RDS instance associated with a public subnet
Id: 16732649-4ff6-4cd2-8746-e72c13fae4b8
Cloud Provider: AWS
Platform: Ansible
Severity: Critical
Category: Networking and Firewall
Description
RDS instances must not be placed in public subnets: an internet-routable subnet exposes the database endpoint to the internet and raises the risk of unauthorized access and data exfiltration. This rule inspects Ansible tasks that create RDS instances (modules amazon.aws.rds_instance or rds_instance) and requires the subnet group parameter (db_subnet_group_name, or its alias subnet_group) to reference a subnet group composed only of private subnets.
It resolves the referenced subnet group through the subnet group tasks (amazon.aws.rds_subnet_group or rds_subnet_group) and the subnets those groups list through the subnet tasks (amazon.aws.ec2_vpc_subnet or ec2_vpc_subnet). Any subnet whose cidr is 0.0.0.0/0 or whose ipv6_cidr is ::/0 is treated as public and triggers a finding. Note that this is a static check on the CIDR value only: in AWS a subnet is actually public when its route table sends 0.0.0.0/0 to an internet gateway, and an instance with publicly_accessible: true is reachable regardless of subnet; neither is evaluated by this rule, so a clean result does not by itself prove the endpoint is unreachable from the internet.
Tasks that omit the subnet group parameter, or whose subnet group contains any public subnet, are flagged. Make sure subnet groups list only subnets with private CIDR ranges, and that the variables registered by the subnet tasks match the references used in the subnet group's subnets list.
Secure example with private subnet CIDRs:
- name: Create private subnet
  amazon.aws.ec2_vpc_subnet:
    vpc_id: vpc-123
    cidr: 10.0.1.0/24
  register: private_subnet_a
- name: Create RDS subnet group using private subnets
  amazon.aws.rds_subnet_group:
    name: my-db-subnet-group
    description: Private subnets for the database tier
    subnets:
      - "{{ private_subnet_a.subnet.id }}"   # pass the subnet ID, not the whole registered result
- name: Create RDS instance in private subnet group
  amazon.aws.rds_instance:
    db_subnet_group_name: my-db-subnet-group
    # other RDS properties...
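The resolution chain the description spells out, as an added Python example (not the rule engine's own code): it indexes rds_subnet_group tasks by name and ec2_vpc_subnet tasks by their registered variable, follows each rds_instance's db_subnet_group_name (or subnet_group) through the group's subnets list back to the subnet task, and applies the /0 CIDR test. It goes one step beyond the page's rule with an optional extended mode that also flags map_public: true on the subnet and publicly_accessible: true on the instance; both are real amazon.aws module parameters, but the rule itself does not inspect them. The sample task lists are constructed by hand to mirror the page's compliant and non-compliant examples; apart from the module and parameter names, every identifier is an assumption.

```python
"""Static check: an Ansible rds_instance task must reference an rds_subnet_group
whose ec2_vpc_subnet members are all private (added example, not the rule engine)."""
import ipaddress
import re

RDS_INSTANCE = {"amazon.aws.rds_instance", "rds_instance"}
SUBNET_GROUP = {"amazon.aws.rds_subnet_group", "rds_subnet_group"}
VPC_SUBNET = {"amazon.aws.ec2_vpc_subnet", "ec2_vpc_subnet"}
# "{{ subnet22.subnet.id }}" points back to the task that did `register: subnet22`;
# only the leading variable name is needed to find it.
JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")


def module_of(task):
    """Return (module_name, module_args) if the task uses one of the tracked modules."""
    for key, value in task.items():
        if key in RDS_INSTANCE | SUBNET_GROUP | VPC_SUBNET:
            return key, (value or {})
    return None, {}


def is_public_cidr(cidr):
    """The page's heuristic: a /0 prefix (0.0.0.0/0 or ::/0) marks the subnet public."""
    try:
        return ipaddress.ip_network(str(cidr), strict=False).prefixlen == 0
    except ValueError:  # templated or malformed value: cannot be judged statically
        return False


def public_reasons(subnet_args, extended=False):
    """Reasons an ec2_vpc_subnet task counts as public. 'extended' adds map_public,
    which the page's rule does not look at (our addition)."""
    reasons = []
    for key in ("cidr", "ipv6_cidr"):
        value = subnet_args.get(key)
        if value is not None and is_public_cidr(value):
            reasons.append(f"{key} {value} is internet-routable (/0)")
    if extended and subnet_args.get("map_public") is True:
        reasons.append("map_public: true assigns public IPs to instances in the subnet")
    return reasons


def check_playbook(tasks, extended=False):
    """Return [(rds task name, reason)] for every rds_instance task violating the rule.
    extended=True additionally reports publicly_accessible: true on the instance."""
    subnets_by_register, groups_by_name = {}, {}
    for task in tasks:
        module, args = module_of(task)
        if module in VPC_SUBNET and task.get("register"):
            subnets_by_register[task["register"]] = args
        elif module in SUBNET_GROUP and args.get("name"):
            groups_by_name[str(args["name"])] = args

    findings = []
    for task in tasks:
        module, args = module_of(task)
        if module not in RDS_INSTANCE:
            continue
        name = task.get("name", "<unnamed rds_instance>")
        group_name = args.get("db_subnet_group_name", args.get("subnet_group"))
        if not group_name:
            findings.append((name, "no db_subnet_group_name/subnet_group set"))
            continue
        group = groups_by_name.get(str(group_name))
        if group is None:
            # The page does not say how an unresolved group is treated; report it
            # rather than silently passing the instance.
            findings.append((name, f"subnet group {group_name!r} is not defined in this playbook"))
            continue
        for ref in group.get("subnets") or []:
            match = JINJA_VAR.search(str(ref))
            subnet = subnets_by_register.get(match.group(1)) if match else None
            if subnet is None:
                findings.append((name, f"subnet entry {ref!r} cannot be resolved to an ec2_vpc_subnet task"))
                continue
            for reason in public_reasons(subnet, extended):
                findings.append((name, f"subnet {match.group(1)}: {reason}"))
        if extended and args.get("publicly_accessible") is True:
            findings.append((name, "publicly_accessible: true exposes the endpoint directly"))
    return findings


# Constructed samples: the parsed form of the page's two example playbooks,
# trimmed to the parameters the check reads.
NON_COMPLIANT = [
    {"name": "create minimal aurora instance",
     "amazon.aws.rds_instance": {"engine": "aurora", "db_subnet_group_name": "my_subnet_group"}},
    {"name": "Add or change a subnet group", "register": "my_subnet_group",
     "amazon.aws.rds_subnet_group": {"state": "present", "name": "my_subnet_group",
                                     "subnets": ["{{ subnet1.subnet.id }}", "{{ subnet2.subnet.id }}"]}},
    {"name": "Create subnet for database servers", "register": "subnet1",
     "amazon.aws.ec2_vpc_subnet": {"state": "present", "vpc_id": "vpc-123456", "cidr": "0.0.0.0/0"}},
    {"name": "Create subnet for database servers2", "register": "subnet2",
     "amazon.aws.ec2_vpc_subnet": {"state": "present", "vpc_id": "vpc-123456", "cidr": "10.0.1.16/28"}},
]
COMPLIANT = [
    {"name": "create minimal aurora instance 2",
     "amazon.aws.rds_instance": {"engine": "aurora", "db_subnet_group_name": "my_subnet_group2"}},
    {"name": "Add or change a subnet group2", "register": "my_subnet_group2",
     "amazon.aws.rds_subnet_group": {"name": "my_subnet_group2", "subnets": ["{{ subnet22.subnet.id }}"]}},
    {"name": "Create subnet for database servers22", "register": "subnet22",
     "amazon.aws.ec2_vpc_subnet": {"vpc_id": "vpc-123456", "cidr": "10.0.1.16/28"}},
]

if __name__ == "__main__":
    for label, tasks in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, check_playbook(tasks) or "no findings")
```

To run it against a real tasks file, pass the list that yaml.safe_load returns for it (or each play's tasks list); the constructed samples are already in that shape, so the block itself runs offline without PyYAML. Note that only subnet group entries written as Jinja references to a registered variable can be followed; a literal subnet ID is reported as unresolvable rather than assumed private.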
Compliant Code Examples
# Tasks are ordered so each registered variable exists before it is referenced.
- name: Create subnet for database servers22
  amazon.aws.ec2_vpc_subnet:
    state: present
    vpc_id: vpc-123456
    cidr: 10.0.1.16/28        # private range, not /0
    tags:
      Name: Database Subnet
  register: subnet22
- name: Add or change a subnet group2
  amazon.aws.rds_subnet_group:
    state: present
    name: my_subnet_group2
    description: My Fancy Ex Parrot Subnet Group
    subnets:
      - "{{ subnet22.subnet.id }}"
  register: my_subnet_group2
- name: create minimal aurora instance in default VPC and default subnet group2
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    db_subnet_group_name: my_subnet_group2   # all subnets in this group are private
Non-Compliant Code Examples
# Tasks are ordered so each registered variable exists before it is referenced.
- name: Create subnet for database servers
  amazon.aws.ec2_vpc_subnet:
    state: present
    vpc_id: vpc-123456
    cidr: 0.0.0.0/0           # /0 is treated as public; this is what the rule flags
    tags:
      Name: Database Subnet
  register: subnet1
- name: Create subnet for database servers2
  amazon.aws.ec2_vpc_subnet:
    state: present
    vpc_id: vpc-123456
    cidr: 10.0.1.16/28
    tags:
      Name: Database Subnet
  register: subnet2
- name: Add or change a subnet group
  amazon.aws.rds_subnet_group:
    state: present
    name: my_subnet_group
    description: My Fancy Ex Parrot Subnet Group
    subnets:
      - "{{ subnet1.subnet.id }}"   # the public subnet makes the whole group non-compliant
      - "{{ subnet2.subnet.id }}"
  register: my_subnet_group
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    db_subnet_group_name: my_subnet_group