
RDS instance is not publicly accessible



Secure your RDS instance, so it is not publicly accessible.


Unrestricted access to your RDS instance lets anyone on the internet open a connection to your database endpoint. That exposes the database to credential brute-force attacks, DoS/DDoS against the listener, and direct exploitation of the database engine if a credential is weak or the engine is unpatched; none of these require going through your application at all.


From the command line

  1. Run the modify-db-instance command to make the instance not publicly accessible. Changes to this setting take effect immediately, regardless of the --apply-immediately flag, so any client that relied on the public endpoint will lose connectivity.

    aws rds modify-db-instance \
        --region INSERT_DB_INSTANCE_REGION \
        --db-instance-identifier INSERT_DB_INSTANCE_NAME \
        --no-publicly-accessible
  2. Run the revoke-security-group-ingress command to remove the rule that lets any IPv4 address connect to the database port. INSERT_SECURITY_GROUP_ID is one of the groups listed under VpcSecurityGroups for the instance. A revoke must match the existing rule exactly, so use the protocol and port range the rule actually carries; 3306 is shown for MySQL and MariaDB, whereas PostgreSQL listens on 5432, SQL Server on 1433 and Oracle on 1521 by default.

    aws ec2 revoke-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr 0.0.0.0/0
  3. For IPv6, run the same command as in step 2 but describe the rule with the --ip-permissions option, because --cidr only accepts IPv4 ranges; the source to revoke is ::/0. Refer to the aws-cli documentation for revoke-security-group-ingress for the option's syntax.

  4. After removing the 0.0.0.0/0 and ::/0 CIDR ranges from ingress, add back only the sources that genuinely need access using the authorize-security-group-ingress command: a CIDR range limited to your application subnets, or preferably the application tier's own security group via --source-group instead of --cidr. Until a replacement rule exists, the database is unreachable from the application as well.

    aws ec2 authorize-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr INSERT_TRUSTED_CIDR
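The four steps above are typed against one instance at a time and assume you already know which security group and which port are involved. The following script ties them together and is added here as an example; it is not part of the original page and not Datadog's or AWS's own tooling. It reads the PubliclyAccessible flag and the endpoint port from describe-db-instances, fetches the attached security groups, reports every ingress rule that opens that port to 0.0.0.0/0 or ::/0, and prints (without executing) the exact modify-db-instance and revoke-security-group-ingress commands, using --ip-permissions so the IPv6 case and rules with a wider port range are handled. The SAMPLE_INSTANCE and SAMPLE_GROUPS documents are constructed to mirror the CLI's JSON output, and the helper names (rule_covers_port, open_rules, revoke_permission, assess) are this example's own.

```python
# Added example: audit one RDS instance for public exposure and print the
# remediation commands. Not Datadog's or AWS's code; helper names are this
# example's own. SAMPLE_INSTANCE / SAMPLE_GROUPS are constructed to mirror
# the JSON that describe-db-instances and describe-security-groups return.
import json
import shlex
import subprocess
import sys

WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`.
    IpProtocol "-1" means every protocol and carries no port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def open_rules(security_group, port):
    """Ingress rules of one group that expose `port` to the whole internet."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
        v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
        if v4 or v6:
            findings.append({"GroupId": security_group["GroupId"], "IpProtocol": rule["IpProtocol"],
                             "FromPort": rule.get("FromPort"), "ToPort": rule.get("ToPort"),
                             "IpRanges": v4, "Ipv6Ranges": v6})
    return findings


def revoke_permission(finding):
    """--ip-permissions entry that removes only the world-open sources of one rule.
    A revoke must match the existing rule, so its own port range is kept even
    when it is wider than the database port; other CidrIps in the rule survive."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    if finding["IpRanges"]:
        perm["IpRanges"] = [{"CidrIp": c} for c in finding["IpRanges"]]
    if finding["Ipv6Ranges"]:  # IPv6 sources cannot be expressed with --cidr
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in finding["Ipv6Ranges"]]
    return perm


def revoke_command(finding, region):
    return ["aws", "ec2", "revoke-security-group-ingress", "--region", region,
            "--group-id", finding["GroupId"], "--ip-permissions", json.dumps([revoke_permission(finding)])]


def assess(db_instance, groups_by_id):
    """Combine the instance's PubliclyAccessible flag with its groups' rules."""
    port = db_instance["Endpoint"]["Port"]  # engine-specific; not always 3306
    findings = []
    for ref in db_instance.get("VpcSecurityGroups", []):
        group = groups_by_id.get(ref["VpcSecurityGroupId"])
        if group:
            findings.extend(open_rules(group, port))
    return {"DBInstanceIdentifier": db_instance["DBInstanceIdentifier"],
            "PubliclyAccessible": bool(db_instance.get("PubliclyAccessible")),
            "Port": port, "OpenRules": findings}


SAMPLE_INSTANCE = {  # constructed sample, shaped like describe-db-instances output
    "DBInstanceIdentifier": "example-db", "PubliclyAccessible": True,
    "Endpoint": {"Address": "example-db.abc123.us-east-1.rds.amazonaws.com", "Port": 3306},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]}
SAMPLE_GROUPS = {"sg-0123456789abcdef0": {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    # world-open on 3306 over IPv4 and IPv6, next to one legitimate range that must stay
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    # wide range that also covers 3306; must be revoked with its own range, not 3306
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    # world-open, but not on the database port: out of scope for this rule
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    # restricted source on the database port: compliant
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]}}


def aws_json(args):
    out = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def main(argv):
    if len(argv) != 3:
        print("usage: rds_public_exposure.py REGION DB_INSTANCE_IDENTIFIER", file=sys.stderr)
        return 2
    region, db_id = argv[1], argv[2]
    inst = aws_json(["rds", "describe-db-instances", "--region", region,
                     "--db-instance-identifier", db_id])["DBInstances"][0]
    ids = [g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", [])]
    groups = aws_json(["ec2", "describe-security-groups", "--region", region, "--group-ids", *ids])
    report = assess(inst, {g["GroupId"]: g for g in groups["SecurityGroups"]})
    print(json.dumps(report, indent=2))
    if report["PubliclyAccessible"]:  # step 1 of the page
        print(f"aws rds modify-db-instance --region {region} --db-instance-identifier {db_id} --no-publicly-accessible")
    for finding in report["OpenRules"]:  # steps 2 and 3; printed for review, never executed here
        print(" ".join(shlex.quote(a) for a in revoke_command(finding, region)))
    return 1 if report["PubliclyAccessible"] or report["OpenRules"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python rds_public_exposure.py us-east-1 my-db` with AWS credentials in the environment; a non-zero exit marks an exposed instance so the check can run in CI. The script deliberately only prints the revoke commands: each one names the rule's own port range and only the 0.0.0.0/0 or ::/0 source, so a rule that mixes a world-open CIDR with a legitimate internal range keeps the internal range, and the operator still decides what replaces the open rule in step 4.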