
Amazon RDS: How can I limit RDS instance access to AWS Lambda functions and to my computer?

I am developing a REST API with AWS Lambda, API Gateway and Amazon RDS (MySQL). I am using AWS SAM to do the configurations and all.

I created the database by visiting the Amazon website's RDS section. It is working fine as expected. I also managed to deploy the Lambda functions and get them connected with the database.

My database is set to Publicly Accessible = Yes

But, I noticed the database is open to the whole world. See the below images.

[Image: Security Group Rules]

[Image: Inside the default security group]

Well, this looks scary; I have no security.

In terms of database security, what I need is this:

  1. All of my Lambda functions can access the database
  2. MySQL Workbench can access the database
  3. I test this locally, so I may need to run the lambda locally and connect to RDS

In case you need it, below is my template.yaml file:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  abcd-restapi

  Sample SAM Template for abcd-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: abcd-restapi
      Handler: com.abcd.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get

What should I do to remove the "whole world free access" and implement the access I mentioned above?

-----------UPDATE----------

This is my security group now, after following John's advice. But Lambda can't access the database; MySQL Workbench can.

[Image: DB security group inbound rules]

[Image: Lambda-SG security group]


Solution

  • If your Amazon RDS database is in a public subnet and is set to Publicly Accessible = Yes, then you can use Security Groups to control access to the database server.

    • Put a Security Group on the Lambda functions (Lambda-SG) with default "Allow All Outbound" settings
    • Put a Security Group on the RDS database (DB-SG) with Inbound rules that permit access on port 3306 (MySQL) from Lambda-SG. That is, DB-SG specifically references Lambda-SG.
    • Add your own public IP address to DB-SG Inbound rules to allow access on port 3306 (MySQL).

    While a publicly-accessible database is not ideal from a security perspective, the Security Group will help you limit access to the server. The database server will also require authentication to connect to the database, which is an additional layer of security.

    Private Subnet vs Public Subnet

    From The layered defense approach to security - IBM Documentation:

    Using a layered approach when you plan your Internet security strategy ensures that an attacker who penetrates one layer of defense will be stopped by a subsequent layer.

    Resources in a private subnet are not accessible from the Internet. This is an important concept used in all corporate networks. It introduces additional hurdles for legitimate users (e.g. requiring VPN connections or connections via a Bastion server), but is worthwhile when considering the security of your resources.

    The benefit of using a public subnet is purely to make access simpler for you. However, it also makes access simpler for unauthorized users by removing a layer of security. Yes, Security Groups are a firewall that can limit access, but it might be misconfigured or permit too much access. This is your choice to make, based on your risk appetite.

    The more secure method would be to put your database in a private subnet. Then, if you need to access the database from outside the VPC you would need to use a VPN connection or use Port Forwarding through a Bastion server (with a private keypair used for authentication).
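The three bullet points in the answer (Lambda-SG with default outbound, DB-SG that references Lambda-SG on 3306, plus your own public IP) can be expressed directly in the SAM template instead of being clicked together in the console. The template below is an added example written for this page; it is not the poster's template.yaml and not the answerer's configuration. It assumes three input parameters that are not in the original (VpcId, SubnetIds and MyPublicIp), uses the resource names LambdaSG and DbSG, and assumes the existing RDS instance is attached to DbSG separately (see the note after the block). The part that most often trips people up, and that matches the symptom in the UPDATE (Workbench connects, Lambda does not), is VpcConfig: a function without VpcConfig runs outside your VPC and carries no security group at all, so a DB-SG rule whose source is Lambda-SG can never match its traffic.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Lambda + RDS (MySQL) locked down with security groups (added example, not the original template)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id              # assumption: the VPC the RDS instance lives in
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>     # assumption: subnets in that VPC where Lambda may place its ENIs
  MyPublicIp:
    Type: String                         # assumption: your workstation's public IP as a /32, e.g. 203.0.113.10/32
    AllowedPattern: '^\d{1,3}(\.\d{1,3}){3}/32$'
    ConstraintDescription: must be a single IPv4 address in CIDR /32 form

Globals:
  Function:
    Timeout: 100

Resources:
  # Lambda-SG: attached to the functions. No ingress rules at all (nothing needs to
  # connect *to* a Lambda ENI). No SecurityGroupEgress block means CloudFormation
  # keeps the default "allow all outbound", which is what the answer recommends.
  LambdaSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda functions of abcd-restapi (outbound only)
      VpcId: !Ref VpcId

  # DB-SG: attached to the RDS instance. Only two inbound rules, both on 3306:
  #   1. anything carrying Lambda-SG  -> requirement 1 (all Lambda functions)
  #   2. your workstation's /32       -> requirements 2 and 3 (Workbench, sam local)
  # No 0.0.0.0/0 rule anywhere, so the "whole world" access is gone.
  DbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS MySQL, reachable from Lambda-SG and my workstation only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref LambdaSG
          Description: MySQL from Lambda functions (Lambda-SG)
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: !Ref MyPublicIp
          Description: MySQL from my workstation (Workbench / sam local)

  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: abcd-restapi
      Handler: com.abcd.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      # Without VpcConfig the function has no ENI in your VPC and therefore no
      # security group, so the SourceSecurityGroupId rule in DbSG never matches.
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSG
        SubnetIds: !Ref SubnetIds
      Policies:
        # The execution role must be allowed to create/delete the ENIs that
        # VpcConfig needs; this AWS managed policy grants exactly that.
        - AWSLambdaVPCAccessExecutionRole
      Events:
        GetAccountTypes:
          Type: Api
          Properties:
            Path: /accounttype
            Method: get

Outputs:
  DbSecurityGroupId:
    Description: Attach this group to the RDS instance (replace the default group)
    Value: !Ref DbSG
```

Because the RDS instance in the question was created in the console rather than in the template, the stack only creates DbSG; attach it to the instance afterwards with Modify in the RDS console or with `aws rds modify-db-instance --db-instance-identifier <your-db> --vpc-security-group-ids <DbSecurityGroupId output>`, and remove the default group from the instance at the same time. Two checks worth doing once it is deployed: `aws ec2 describe-security-groups --group-ids <DbSecurityGroupId>` should list no 0.0.0.0/0 entry, and the function's configuration should show the Lambda-SG ID and your subnets under VpcConfig. Two caveats a practitioner should know: inside the VPC the RDS endpoint name resolves to the instance's private address, so the SG-to-SG rule applies even though the instance is marked publicly accessible; and a function placed in a VPC no longer has direct internet access, so if it ever needs to call an external API you will need a NAT gateway in the subnets you chose.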