RDS Instance is Publicly Accessible

Overview

Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), anyone on the Internet can establish a connection to your database, which increases the opportunity for malicious activity such as brute-force attacks, PostgreSQL injections, or DoS/DDoS attacks.

Remediation

To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.

See the RDS user guide for more information, and follow this guide to migrate the RDS instance to a VPC without direct internet access.
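As an added example (not part of this page or of any vendor tool), the following Python implements the check this rule describes over the response shapes of boto3's describe_db_instances and describe_security_groups, using constructed sample data so it runs offline: an instance is flagged only when its PubliclyAccessible flag is true and an attached VPC security group admits 0.0.0.0/0 or ::/0 on the endpoint port, which is exactly the pair of settings the remediation above tells you to change.

```python
"""Flag RDS instances reachable from the Internet: PubliclyAccessible is true and an
attached VPC security group admits 0.0.0.0/0 or ::/0 on the database port."""
WORLD = {"0.0.0.0/0", "::/0"}

def world_open_cidrs(sg, port):
    """CIDRs in security group `sg` that let the whole Internet reach `port`."""
    found = []
    for rule in sg.get("IpPermissions", []):
        all_traffic = rule.get("IpProtocol") == "-1"  # "-1" means every protocol and port
        if not all_traffic and not rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1):
            continue
        found += [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] in WORLD]
        found += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] in WORLD]
    return found

def find_public_rds(db_instances, security_groups):
    """Map DBInstanceIdentifier -> offending CIDRs. Inputs follow the shape of boto3
    describe_db_instances()["DBInstances"] and describe_security_groups()["SecurityGroups"]."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = {}
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue  # endpoint has no public IP, so an open SG rule is not Internet-reachable
        cidrs = []
        for attached in db.get("VpcSecurityGroups", []):
            sg = sg_by_id.get(attached["VpcSecurityGroupId"])
            if sg is not None and attached.get("Status", "active") == "active":
                cidrs += world_open_cidrs(sg, db["Endpoint"]["Port"])
        if cidrs:
            findings[db["DBInstanceIdentifier"]] = sorted(set(cidrs))
    return findings

SAMPLE_SGS = [  # constructed sample data, not from a real account
    {"GroupId": "sg-0open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0corp", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_DBS = [  # public + open SG (finding), private + open SG (ok), public + corp-only SG (ok)
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0open", "Status": "active"}]},
    {"DBInstanceIdentifier": "ledger-db", "PubliclyAccessible": False, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0open", "Status": "active"}]},
    {"DBInstanceIdentifier": "hr-db", "PubliclyAccessible": True, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0corp", "Status": "active"}]},
]

if __name__ == "__main__":
    print(find_public_rds(SAMPLE_DBS, SAMPLE_SGS))  # {'orders-db': ['0.0.0.0/0', '::/0']}
```

Against a live account, feed it the DBInstances and SecurityGroups lists returned by the two boto3 calls named in the docstring; the private instance sharing the open group is intentionally not reported, since only the public endpoint makes that rule reachable.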

Vendor

AWS

Cloud Service

RDS

CIS AWS v1.5.0 2.3.3, RDS.2

References

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html
https://aws.amazon.com/rds/faqs/

Severity

4

Item Types

AWS::RDS::DBInstance