Amazon Relational Database Service (RDS) makes hosting a database much easier, but it presents some new challenges when you try to run automated benchmark or compliance scans against it. When it comes to the continuous monitoring requirement for FedRAMP, many of our clients run into issues setting up their Nessus scanner, and one of the most consistent reasons we hear is “I can’t scan RDS, there’s no actual host there, just a database in the cloud.” It is true that if you run a discovery scan of the AWS subnet that holds the RDS endpoints you’ll get back zero live hosts. However, not all is lost. Today we’ll review the steps needed to configure a Nessus policy that runs compliance benchmarks against an RDS database.
You’ll need two pieces of information before configuring the Nessus scan: the RDS endpoint (hostname or IP address) together with its port, and a database username/password. The first can be found in the AWS console under RDS -> Databases -> Database_name; note the port shown there as well, since it isn’t always the engine default. The second should be stored in a trusted password manager and hopefully not in an Excel sheet on your desktop. The master user will work, but a dedicated read-only scan account with only the privileges the audit needs is the least-privilege option; check the prerequisites of the audit file you plan to use for the exact grants.
With this information in-hand, head over to your Nessus management page and configure a new “Advanced Scan” policy.
The first thing we need to do is strip out the “vulnerability” scan part of the policy. Under Settings -> Discovery -> Host Discovery, DISABLE ping (the “Ping the remote host” option). This is the number one issue we see with CSPs and their scans: RDS instances won’t respond to an ICMP ping even if a security group that allows it has been attached to the instance. By default Nessus pings first and skips any IP that doesn’t answer, so the RDS endpoint never gets scanned. We’re not setting up a discovery scan, so turn this off.
Next, browse to the “Port Scanning” page right below “Host Discovery” and modify the port scan range. Replace the value “default” with the port your database is listening on (the engine defaults are 3306 for MySQL, 1433 for MSSQL, 5432 for Postgres and 1521 for Oracle, but use the port from the RDS console if the instance was created with a custom one). If one policy will cover several engines, list the ports comma-separated, e.g. 3306,5432. Again, this isn’t a vulnerability or discovery scan but a targeted compliance scan; there’s no need to let Nessus probe several thousand other ports that won’t be open.
Next, we’ll configure our scan credentials and benchmarks. Under the “Credentials” tab add a Database credential: pick the database type that matches your engine, then enter the username, password and port (Oracle also asks for the SID or service name, and SQL Server for the instance name and authentication type).
Under the “Compliance” tab, pick your benchmark. Today we’ll be using the MySQL 5.7 CIS Level 1 audit, but any of the CIS or STIG database benchmarks will run against RDS endpoints. One caveat: Nessus only has a SQL connection here, not a shell on the host, so benchmark items that inspect the operating system (data directory and configuration file permissions, for example) can’t be verified this way. Review those items separately rather than reading an error or warning on them as a pass.
And you’re done! Save the policy and head over to create a new scan. Nothing special on this side: simply pick your policy, add your endpoint addresses and scan away. The one remaining requirement is network reachability: the scanner still needs a TCP path to the endpoint on the database port, so either run it inside the VPC (or a peered VPC) and allow its security group or IP in the RDS instance’s inbound rules, or, less ideally, make the endpoint publicly accessible and allow the scanner’s public IP. If the scan comes back empty, a failed TCP connection to the database port from the scanner host is the first thing to rule out.
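Because ping tells you nothing about an RDS endpoint, the useful pre-flight check before building the policy is “does the endpoint resolve from the scanner’s network, and can the scanner open a TCP connection to the database port?”. The script below is an added example written for this post, not Nessus or AWS tooling: it runs that TCP check for each target, applies the engine default ports listed above when no port is given, and builds the comma-separated value to paste into the policy’s port scan range. The endpoint names in the sample run are constructed placeholders.

```python
"""Pre-flight check for a Nessus compliance scan of RDS endpoints.

Added example (not part of the original post or of any Tenable/AWS tool).
RDS drops ICMP, so instead of pinging we resolve the endpoint and try a
TCP connect to the database port from the scanner host.  Run this from
the machine (or network) the Nessus scanner lives on.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, Optional

# Engine default listener ports, as listed in the post.
DEFAULT_PORTS = {"mysql": 3306, "mssql": 1433, "postgres": 5432, "oracle": 1521}


@dataclass
class Target:
    endpoint: str            # RDS endpoint hostname (or IP)
    engine: str              # one of DEFAULT_PORTS' keys
    port: Optional[int] = None  # explicit port from the RDS console; None = engine default


def effective_port(t: Target) -> int:
    """Port the scan must use: the explicit one if set, else the engine default."""
    if t.port is not None:
        return t.port
    try:
        return DEFAULT_PORTS[t.engine.lower()]
    except KeyError:
        raise ValueError(f"unknown engine {t.engine!r}; set Target.port explicitly") from None


def port_range(targets: Iterable[Target]) -> str:
    """Value for the Nessus 'Port scan range' field covering every target:
    comma-separated, sorted and de-duplicated (e.g. '3306,5432')."""
    return ",".join(str(p) for p in sorted({effective_port(t) for t in targets}))


def resolve(host: str) -> Optional[str]:
    """First IPv4/IPv6 address the endpoint resolves to, or None if DNS fails
    (a common symptom when the scanner sits outside the VPC's resolver)."""
    try:
        return socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds.
    Connection refused, timeout and DNS failure all return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def precheck(t: Target, timeout: float = 3.0) -> dict:
    """One row of the pre-flight report for a target."""
    port = effective_port(t)
    ip = resolve(t.endpoint)
    return {
        "endpoint": t.endpoint,
        "port": port,
        "resolved_ip": ip,
        "tcp_open": ip is not None and tcp_reachable(t.endpoint, port, timeout),
    }


if __name__ == "__main__":
    # Constructed sample targets; substitute your own endpoints from the RDS console.
    targets = [
        Target("app-db.abc123xyz.us-east-1.rds.amazonaws.com", "mysql"),
        Target("reports.abc123xyz.us-east-1.rds.amazonaws.com", "postgres", port=5433),
    ]
    print("Nessus port scan range:", port_range(targets))
    for t in targets:
        row = precheck(t)
        status = "OK" if row["tcp_open"] else "UNREACHABLE (check security group / VPC path)"
        print(f"{row['endpoint']}:{row['port']} -> {row['resolved_ip']} {status}")
```

A target that resolves but reports UNREACHABLE almost always means the scanner’s IP or security group isn’t in the instance’s inbound rules, or the scanner isn’t inside (or peered with) the VPC; fix that before spending time on the policy itself.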