Control: AWS > PCI v3.2.1 > RDS > 1 RDS snapshots should prohibit public access
This control checks whether Amazon RDS DB snapshots prohibit access by other accounts. You should also ensure that access to the snapshot and permission to change Amazon RDS configuration is restricted to authorized principals only.
Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours. Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule.
Remediation
To remove public access for Amazon RDS Databases
- Open the Amazon RDS console.
- Navigate to Snapshots and then select the public snapshot you want to modify.
- From the Actions list, choose Share Snapshots.
- From DB snapshot visibility, choose Private.
- Under DB snapshot visibility, select for all.
- Choose Save.
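Because the AWS Config rule can lag by up to 12 hours, a direct check of the snapshot's `restore` attribute is a useful complement. The following is an added example, not Turbot or AWS code: it classifies the JSON returned by `aws rds describe-db-snapshot-attributes` and produces the CLI command equivalent to the console steps above. The snapshot identifiers and account ID are constructed sample values.

```python
import json
import shlex

def sample(snapshot_id, restore_values):
    """Build a constructed record in the shape returned by
    `aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>`."""
    return {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": snapshot_id,
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": restore_values}]}}

# Constructed sample data: identifiers and account ID are made up.
SAMPLE_RESULTS = [
    sample("orders-nightly", ["all"]),          # public: any account can restore
    sample("orders-shared", ["111122223333"]),  # shared with one named account
    sample("orders-private", []),               # private
]

def classify(result):
    """Return (snapshot_id, status, accounts) from one CLI result."""
    body = result["DBSnapshotAttributesResult"]
    values = []
    for attr in body.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            values = attr.get("AttributeValues", [])
    if "all" in values:
        status = "public"      # violates this control
    elif values:
        status = "shared"      # review: are these accounts authorized?
    else:
        status = "private"
    return body["DBSnapshotIdentifier"], status, [v for v in values if v != "all"]

def remediation_command(snapshot_id):
    """CLI equivalent of setting DB snapshot visibility to Private."""
    return ("aws rds modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {shlex.quote(snapshot_id)} "
            "--attribute-name restore --values-to-remove all")

def audit(results):
    findings = []
    for result in results:
        snapshot_id, status, accounts = classify(result)
        fix = remediation_command(snapshot_id) if status == "public" else None
        findings.append({"snapshot": snapshot_id, "status": status,
                         "accounts": accounts, "fix": fix})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESULTS):
        print(json.dumps(finding))
```

Snapshots reported as `shared` do not fail the public-access check but still warrant review against the list of authorized principals.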
PCI requirement(s): 1.2.1, 1.3.1, 1.3.4, 1.3.6, 7.2.1
Resource Types
This control targets the following resource types:
Developers
- Control Type URI: tmod:@turbot/aws-pciv3-2-1#/control/types/rdsDbSnapshotProhibitPublicAccess
- Category URI: tmod:@turbot/turbot#/control/categories/compliancePci
- Get Controls (CLI): turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/rdsDbSnapshotProhibitPublicAccess"