Control: AWS > PCI v3.2.1 > RDS > 1 RDS snapshots should prohibit public access

This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only.

Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.

Remediation

To remove public access for Amazon RDS Databases

1. Open the Amazon RDS console. 2. Navigate to Snapshots and then select the public Snapshot you want to modify 3. From the Actions list, choose Share Snapshots 4. From DB snapshot visibility, choose Private 5. Under DB snapshot visibility, select for all 6. Choose Save

PCI requirement(s): 1.2.1, 1.3.1, 1.3.4, 1.3.6, 7.2.1

Resource Types

This control targets the following resource types:

Policies

This control type relies on these other policies when running actions:

AWS > PCI v3.2.1

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/rdsDbSnapshotProhibitPublicAccess

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/rdsDbSnapshotProhibitPublicAccess") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/rdsDbSnapshotProhibitPublicAccess'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/rdsDbSnapshotProhibitPublicAccess"