---
title: RDS DB instance is not publicly accessible
description: Datadog, the leading service for cloud-scale monitoring.
---

# RDS DB instance is not publicly accessible

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `c09e3ca5-f08a-4717-9c87-3919c5e6d209`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Critical

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/rds_instance_module.html#parameter-publicly_accessible)

### Description{% #description %}

RDS instances must not be configured as publicly accessible. An RDS instance with a public endpoint is reachable from any address its security group allows, which exposes the database engine's authentication surface to the internet and enables brute-force and credential-stuffing attacks against it.

In Ansible tasks that use the `amazon.aws.rds_instance` module (or its legacy short name `rds_instance`), set the `publicly_accessible` parameter explicitly to `false`. Tasks whose `publicly_accessible` value is true are flagged; YAML 1.1 spellings such as `Yes` or `on` load as booleans, so they count as `true`. The module sets no default for this parameter. If it is omitted the rule does not flag the task, but the RDS API then derives the setting from the network: when the VPC of the subnet group (or the default VPC, if no `db_subnet_group_name` is given) has an internet gateway attached, the instance is created publicly accessible. Setting `publicly_accessible: false` explicitly, placing the instance in private subnets through `db_subnet_group_name`, and restricting inbound access with `vpc_security_group_ids` provides defense in depth.

Secure example:

```yaml
- name: Create RDS instance (private)
  amazon.aws.rds_instance:
    db_instance_identifier: mydb
    engine: postgres
    instance_class: db.t3.medium
    publicly_accessible: false
```
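The check below is an added example of the detection logic this rule describes, not Datadog's scanner or Ansible code. It runs over tasks that have already been parsed from a playbook (a list of dicts, as PyYAML produces), so it needs no third-party packages; the sample playbook is constructed inline. It mirrors how Ansible coerces a `bool` parameter (`y`, `yes`, `on`, `1`, `true`, `t` and their upper-case forms are true), treats an unresolved Jinja expression as unknown rather than safe, and reports an omitted `publicly_accessible` as implicit so the task can be made explicit.

```python
"""Flag Ansible RDS tasks whose publicly_accessible is not explicitly false.

Added example for this rule; not Datadog's or Ansible's code. Operates on
tasks already parsed from YAML (a list of dicts).
"""
from typing import Any, Dict, Iterable, List

# Module names the rule covers: the FQCN, the legacy short name, and the
# community.aws path the module used before it moved to amazon.aws.
RDS_MODULES = {
    "amazon.aws.rds_instance",
    "community.aws.rds_instance",
    "rds_instance",
}

# The string spellings Ansible's boolean() accepts for a type=bool parameter.
# PyYAML already turns `Yes`/`on`/`true` into True, but a quoted "yes" still
# arrives as a string and Ansible converts it, so both paths must be handled.
ANSIBLE_TRUE = {"y", "yes", "on", "1", "true", "t"}
ANSIBLE_FALSE = {"n", "no", "off", "0", "false", "f"}


def classify(value: Any) -> str:
    """Return 'public', 'private' or 'unknown' for a publicly_accessible value."""
    if isinstance(value, bool):          # bool is a subclass of int: check first
        return "public" if value else "private"
    if isinstance(value, (int, float)) and value in (0, 1):
        return "public" if value == 1 else "private"
    if isinstance(value, str):
        s = value.strip().lower()
        if s in ANSIBLE_TRUE:
            return "public"
        if s in ANSIBLE_FALSE:
            return "private"
    return "unknown"  # Jinja expression, null, or a type Ansible would reject


def find_public_rds(tasks: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per RDS task that is not explicitly private.

    status is 'public' (rule violation), 'unknown' (templated, needs review)
    or 'implicit' (parameter omitted; AWS decides from the VPC's internet
    gateway, so the task should set it explicitly).
    """
    findings: List[Dict[str, Any]] = []
    for task in tasks:
        for module in task:
            if module not in RDS_MODULES:
                continue
            args = task[module] or {}
            if not isinstance(args, dict):
                continue  # free-form "key=value" module strings are not handled here
            name = task.get("name", "<unnamed>")
            if "publicly_accessible" not in args:
                findings.append({"task": name, "status": "implicit"})
                continue
            status = classify(args["publicly_accessible"])
            if status != "private":
                findings.append({"task": name, "status": status,
                                 "value": args["publicly_accessible"]})
    return findings


def violations(tasks: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Only the findings this rule would report as failures."""
    return [f for f in find_public_rds(tasks) if f["status"] == "public"]


# Constructed sample playbook, already parsed as Ansible would load it
# (PyYAML maps a bare `Yes` to True, so the first task carries a real boolean).
SAMPLE_TASKS = [
    {"name": "encrypted mariadb", "amazon.aws.rds_instance": {
        "id": "test-encrypted-db", "engine": "mariadb", "publicly_accessible": True}},
    {"name": "templated flag", "rds_instance": {
        "db_instance_identifier": "tmpl-db", "publicly_accessible": "{{ expose_db }}"}},
    {"name": "explicit private", "amazon.aws.rds_instance": {
        "db_instance_identifier": "mydb", "publicly_accessible": False}},
    {"name": "omitted flag", "community.aws.rds_instance": {
        "db_instance_identifier": "legacy-db"}},
    {"name": "unrelated", "amazon.aws.ec2_instance": {"name": "web"}},
]

if __name__ == "__main__":
    for finding in find_public_rds(SAMPLE_TASKS):
        print(finding)
```

Running the block prints three findings: the MariaDB task as `public`, the templated task as `unknown`, and the legacy task as `implicit`; only the first is a violation of this rule, the other two are the cases a reviewer should resolve by hand.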

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create RDS instance in default VPC and default subnet group02
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
    publicly_accessible: false
- name: create RDS instance in default VPC and default subnet group03
  rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: '{{ password }}'
    username: '{{ username }}'
    cluster_id: ansible-test-cluster
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: community - Create a DB instance using the default AWS KMS encryption key
  amazon.aws.rds_instance:
    id: test-encrypted-db
    state: present
    engine: mariadb
    storage_encrypted: True
    db_instance_class: db.t2.medium
    username: "{{ username }}"
    password: "{{ password }}"
    allocated_storage: "{{ allocated_storage }}"
    publicly_accessible: Yes
- name: Create RDS instance publicly accessible
  amazon.aws.rds_instance:
    db_instance_identifier: new-database
    engine: mysql
    db_instance_class: db.t3.medium
    username: admin
    password: "{{ password }}"
    allocated_storage: 10
    publicly_accessible: true
```
