break-glass roles.
References:
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBClusterFromS3.html
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html
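A service control policy that scopes the restore actions this way, added here as a worked example and not taken from the guardrails project. The account ID 111122223333 and the role names RDSRestoreAutomation and BreakGlassDBA are placeholders. It goes beyond the two S3 restore actions named in the remediation and also covers the snapshot and point-in-time restore actions, because each of those likewise produces a copy of the data under the caller's control.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDatabaseRestoreExceptAuthorizedRoles",
      "Effect": "Deny",
      "Action": [
        "rds:RestoreDBInstanceFromS3",
        "rds:RestoreDBClusterFromS3",
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:RestoreDBInstanceToPointInTime",
        "rds:RestoreDBClusterToPointInTime"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/RDSRestoreAutomation",
            "arn:aws:iam::111122223333:role/BreakGlassDBA"
          ]
        }
      }
    }
  ]
}
```

aws:PrincipalArn carries the role ARN even when the caller is an assumed-role session, so the two listed roles match regardless of session name. The Deny applies to every other principal in the account, including administrators, which is the point of a preventive guardrail; the authorized roles still need their own Allow for these actions, and the break-glass role should be protected by MFA and alerted on when assumed.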