NEW: Vulnerability and Assessment Scanning for Your AWS Cloud Databases

Scuba-RDS-feature-header-image

Scuba is a free and easy-to-use tool that uncovers hidden security risks. Scuba is frequently updated with content from Imperva’s Defense Center researchers.

With Scuba you can:

  • Scan enterprise databases for vulnerabilities and misconfigurations
  • Identify risks to your databases
  • Get recommendations on how to mitigate identified issues

Available for Windows, Mac, and Linux, Scuba offers over 2,300 assessment tests for Oracle, Microsoft SQL, SAP Sybase, IBM DB2 and MySQL.

  Available now – scanning of Amazon Web Services (AWS) databases

The challenges of applying security standards to cloud databases

Today, with cloud adoption growing, networks are becoming complicated and organizations are facing higher database security risks. Most organizations deploy their computing resources in a hybrid architecture – they have databases both in local networks and in the cloud.

Scuba can scan a cloud database with direct access to the database or without it (using an SSH Tunnel – see below).

Challenge #1 – Access to cloud databases

A CISO or a security admin needs access to cloud accounts containing databases. Sometimes organizations will use multiple cloud vendors. However, databases should not be exposed to the internet nor the company network which makes scanning a cloud database for vulnerabilities a problem. The cloud option added to Scuba will help you overcome this problem, regardless of whether your databases are hosted on AWS EC2 or AWS RDS.

Challenge #2 – Managed cloud databases are a different beast

In many cases, cloud databases are managed by the cloud vendor. For example, AWS offers RDS (Relational Database Service), which is a managed service for databases. Using a managed service makes it easier to install and maintain a database. However, security assessment can be more challenging in such databases, since they are sealed by the vendors. For example it might not be possible to access a system schema to determine if a database is vulnerable or not.

Now adjustments have now been made in the security content of Scuba, making it possible to scan RDS databases.

Scuba release for cloud databases – version 3.0.2.13

How to scan RDS (Amazon Relational Database Service) instances

Scuba supports the following databases:

  • Oracle
  • Microsoft SQL
  • MySQL

We made required permission adjustments to the Scuba user guide to include RDS scanning. Before you scan an RDS instance, please make sure to create a dedicated user for the scan according to the guide.

TIP: If your scan resulted in CVE vulnerabilities, it means your database is missing a security patch. We recommend that you enable the automatic minor version upgrade, as follows:

Figure 1: How to enable automatic minor version upgrade of an RDS instance

 

Scanning a cloud database without an SSH Tunnel (direct access)

A cloud database can be configured with the following network access options, without the need of an SSH tunnel:

  • Public address – everyone can access the DB (not recommended) as in Figure 2
  • Network peering (VPN to VPC peering) – a PC connected to the company network can access the database
  • Run Scuba on a cloud instance – remotely connect to a remote instance as in Figure 3 (for example by using Windows remote desktop connection. See AWS documentation for more info)

Figure 2: Scuba access to an RDS instance with public IP address (not recommended)

Figure 3: Scuba access to an RDS instance using Windows Remote Desktop

 

 

Scanning a cloud database using an SSH Tunnel

If the database is not accessible by the client running Scuba you can use the “Cloud (SSH Tunnel)” option added to Scuba (Figure 5).

You can scan the database using a Bastion server which you may know as a Jump server that is especially designed to withstand attacks. You can use an existing Bastion server, or create a dedicated one for the scan. The scan will be done using an SSH (secure shell) tunnel, through the Bastion server, to the scanned database (Figure 4).

Figure 4: Scuba access to an RDS instance using a Bastion server

 

You can run a scan with a single click by entering:

  • The Bastion details, including SSH credentials
  • The database credentials

As follows:

Figure 5: New cloud scanning configuration in Scuba

For more info on how to use SSH tunnel or create your own Bastion server please refer to the Scuba user guide.

Summary

The adoption of cloud makes it harder to apply security standards on databases and is often a lower priority for security teams. Cloud databases should not be ignored since they are as vulnerable as any other database. Scuba can now help you scan your cloud databases to identify and mitigate your risks.

For more information please contact us @ support-scuba@imperva.com.