
RDS instance is not publicly accessible



Secure your RDS instance so that it is not publicly accessible.


Unrestricted access to your RDS instance lets anyone on the internet open a connection to your database. This exposes it to brute-force, DoS/DDoS, and SQL injection attacks.


From the command line

  1. Run the modify-db-instance command to make the instance not publicly accessible.

    aws rds modify-db-instance \
        --region INSERT_DB_INSTANCE_REGION \
        --db-instance-identifier INSERT_DB_INSTANCE_NAME \
        --no-publicly-accessible

  2. Run the revoke-security-group-ingress command to remove the rule that lets any IPv4 address (0.0.0.0/0) connect to port 3306.

    aws ec2 revoke-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr 0.0.0.0/0

  3. For IPv6 (::/0), use the same command as in step 2 but pass the rule with the --ip-permissions option instead of --cidr. Refer to the aws-cli documentation for revoke-security-group-ingress for the exact syntax.

  4. After removing the 0.0.0.0/0 or ::/0 CIDR ranges from ingress, add tighter CIDR ranges (only the networks that need database access) using the authorize-security-group-ingress command.

    aws ec2 authorize-security-group-ingress \
        --region INSERT_DB_INSTANCE_REGION \
        --group-id INSERT_SECURITY_GROUP_ID \
        --protocol tcp \
        --port 3306 \
        --cidr INSERT_TRUSTED_CIDR_RANGE
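To verify the result (or find instances that still violate this rule), the check below combines both conditions the steps above address: the instance resolves to a public IP and one of its security groups admits 0.0.0.0/0 or ::/0 on the database port. This is an added example, not code from the rule page; it runs over constructed sample data shaped like the JSON from `aws rds describe-db-instances` and `aws ec2 describe-security-groups`.

```python
# Audit helper: flags RDS instances that resolve to a public IP AND sit behind a
# security group that admits the whole internet on the database port.
# Input shapes follow `aws rds describe-db-instances` / `aws ec2 describe-security-groups`.
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample data, not from a real account.
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "prod-mysql", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "internal-pg", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []},
    ]},
]


def open_cidrs(group, port):
    """CIDRs in `group` that let everyone reach `port` (tcp range or all traffic)."""
    hits = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        covers_port = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0))
        if not covers_port:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        hits += [c for c in cidrs if c in ANY_CIDRS]
    return hits


def publicly_reachable(db_instances, security_groups):
    """Map DB identifier -> [(group id, cidr)] for instances open to the internet."""
    groups = {g["GroupId"]: g for g in security_groups}
    findings = {}
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue  # endpoint has no public IP, so an open SG alone is not reachable
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            gid = ref["VpcSecurityGroupId"]
            for cidr in open_cidrs(groups.get(gid, {}), port):
                findings.setdefault(db["DBInstanceIdentifier"], []).append((gid, cidr))
    return findings
```

On the sample, only prod-mysql is reported (via 0.0.0.0/0 and ::/0); internal-pg shares the open group but is not publicly accessible, and the 10.0.0.0/8 and 192.0.2.0/24 rules are left alone.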