AWS-019 Amazon Web Services (AWS)

No Security Group exposes database ports (3306/5432/1433/27017) to 0.0.0.0/0.

Domain: Amazon Web Services (AWS)
Area: Networking
Automated / manual: Automated

Risk if it fails

Direct DB exposure leads to data theft.

A database reachable from the internet can be connected to directly: an attacker can dump entire tables of customer records, passwords or financial data in minutes.

How Tess tests it

1 test — each concludes only on cited evidence.

No Security Group exposes database ports (3306/5432/1433/27017) to 0.0.0.0/0.

Mode: Automated
Procedure: Flag Security Group rules that open database ports to the internet.

Read-only command

aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]].{Id:GroupId,Perms:IpPermissions}"
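The command above lists every Security Group with any 0.0.0.0/0 ingress, so the database ports still have to be picked out of Perms. As an added example (not Tess's own code), the following Python applies the AWS-019 rule to the unprojected "SecurityGroups" list that `describe-security-groups` returns: it treats a port range such as 0-65535 or an all-traffic ("-1") rule as covering the database ports, and, going beyond the page, also treats ::/0 as internet-wide. The sample groups are constructed, not real output.

```python
# Database ports named in AWS-019.
DB_PORTS = {3306, 5432, 1433, 27017}
# 0.0.0.0/0 is the CIDR the check names; "::/0" is added here as its IPv6 equivalent.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def db_ports_covered(perm):
    """DB ports an IpPermissions entry reaches. "-1" means all traffic (no ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(DB_PORTS)
    if proto not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    # FromPort..ToPort is a range, so 0-65535 covers 3306 as surely as 3306-3306 does.
    return sorted(p for p in DB_PORTS if lo <= p <= hi)

def is_world_open(perm):
    """True if the rule's source includes the whole internet (v4 or v6)."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)

def find_exposed_db_rules(security_groups):
    """Return (GroupId, ports) for every rule that opens a DB port to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if is_world_open(perm):
                ports = db_ports_covered(perm)
                if ports:
                    findings.append((sg["GroupId"], ports))
    return findings

# Constructed sample in the shape of the "SecurityGroups" list the CLI returns; not real output.
SAMPLE_SGS = [
    {"GroupId": "sg-db-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
        "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-traffic", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    print(find_exposed_db_rules(SAMPLE_SGS))
```

Only sg-db-open and sg-all-traffic are reported; the group that allows 5432 from 10.0.0.0/8 passes the check.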
