Ensure and verify that RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.
Ensure that no public-facing RDS database instances are provisioned in your AWS account, and restrict unauthorized access in order to minimize security risks. When the RDS instance allows unrestricted access (0.0.0.0/0), everyone and everything on the Internet can establish a connection to your database, which increases the opportunity for malicious activities such as brute force attacks, PostgreSQL injections, or DoS/DDoS attacks.
Note: Any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for the application.
Run the describe-db-instances command to list all RDS database instance identifiers available in the selected AWS region:
aws rds describe-db-instances --region <region-name> \
--query 'DBInstances[*].DBInstanceIdentifier'
The command output should return each database instance identifier.
Run the modify-db-instance command to modify the selected RDS instance configuration. The following command disables the Publicly Accessible flag for the selected RDS instance. This command uses the --apply-immediately flag. If you want to avoid any downtime, the --no-apply-immediately flag can be used instead:
aws rds modify-db-instance --region <region-name> \
--db-instance-identifier <db-name> \
--no-publicly-accessible \
--apply-immediately
The command output should show the Publicly Accessible configuration under pending values; the change is applied at the specified time.
Update the Internet Gateway Destination from the AWS Console. Updating the Internet Gateway Destination from the CLI is not supported.
Repeat steps 1 to 5 for each RDS instance provisioned in the current region.
Change the AWS region by using the --region option to repeat the process for other regions.
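To find which instances need the remediation above, the following added example (not part of the original page or of any AWS or Datadog tooling) audits the JSON that describe-db-instances returns, together with security group data as returned by aws ec2 describe-security-groups. The instance names, security group IDs and both JSON samples are constructed, and every instance is assumed to be available so that its Endpoint is present.

```python
import json

# Constructed sample, trimmed to the fields used: `aws rds describe-db-instances`.
DB_JSON = """{"DBInstances": [
 {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": true,
  "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}]},
 {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": false,
  "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}]},
 {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": false,
  "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}]}]}"""

# Constructed sample, trimmed: `aws ec2 describe-security-groups`.
SG_JSON = """{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
   "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
   "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]}]}"""

UNRESTRICTED = {"0.0.0.0/0", "::/0"}

def open_to_world(group, port):
    """True if an ingress rule admits `port` from an unrestricted CIDR."""
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        # "-1" means all protocols and ports; otherwise require a TCP range match.
        covers = proto == "-1" or (
            proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if covers and cidrs & UNRESTRICTED:
            return True
    return False

def audit(db_json, sg_json):
    """Return (identifier, publicly_accessible, open_group_ids) per flagged instance."""
    groups = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for db in json.loads(db_json)["DBInstances"]:
        port = db["Endpoint"]["Port"]  # assumption: instance is available
        open_ids = [s["VpcSecurityGroupId"] for s in db.get("VpcSecurityGroups", [])
                    if s["VpcSecurityGroupId"] in groups
                    and open_to_world(groups[s["VpcSecurityGroupId"]], port)]
        public = bool(db.get("PubliclyAccessible"))
        if public or open_ids:
            findings.append((db["DBInstanceIdentifier"], public, open_ids))
    return findings

if __name__ == "__main__":
    for name, public, sgs in audit(DB_JSON, SG_JSON):
        print(f"{name}: PubliclyAccessible={public} open_security_groups={sgs}")
```

An instance such as legacy-db in the sample is reported even though its flag is already disabled, because its security group still admits 0.0.0.0/0 on the database port.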