RDS instance ‘Publicly Accessible’ should not be enabled

Description

A publicly accessible RDS instance is given a public IP address and a DNS name that resolves to it, so any AWS user or anonymous user on the internet can reach the database endpoint and attempt to access the data it holds. RDS instances should not be publicly accessible.

Remediation Steps

AWS Console

  • Navigate to RDS.

  • In the left navigation, select Databases.

  • Select RDS instance that you want to edit.

  • In Connectivity & security, within Public accessibility section, select No.

  • Click Continue.

  • In Scheduling of modifications, select whether you want to apply the modifications during the next scheduled maintenance window or apply them immediately.

  • Click Modify DB Instance.

AWS CLI

  • Disable ‘Publicly Accessible’ for the RDS instance (Linux, macOS, or Unix). Replace mydbinstance with the identifier of the instance; --no-apply-immediately defers the change to the next maintenance window, and --apply-immediately applies it now:

    aws rds modify-db-instance \
        --db-instance-identifier mydbinstance \
        --no-publicly-accessible \
        --no-apply-immediately

  • Disable ‘Publicly Accessible’ for the RDS instance (Windows):

    aws rds modify-db-instance ^
        --db-instance-identifier mydbinstance ^
        --no-publicly-accessible ^
        --no-apply-immediately
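To find every instance in an account that still has the flag set, the output of aws rds describe-db-instances can be audited offline. The script below is an added example, not part of the original guidance; it reads the describe-db-instances JSON from stdin, reports each publicly accessible instance and prints the matching modify-db-instance command from the steps above. The embedded response is a constructed sample with fictitious identifiers and endpoints.

```python
"""Audit 'aws rds describe-db-instances' JSON for publicly accessible instances.

Usage: aws rds describe-db-instances --output json | python rds_public_audit.py
With no piped input the constructed SAMPLE_RESPONSE below is used instead.
"""
import json
import sys

# Constructed sample in the shape of the real describe-db-instances response
# (identifiers and endpoints are fictitious); one instance is non-compliant.
SAMPLE_RESPONSE = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "PubliclyAccessible": True,
         "Endpoint": {"Address": "orders-prod.abc123.us-east-1.rds.amazonaws.com", "Port": 5432}},
        {"DBInstanceIdentifier": "reports-internal", "Engine": "mysql",
         "PubliclyAccessible": False,
         "Endpoint": {"Address": "reports-internal.abc123.us-east-1.rds.amazonaws.com", "Port": 3306}},
    ]
})


def find_public_instances(describe_json: str) -> list:
    """Return the DBInstances entries whose PubliclyAccessible flag is true."""
    data = json.loads(describe_json)
    return [db for db in data.get("DBInstances", []) if db.get("PubliclyAccessible") is True]


def remediation_command(identifier: str, apply_immediately: bool = False) -> str:
    """Build the modify-db-instance command from the remediation steps.

    The default mirrors the page's --no-apply-immediately (wait for the next
    maintenance window); pass apply_immediately=True to change it right away.
    """
    timing = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return (f"aws rds modify-db-instance --db-instance-identifier {identifier} "
            f"--no-publicly-accessible {timing}")


def main(describe_json: str) -> int:
    """Print findings and return 1 if any instance is non-compliant, else 0."""
    offenders = find_public_instances(describe_json)
    for db in offenders:
        ep = db.get("Endpoint", {})
        print(f"NON-COMPLIANT {db['DBInstanceIdentifier']} ({db.get('Engine')}) "
              f"reachable at {ep.get('Address')}:{ep.get('Port')}")
        print("  fix:", remediation_command(db["DBInstanceIdentifier"]))
    return 1 if offenders else 0


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(main(raw if raw.strip() else SAMPLE_RESPONSE))
```

The non-zero exit status lets the check fail a CI job or scheduled compliance run; the printed command is only a suggestion and must be reviewed before it is executed against production instances.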

Terraform

  • Ensure that the publicly_accessible argument of the aws_db_instance resource is set to false. The argument is a boolean and defaults to false when omitted, so only an explicit true value makes the instance public.

Example Configuration

resource "aws_db_instance" "example" {
  publicly_accessible = false
  # other required fields here
}