CRITICAL RDS

Public RDS instances

Check ID: aws-rds-001

AWS-RDS-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for RDS instances whose PubliclyAccessible attribute is set to true.

Why it matters

Publicly accessible RDS instances are reachable from any IP address on the internet when combined with permissive security groups. This is the most common database misconfiguration in AWS - Palo Alto Unit 42 found that 28% of cloud databases were publicly exposed in their 2024 Cloud Threat Report. Automated scanners like masscan discover exposed databases within hours and launch brute-force attacks against default credentials. The 2022 Flexbooker breach exposed 3.7 million customer records through a publicly accessible database. RDS instances should always be placed in private subnets with no internet-facing route, accessed only through application servers, VPN, or SSH tunnels.

Common causes

Public RDS instances are created when developers need database access from their local machines and set PubliclyAccessible to true as a quick workaround. CloudFormation and Terraform templates from tutorials often include publicly_accessible = true for simplicity, and teams copy them without modification. Database migrations from on-premises environments sometimes require temporary public access that becomes permanent when no one reverts the setting.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
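To show what the check evaluates, the following is an added example written for this page (it is not cloud-audit's implementation) that applies the aws-rds-001 condition to constructed API response data and, going one step further than the check itself, records whether an attached security group also opens the database port to 0.0.0.0/0 or ::/0, which is the combination described under "Why it matters". Instance identifiers, security group ids and the region are made-up sample values; with live data the same dict shapes come from boto3's rds.describe_db_instances() and ec2.describe_security_groups().

```python
# Constructed sample data shaped like boto3's rds.describe_db_instances()["DBInstances"]
# and ec2.describe_security_groups()["SecurityGroups"] (the latter keyed by group id here).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a"}]},
    {"DBInstanceIdentifier": "prod-reports", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0b"}]},
    {"DBInstanceIdentifier": "internal-cache", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a"}]},
]
SAMPLE_SECURITY_GROUPS = {
    "sg-0a": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0b": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                  "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
}


def port_open_to_world(sg: dict, port: int) -> bool:
    """True if an inbound rule of the group admits `port` from 0.0.0.0/0 or ::/0."""
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto not in ("-1", "tcp"):  # "-1" is the all-traffic rule and has no port range
            continue
        if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            continue
        if (any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
                or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))):
            return True
    return False


def evaluate(db_instances: list, security_groups: dict, region: str) -> list:
    """One finding per instance with PubliclyAccessible=true (the aws-rds-001 condition),
    annotated with whether an attached group also opens the DB port to the internet."""
    findings = []
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue
        name, port = db["DBInstanceIdentifier"], db["Endpoint"]["Port"]
        sg_ids = [g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])]
        findings.append({
            "check": "aws-rds-001", "db": name,
            "internet_reachable": any(port_open_to_world(security_groups.get(s, {}), port)
                                      for s in sg_ids),
            "remediation": f"aws rds modify-db-instance --db-instance-identifier {name} "
                           f"--no-publicly-accessible --apply-immediately --region {region}",
        })
    return findings
```

Running evaluate() on the sample data yields two findings: prod-orders is both public and reachable from any address, while prod-reports is public but its group only admits 10.0.0.0/8. Both still fail the check, since --no-publicly-accessible removes the public address but leaves the attached security groups untouched, so they deserve their own review.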

Remediation: AWS CLI

aws rds modify-db-instance --db-instance-identifier DB_ID --no-publicly-accessible --apply-immediately --region REGION

Remediation: Terraform

resource "aws_db_instance" "db" {
  # other arguments of the instance omitted; only the setting this check inspects is shown
  publicly_accessible = false  # the provider default; state it explicitly so drift is visible in review
}

This check is part of cloud-audit - install with pip install cloud-audit