I'm looking to perform a Nessus scan on an RDS instance that resides in a different AWS account, specifically via PrivateLink. I want to avoid using Transit Gateway to minimize the surface area between different environments. My initial plan was to set up the following: Nessus on EC2 -> VPC Endpoint -> PrivateLink to the RDS account -> VPC Endpoint Service -> NLB -> RDS. However, I learned that RDS can't be targeted by an NLB. Would using an RDS Proxy resolve this issue? If so, would the setup be like this: Nessus -> VPC Endpoint -> PrivateLink to the RDS account -> VPC Endpoint Service -> NLB -> RDS Proxy -> RDS?
4 Answers
You might want to check out this resource: https://aws.amazon.com/blogs/database/access-amazon-rds-across-aws-accounts-using-aws-privatelink-network-load-balancer-and-amazon-rds-proxy/. It outlines how to securely access RDS across accounts using PrivateLink.
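The piece of that chain that the question actually trips over is the NLB target: since an RDS instance cannot be an NLB target, the target group has to be an IP target group whose members are the private addresses the RDS Proxy endpoint resolves to. Below is an added example (my own, not code from the question or from the linked AWS blog post) that resolves the proxy endpoint, diffs the result against what the target group already holds, and emits the register/deregister calls in the shape boto3's ELBv2 client takes. The port (5432, PostgreSQL), the endpoint name, the ARN and the sample addresses are assumptions for illustration only.

```python
"""
Added example, not from the original post or the AWS blog it links to.

Assumed path: Nessus EC2 -> VPC endpoint -> PrivateLink -> endpoint service
-> NLB (IP target group) -> RDS Proxy -> RDS. The NLB targets are the
private IPs behind the proxy's endpoint DNS name; this keeps them in sync.
"""
from __future__ import annotations

import socket
from typing import Callable, Iterable, Optional

DB_PORT = 5432  # assumption: PostgreSQL engine family; 3306 for MySQL


def resolve_proxy_ips(proxy_endpoint: str,
                      resolver: Optional[Callable[[str], Iterable[str]]] = None) -> set[str]:
    """Return the IPv4 addresses the RDS Proxy endpoint currently resolves to.

    A resolver can be injected for offline use. The default uses the host's
    DNS, which only makes sense from inside the proxy's VPC because the
    endpoint name resolves to private addresses.
    """
    if resolver is not None:
        return set(resolver(proxy_endpoint))
    infos = socket.getaddrinfo(proxy_endpoint, DB_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def plan_target_changes(resolved_ips: set[str], registered_ips: set[str],
                        port: int = DB_PORT) -> tuple[list[dict], list[dict]]:
    """Diff resolved addresses against registered targets.

    Returns (to_register, to_deregister), each a list in the `Targets=`
    shape that elbv2.register_targets / deregister_targets accept.
    """
    to_register = [{"Id": ip, "Port": port} for ip in sorted(resolved_ips - registered_ips)]
    to_deregister = [{"Id": ip, "Port": port} for ip in sorted(registered_ips - resolved_ips)]
    return to_register, to_deregister


def reconcile_target_group(target_group_arn: str, proxy_endpoint: str, elbv2=None,
                           resolver: Optional[Callable[[str], Iterable[str]]] = None):
    """Apply the plan to a real target group.

    `elbv2` is a boto3 ELBv2 client (or any object with the same three
    methods); it is created lazily so the module imports without boto3.
    """
    if elbv2 is None:
        import boto3  # needs AWS credentials and in-VPC DNS to be useful
        elbv2 = boto3.client("elbv2")
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    registered = {d["Target"]["Id"] for d in health["TargetHealthDescriptions"]}
    to_register, to_deregister = plan_target_changes(
        resolve_proxy_ips(proxy_endpoint, resolver), registered)
    if to_register:
        elbv2.register_targets(TargetGroupArn=target_group_arn, Targets=to_register)
    if to_deregister:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn, Targets=to_deregister)
    return to_register, to_deregister


# Constructed sample, not real infrastructure: the proxy now resolves to two
# addresses while the target group still holds one stale one from a past run.
SAMPLE_RESOLVED = {"10.20.1.15", "10.20.2.27"}
SAMPLE_REGISTERED = {"10.20.1.15", "10.20.2.9"}

if __name__ == "__main__":
    reg, dereg = plan_target_changes(SAMPLE_RESOLVED, SAMPLE_REGISTERED)
    print("register:", reg)
    print("deregister:", dereg)
```

Run it from a host in the database account's VPC (or a Lambda there) on a schedule, or wire it to whatever you already use to react to proxy changes, and the NLB keeps following the proxy instead of going dark on a stale address. On the PrivateLink side, keep the exposure small: set the endpoint service to require acceptance and list only the scanning account as an allowed principal, and let the proxy's security group admit only the NLB's subnets on the database port so nothing else in that account can reach it through the same listener.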
It's interesting that you're planning a vulnerability scan on RDS since it's managed by AWS already. Have you considered if that's necessary? AWS usually handles those security measures for you.
For your setup, definitely consider using an RDS Proxy to facilitate your scanning. It could help route the traffic properly. Also, be cautious and make sure this aligns with your compliance requirements since you’re scanning AWS-managed infrastructure.
Creating an NLB and a PrivateLink just for a Nessus scan on an AWS-managed RDS resource seems pretty extreme, but I kinda dig it! If you want to go ahead, it's worth checking AWS documentation, especially their recent blog posts on this topic.
