Leadline Inc.
Control Requirements

LS-05: Direct Database Access Restrictions

Restrict direct access to in-scope databases based on job function

Control Description

Direct access to the in-scope databases is restricted to appropriate users based on job function.

Plain Meaning

This control requires that only users who need direct database access for their job responsibilities can access the databases. This prevents unauthorized access and ensures that database access is limited to those who actually need it to perform their work.


AWS RDS Database Instance Configuration

Database Hosting Strategy

Our production databases are hosted in private subnets within our AWS VPC architecture, so no database instance has a route to or from the public internet. Access is possible only from resources inside the VPC that the security groups explicitly permit, which gives several independent layers of protection against unauthorized access.

Network Isolation

  • Private Subnets: All production databases are deployed in private subnets (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24)
  • No Public Access: The RDS "publicly accessible" setting is disabled, so instances receive no public IP address and their endpoints resolve only to private VPC addresses
  • Private Subnet Placement: The database subnets have no route to an internet gateway, so no connection can be initiated from the internet
  • Security Group Restrictions: Strict security groups allow the database port only from explicitly authorized resources (the bastion host's security group), not from CIDR ranges

VPC Architecture Integration

Our database infrastructure integrates with the VPC architecture detailed in COM-06, utilizing:

  • Private Subnets: Dedicated subnets for database instances
  • NAT Gateway: Outbound-only internet access for other resources in the private subnets (for example, patch downloads); the RDS instances themselves need no outbound internet path, because AWS applies engine patches within the service
  • No Internet Gateway Route: The database subnets' route tables carry no route to the VPC's internet gateway, so nothing on the internet can initiate a connection to them (the NAT gateway itself lives in a public subnet and relies on the VPC's internet gateway, so the isolation is enforced per route table rather than by the VPC lacking an internet gateway)
  • Route Table Isolation: Separate route tables for database subnets

Access Control Implementation

Single Person Access Policy

We implement a single person access policy for direct database access, ensuring that only one authorized individual has the ability to connect directly to production databases.

Database Security Configuration

RDS Security Settings

  • Publicly Accessible: Disabled (no public IP is assigned and the endpoint is not reachable from outside the VPC)
  • VPC Security Groups: Restrictive ingress rules on the database port only
  • Subnet Group: DB subnet group containing only the isolated private subnets
  • Encryption at Rest: Storage encryption enabled for all database instances
  • Backup Encryption: All automated backups and snapshots encrypted with KMS keys

Network Security

  • No Public IP: Database instances have no public IP addresses
  • Private DNS: The RDS endpoint resolves only to a private VPC address, so the hostname is useless from outside the VPC
  • VPN Access: A client must first be connected to the VPC (over VPN) before it can reach a database endpoint
  • Bastion Host: When direct access is needed, the connection is made from a dedicated jump host whose security group is the only source the database security group accepts
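The settings above can be verified rather than asserted. The following audit script is an added example, not Leadline's own tooling: it evaluates the dictionary shapes returned by `aws rds describe-db-instances`, `aws ec2 describe-security-groups` and `aws ec2 describe-subnets` (boto3 returns the same keys) against the LS-05 requirements (publicly accessible disabled, storage encrypted, every subnet in the DB subnet group inside one of the three documented CIDRs, and ingress on the database port allowed only from the bastion security group). The subnet and security-group ids and the bastion group id are assumed values, and the sample data at the bottom is constructed.

```python
"""Audit RDS instance descriptions against the LS-05 isolation settings.

Added example, not Leadline's own tooling. Input shapes match the AWS CLI /
boto3 output for describe-db-instances, describe-security-groups and
describe-subnets. All ids below are assumed; sample data is constructed.
"""
import ipaddress

# The three private database subnets named in the control.
PRIVATE_DB_CIDRS = [ipaddress.ip_network(c) for c in
                    ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]
# Assumed: the bastion host's security group, the only permitted source.
ALLOWED_SOURCE_SGS = {"sg-0bastion0000000001"}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry reaches TCP `port` (or allows all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_instance(db, security_groups, subnet_cidrs):
    """Return a list of findings for one DB instance; an empty list means compliant.

    security_groups: group id -> describe-security-groups entry
    subnet_cidrs:    subnet id -> CidrBlock taken from describe-subnets
    """
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible is enabled")
    if not db.get("StorageEncrypted"):
        findings.append("storage encryption is disabled")

    # Every subnet in the DB subnet group must lie inside a documented private CIDR.
    for sub in db["DBSubnetGroup"]["Subnets"]:
        sid = sub["SubnetIdentifier"]
        cidr = subnet_cidrs.get(sid)
        if cidr is None or not any(ipaddress.ip_network(cidr).subnet_of(p)
                                   for p in PRIVATE_DB_CIDRS):
            findings.append(f"subnet {sid} ({cidr}) is outside the private DB subnets")

    # Ingress on the DB port may come only from the bastion's security group;
    # any CIDR-based source (even an internal one) is reported.
    port = db["Endpoint"]["Port"]
    for ref in db["VpcSecurityGroups"]:
        if ref.get("Status") != "active":
            continue
        sg_id = ref["VpcSecurityGroupId"]
        for perm in security_groups[sg_id].get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for rng in perm.get("IpRanges", []):
                findings.append(f"{sg_id} allows {rng['CidrIp']} to port {port}")
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"{sg_id} allows {rng['CidrIpv6']} to port {port}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in ALLOWED_SOURCE_SGS:
                    findings.append(f"{sg_id} allows {pair['GroupId']} to port {port}")
    return findings


# ---- constructed sample data (all ids are assumed) ----
SUBNET_CIDRS = {"subnet-0aaa": "10.0.1.0/24",
                "subnet-0bbb": "10.0.2.0/24",
                "subnet-0pub": "10.0.100.0/24"}   # a public subnet, not a DB subnet

SECURITY_GROUPS = {
    "sg-0db000000000000001": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion0000000001"}]}]},
    "sg-0db000000000000002": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
}

COMPLIANT_DB = {
    "DBInstanceIdentifier": "prod-db-1", "PubliclyAccessible": False,
    "StorageEncrypted": True, "Endpoint": {"Port": 5432},
    "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-0aaa"},
                                  {"SubnetIdentifier": "subnet-0bbb"}]},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db000000000000001", "Status": "active"}],
}
DRIFTED_DB = {   # public, one subnet outside the DB CIDRs, port open to the world
    "DBInstanceIdentifier": "prod-db-2", "PubliclyAccessible": True,
    "StorageEncrypted": True, "Endpoint": {"Port": 5432},
    "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-0aaa"},
                                  {"SubnetIdentifier": "subnet-0pub"}]},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db000000000000002", "Status": "active"}],
}

if __name__ == "__main__":
    for db in (COMPLIANT_DB, DRIFTED_DB):
        result = audit_db_instance(db, SECURITY_GROUPS, SUBNET_CIDRS)
        print(db["DBInstanceIdentifier"], result or "compliant")
```

Against real output, load the three API responses into the same shapes (the DB subnet group only lists subnet ids, which is why the subnet CIDRs come from a separate describe-subnets call) and treat any non-empty finding list as a deviation from LS-05 to be raised with the control owner.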

Access Activity Monitoring

CloudTrail Event History
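CloudTrail records every API call that could undo the isolation settings described above, so the event history is where drift from LS-05 is detected. The scanner below is an added example, not Leadline's own monitoring code: it walks a CloudTrail log object and flags the calls that make an RDS instance publicly accessible, swap its security groups, or open a database port to the whole internet. It relies on the documented CloudTrail record shape (lower-camel-case `requestParameters` keys, EC2 lists wrapped as `{"items": [...]}`); the account id, principal names and resource ids in the sample records are constructed.

```python
"""Flag CloudTrail records that would weaken the LS-05 isolation settings.

Added example, not Leadline's own monitoring. Record shapes follow the
CloudTrail format (requestParameters in lower camel case; EC2 lists wrapped
as {"items": [...]}). The sample records below are constructed.
"""

DB_PORTS = {3306, 5432}   # MySQL/Aurora and PostgreSQL listener ports


def _items(node):
    """EC2 request parameters wrap lists as {"items": [...]}; tolerate None."""
    return (node or {}).get("items", [])


def evaluate_event(ev):
    """Return a finding string for one record, or None if it is benign for LS-05."""
    name = ev.get("eventName")
    params = ev.get("requestParameters") or {}
    actor = ev.get("userIdentity", {}).get("arn", "unknown")

    # RDS: creating or modifying an instance with PubliclyAccessible=true.
    if name in ("CreateDBInstance", "ModifyDBInstance") and params.get("publiclyAccessible") is True:
        return f"{name} by {actor}: {params.get('dBInstanceIdentifier')} made publicly accessible"
    # RDS: replacing the security groups attached to an instance.
    if name == "ModifyDBInstance" and "vpcSecurityGroupIds" in params:
        return f"{name} by {actor}: security groups changed on {params.get('dBInstanceIdentifier')}"
    # EC2: adding an ingress rule that exposes a DB port to 0.0.0.0/0 or ::/0.
    if name == "AuthorizeSecurityGroupIngress":
        for perm in _items(params.get("ipPermissions")):
            proto = perm.get("ipProtocol")
            if proto == "tcp":
                lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
                if not any(lo <= p <= hi for p in DB_PORTS):
                    continue
            elif proto != "-1":     # "-1" is the all-protocols rule
                continue
            open_v4 = [r["cidrIp"] for r in _items(perm.get("ipRanges"))
                       if r.get("cidrIp") == "0.0.0.0/0"]
            open_v6 = [r["cidrIpv6"] for r in _items(perm.get("ipv6Ranges"))
                       if r.get("cidrIpv6") == "::/0"]
            if open_v4 or open_v6:
                return (f"{name} by {actor}: {params.get('groupId')} opened a DB port to "
                        + ", ".join(open_v4 + open_v6))
    return None


def scan_trail(trail):
    """Run evaluate_event over a CloudTrail log object of the form {"Records": [...]}."""
    return [f for f in (evaluate_event(r) for r in trail.get("Records", [])) if f]


# ---- constructed sample records (ids and principals are assumed) ----
SAMPLE_TRAIL = {"Records": [
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db-1",
                           "publiclyAccessible": True, "applyImmediately": True}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0db000000000000001",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci"},
     "requestParameters": {"groupId": "sg-0web000000000000001",     # HTTPS, not a DB port
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": None},
]}

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_TRAIL):
        print(finding)
```

Fed a real trail export, the two findings this produces for the sample (the instance made public and the database security group opened to 0.0.0.0/0) are the events that should page the control owner; the HTTPS rule and the read-only describe call are ignored. The `userIdentity.arn` carried in each finding is what ties the change back to the single authorized individual named in the access policy above.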

  • LS-04: External user account management
  • LS-14: Administrative access restrictions
  • LS-22: Manager approval for access requests