
Metadata

Id: c09e3ca5-f08a-4717-9c87-3919c5e6d209

Cloud Provider: AWS

Platform: Ansible

Severity: Critical

Category: Insecure Configurations


Description

RDS instances must not be configured as publicly accessible. A publicly accessible instance is given a public IP address and its endpoint resolves to it, so anyone whose traffic the security group permits can reach the database directly from the internet. That exposes it to port scanning, brute-force and credential-stuffing attacks against the database login, and turns any leaked password into immediate access instead of access that still requires a foothold inside the VPC.

In Ansible tasks that use the amazon.aws.rds_instance module (or the unqualified rds_instance name), set the publicly_accessible property to false. Any task that sets it to a truthy value is flagged; YAML 1.1 spellings such as Yes, True or on are parsed as booleans by Ansible, so publicly_accessible: Yes is just as public as publicly_accessible: true. If the property is omitted, the module does not supply a value and AWS decides: the instance is private unless the VPC of its DB subnet group (or the default VPC, when no subnet group is given) has an internet gateway attached, in which case it becomes public without the playbook ever saying so. Omission is therefore not flagged, but setting publicly_accessible: false explicitly, placing the instance in private subnets via db_subnet_group_name, and attaching security groups (vpc_security_group_ids) that allow only the application tier provides defense in depth.

Secure example:

- name: Create RDS instance (private)
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: postgres
    instance_class: db.t3.medium
    publicly_accessible: false
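The check described above, as an added example that is not Datadog's rule implementation nor Ansible's code: a standard-library-only scanner that walks a flat task list, finds rds_instance tasks, and reports those whose publicly_accessible value is truthy (including the YAML 1.1 spellings Yes/On/True), while separately listing tasks that omit the property. It assumes playbooks shaped like the ones on this page (one module per task, scalar parameters, one per line); the line-based parser is a deliberate simplification, not a YAML implementation, and the sample playbook is constructed for the example.

```python
"""Added example: flag Ansible rds_instance tasks with a truthy publicly_accessible.

Assumptions: a flat task list of the shape shown on this page (one module key per
task, scalar parameters one per line). The parser is a simplified line scanner so
the script runs without PyYAML; it is not a general YAML parser.
"""
import re

# Module names the rule applies to: the FQCN, the community alias, and the short name.
RDS_MODULES = {"amazon.aws.rds_instance", "community.aws.rds_instance", "rds_instance"}

# Spellings that Ansible's boolean coercion (and the YAML 1.1 loader behind it) treat
# as true, so "publicly_accessible: Yes" is exactly as public as "publicly_accessible: true".
TRUE_VALUES = {"true", "yes", "on", "y", "t", "1"}

TASK_RE = re.compile(r"^\s*-\s+([\w.]+):\s*(.*?)\s*$")  # "- name: ..." starts a task
KV_RE = re.compile(r"^\s*([\w.]+):\s*(.*?)\s*$")        # "  key: value" or "  key:"


def parse_tasks(playbook_text):
    """Return tasks as dicts {'name', 'module', 'params': {key: raw scalar string}}.

    The first bare "key:" line in a task is taken as the module name; every
    "key: value" line after it is recorded as a module parameter (simplification:
    task-level keywords placed after the module are recorded as parameters too).
    """
    tasks, cur = [], None
    for raw in playbook_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        m = TASK_RE.match(raw)
        if m:                                    # a new list item is a new task
            cur = {"name": "<unnamed>", "module": None, "params": {}}
            tasks.append(cur)
            key, val = m.groups()
            if key == "name":
                cur["name"] = val
            continue
        m = KV_RE.match(raw)
        if cur is None or not m:
            continue
        key, val = m.groups()
        if val == "" and cur["module"] is None:
            cur["module"] = key
        elif cur["module"] is None:              # task-level keys before the module
            if key == "name":
                cur["name"] = val
        else:
            cur["params"][key] = val.strip("'\"")
    return tasks


def is_truthy(scalar):
    """True for any spelling Ansible would coerce to boolean true."""
    return scalar.strip().lower() in TRUE_VALUES


def audit_public_rds(playbook_text):
    """Return {'flagged': [(task, id, value)], 'implicit': [(task, id)]}.

    flagged  - publicly_accessible set to a truthy value (the rule's finding)
    implicit - publicly_accessible omitted, so AWS decides from the subnet group
    """
    result = {"flagged": [], "implicit": []}
    for t in parse_tasks(playbook_text):
        if t["module"] not in RDS_MODULES:       # same key on other modules is irrelevant
            continue
        p = t["params"]
        ident = p.get("db_instance_identifier") or p.get("id") or "<no id>"
        val = p.get("publicly_accessible")
        if val is None:
            result["implicit"].append((t["name"], ident))
        elif is_truthy(val):
            result["flagged"].append((t["name"], ident, val))
    return result


# Constructed sample playbook, built from the patterns shown on this page.
SAMPLE_PLAYBOOK = """---
- name: community - Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    publicly_accessible: Yes
- name: Create RDS instance publicly accessible
  amazon.aws.rds_instance:
    db_instance_identifier: new-database
    engine: mysql
    publicly_accessible: true
- name: Create RDS instance (private)
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: postgres
    publicly_accessible: false
- name: create RDS instance in default VPC and default subnet group03
  rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    cluster_id: ansible-test-cluster
- name: Unrelated task that happens to use the same key name
  amazon.aws.ec2_instance:
    name: web
    publicly_accessible: true
"""

if __name__ == "__main__":
    report = audit_public_rds(SAMPLE_PLAYBOOK)
    for name, ident, val in report["flagged"]:
        print(f"FAIL  {ident!r} in task {name!r}: publicly_accessible: {val}")
    for name, ident in report["implicit"]:
        print(f"WARN  {ident!r} in task {name!r}: publicly_accessible not set explicitly")
```

Run against the sample, the two tasks using Yes and true are reported as failures, the aurora task that omits the property is reported as a warning only (matching the rule, which does not flag omission), and the ec2_instance task is ignored even though it carries the same key. Treating the warning as a failure in your own CI is a reasonable stricter policy, since it forces every playbook to state the intent explicitly instead of inheriting it from the VPC layout.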

Compliant Code Examples

- name: create RDS instance in default VPC and default subnet group02
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    publicly_accessible: false
- name: create RDS instance in default VPC and default subnet group03
  rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster

Non-Compliant Code Examples

---
- name: community - Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    publicly_accessible: Yes
- name: Create RDS instance publicly accessible
  amazon.aws.rds_instance:
    db_instance_identifier: new-database
    engine: mysql
    db_instance_class: db.t3.medium
    username: admin
    password: "{{ password }}"
    allocated_storage: 10
    publicly_accessible: true