For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-rds-associated-with-public-subnet.md. A documentation index is available at /llms.txt.

RDS associated with a public subnet

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-rds-associated-with-public-subnet

Provider: AWS

Platform: CloudFormation

Severity: Critical

Category: Networking and Firewall

Learn More

Description

RDS instances must not be deployed into public subnets because public routability exposes the database to direct internet access, increasing the risk of unauthorized access, brute-force attacks, and data exfiltration. In AWS CloudFormation, verify the AWS::RDS::DBInstance DBSubnetGroupName reference and ensure the referenced AWS::RDS::DBSubnetGroup SubnetIds do not include any AWS::EC2::Subnet with unrestricted CIDRs. Specifically, flag subnets where CidrBlock equals 0.0.0.0/0 or Ipv6CidrBlock equals ::/0. Database subnet groups containing such subnets will be reported as insecure.

Secure example with private subnets:

MyPrivateSubnet1:
  Type: AWS::EC2::Subnet
  Properties:
    CidrBlock: 10.0.1.0/24
    VpcId: vpc-12345

MyPrivateSubnet2:
  Type: AWS::EC2::Subnet
  Properties:
    CidrBlock: 10.0.2.0/24
    VpcId: vpc-12345

MyDBSubnetGroup:
  Type: AWS::RDS::DBSubnetGroup
  Properties:
    DBSubnetGroupDescription: "Private subnets for RDS"
    SubnetIds:
      - !Ref MyPrivateSubnet1
      - !Ref MyPrivateSubnet2

MyDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBSubnetGroupName: !Ref MyDBSubnetGroup
    Engine: mysql
    DBInstanceClass: db.t3.medium

Compliant Code Examples

Resources:
 Negative1:
  Type: AWS::RDS::DBInstance
  Properties:
    AllocatedStorage: '5'
    DBInstanceClass: db.t2.small
    Engine: oracle-ee
    LicenseModel: bring-your-own-license
    MasterUsername: master
    MasterUserPassword: SecretPassword01
    BackupRetentionPeriod: 7
    DBSubnetGroupName:
       Ref: myDBSubnetGroup0
  DeletionPolicy: Snapshot
 myDBSubnetGroup0: 
    Properties: 
      DBSubnetGroupDescription: description
      SubnetIds: 
        - Ref: mySubnet10
      Tags: 
        - 
          Key: String
          Value: String
    Type: "AWS::RDS::DBSubnetGroup"
 mySubnet10:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: stack
        Value: production

{
  "Resources": {
    "Negative1": {
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "AllocatedStorage": "5",
        "BackupRetentionPeriod": 7,
        "DBInstanceClass": "db.t2.small",
        "DBSubnetGroupName": {
          "Ref": "myDBSubnetGroup0"
        },
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUserPassword": "SecretPassword01",
        "MasterUsername": "master"
      },
      "Type": "AWS::RDS::DBInstance"
    },
    "myDBSubnetGroup0": {
      "Properties": {
        "DBSubnetGroupDescription": "description",
        "SubnetIds": [
          {
            "Ref": "mySubnet10"
          }
        ],
        "Tags": [
          {
            "Key": "String",
            "Value": "String"
          }
        ]
      },
      "Type": "AWS::RDS::DBSubnetGroup"
    },
    "mySubnet10": {
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "CidrBlock": "10.0.0.0/24",
        "Tags": [
          {
            "Key": "stack",
            "Value": "production"
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}

Non-Compliant Code Examples

Resources:
 Positive1:
  Type: AWS::RDS::DBInstance
  Properties:
    AllocatedStorage: '5'
    DBInstanceClass: db.t2.small
    Engine: oracle-ee
    LicenseModel: bring-your-own-license
    MasterUsername: master
    MasterUserPassword: SecretPassword01
    BackupRetentionPeriod: 7
    DBSubnetGroupName:
       Ref: myDBSubnetGroup
  DeletionPolicy: Snapshot
 myDBSubnetGroup: 
    Properties: 
      DBSubnetGroupDescription: description
      SubnetIds: 
        - Ref: mySubnet1
        - Ref: mySubnet2
      Tags: 
        - 
          Key: String
          Value: String
    Type: "AWS::RDS::DBSubnetGroup"
 mySubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: stack
        Value: production
 mySubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: myVPC
      CidrBlock: 0.0.0.0/0
      AvailabilityZone: "us-east-1a"
      Tags:
      - Key: stack
        Value: production

{
  "Resources": {
    "Positive1": {
      "DeletionPolicy": "Snapshot",
      "Properties": {
        "AllocatedStorage": "5",
        "BackupRetentionPeriod": 7,
        "DBInstanceClass": "db.t2.small",
        "DBSubnetGroupName": {
          "Ref": "myDBSubnetGroup"
        },
        "Engine": "oracle-ee",
        "LicenseModel": "bring-your-own-license",
        "MasterUserPassword": "SecretPassword01",
        "MasterUsername": "master"
      },
      "Type": "AWS::RDS::DBInstance"
    },
    "myDBSubnetGroup": {
      "Properties": {
        "DBSubnetGroupDescription": "description",
        "SubnetIds": [
          {
            "Ref": "mySubnet1"
          },
          {
            "Ref": "mySubnet2"
          }
        ],
        "Tags": [
          {
            "Key": "String",
            "Value": "String"
          }
        ]
      },
      "Type": "AWS::RDS::DBSubnetGroup"
    },
    "mySubnet1": {
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "CidrBlock": "10.0.0.0/24",
        "Tags": [
          {
            "Key": "stack",
            "Value": "production"
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      },
      "Type": "AWS::EC2::Subnet"
    },
    "mySubnet2": {
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "CidrBlock": "0.0.0.0/0",
        "Tags": [
          {
            "Key": "stack",
            "Value": "production"
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      },
      "Type": "AWS::EC2::Subnet"
    }
  }
}