Skip to main content

Triage AWS RDS DB Instances should not be publicly accessible PUBLIC_ACCESS_NOT_DISABLED

  1. Configure AWS RDS DB Instances should not be publicly accessible
  2. Use Case for AWS RDS DB Instances should not be publicly accessible
  3. Triage Guides by Violation Type
    1. Triage AWS RDS DB Instances should not be publicly accessible PUBLIC_ACCESS_NOT_DISABLED

Why should I care about fixing this issue?

To get started on understanding why you should be cautious about enabling RDS public access, read our use-case page.

What is the data source for this policy?

This policy relies on a call to rds:DescribeDBInstances. If the response of the property PubliclyAccessible is true, then a violation is opened by the policy.

Does this policy scan on a schedule? If so, when?

No, it's triggered when changes to matching resources are detected.

How do I disable public access using AWS Console?

See the console instructions on Modifying an Amazon RDS DB instance.

In the Connectivity section, expand Additional configuration and select Not publicly accessible.

How do I disable public access using CloudFormation?

  1. On the AWS::RDS::DBInstance set PubliclyAccessible to false.

Here is a CloudFormation template example:

ExampleDBInstance:
Type: AWS::RDS::DBInstance
Properties:
# ...
PubliclyAccessible: false

How do I disable public access using Terraform?

  1. On the aws_db_instance set publicly_accessible to false.
resource "aws_db_instance" "example_db_instance" {
# ...
publicly_accessible = false
}

How do I disable public access using AWS CLI?

See the CLI instructions on Modifying an Amazon RDS DB instance.

Use modify-db-instance with the --no-publicly-accessible flag.

 aws \
rds modify-db-instance \
--db-instance-identifier database-1 \
+ --no-publicly-accessible

When is it appropriate to mark this violation as "by design"?

To get started on understanding why you should be cautious about enabling RDS public access, read our use-case page.