For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-rds-db-instance-publicly-accessible.md.
A documentation index is available at /llms.txt.
RDS DB instances must not be publicly accessible because exposing a database endpoint to the internet increases the attack surface and can enable unauthorized access, credential-guessing attacks, and data exfiltration. In AWS CloudFormation, the PubliclyAccessible property on AWS::RDS::DBInstance resources must be set to false. Resources with PubliclyAccessible set to true will be flagged. If the property is omitted, ensure the instance is deployed to private subnets and protected by restrictive security groups so it cannot receive a public IP or accept traffic from the internet.
AWSTemplateFormatVersion:2010-09-09Description:>- Description": "AWS CloudFormation Sample Template for creating an Amazon RDS DB instance:
Sample template showing how to create a DB instance with Enhanced Monitoring enabled.
**WARNING** This template creates an RDS DB instance. You will be billed for the AWS
resources used if you create a stack from this template.Parameters:DBInstanceID:Default:mydbinstanceDescription:My database instanceType:StringMinLength:'1'MaxLength:'63'AllowedPattern:'[a-zA-Z][a-zA-Z0-9]*'ConstraintDescription:>- Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.DBName:Default:mydbDescription:My databaseType:StringMinLength:'1'MaxLength:'64'AllowedPattern:'[a-zA-Z][a-zA-Z0-9]*'ConstraintDescription:Must begin with a letter and contain only alphanumeric characters.DBInstanceClass:Default:db.m5.largeDescription:DB instance classType:StringConstraintDescription:Must select a valid DB instance type.DBAllocatedStorage:Default:'50'Description:The size of the database (GiB)Type:NumberMinValue:'5'MaxValue:'1024'ConstraintDescription:must be between 20 and 65536 GiB.DBUsername:NoEcho:'true'Description:Username for MySQL database accessType:StringMinLength:'1'MaxLength:'16'AllowedPattern:'[a-zA-Z][a-zA-Z0-9]*'ConstraintDescription:must begin with a letter and contain only alphanumeric characters.DBPassword:NoEcho:'true'Description:Password MySQL database accessType:StringMinLength:'8'MaxLength:'41'AllowedPattern:'[a-zA-Z0-9]*'ConstraintDescription:must contain only alphanumeric characters.Resources:MyDB:Type:'AWS::RDS::DBInstance'Properties:DBInstanceIdentifier:!Ref DBInstanceIDDBName:!Ref DBNameDBInstanceClass:!Ref DBInstanceClassAllocatedStorage:!Ref DBAllocatedStorageEngine:MySQLEngineVersion:8.0.16MasterUsername:!Ref DBUsernameMasterUserPassword:!Ref DBPasswordMonitoringInterval:'60'MonitoringRoleArn:'arn:aws:iam::123456789012:role/rds-monitoring-role'PubliclyAccessible:false
{"Resources":{"MyDB":{"Type":"AWS::RDS::DBInstance","Properties":{"AllocatedStorage":"DBAllocatedStorage","EngineVersion":"8.0.16","MasterUserPassword":"DBPassword","MonitoringInterval":"60","DBInstanceIdentifier":"DBInstanceID","DBName":"DBName","DBInstanceClass":"DBInstanceClass","Engine":"MySQL","MasterUsername":"DBUsername","MonitoringRoleArn":"arn:aws:iam::123456789012:role/rds-monitoring-role","PubliclyAccessible":false}}},"AWSTemplateFormatVersion":"2010-09-09T00:00:00Z","Description":"Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.","Parameters":{"DBPassword":{"NoEcho":"true","Description":"Password MySQL database access","Type":"String","MinLength":"8","MaxLength":"41","AllowedPattern":"[a-zA-Z0-9]*","ConstraintDescription":"must contain only alphanumeric characters."},"DBInstanceID":{"MinLength":"1","MaxLength":"63","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.","Default":"mydbinstance","Description":"My database instance","Type":"String"},"DBName":{"Default":"mydb","Description":"My database","Type":"String","MinLength":"1","MaxLength":"64","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"Must begin with a letter and contain only alphanumeric characters."},"DBInstanceClass":{"Default":"db.m5.large","Description":"DB instance class","Type":"String","ConstraintDescription":"Must select a valid DB instance type."},"DBAllocatedStorage":{"Description":"The size of the database (GiB)","Type":"Number","MinValue":"5","MaxValue":"1024","ConstraintDescription":"must be between 20 and 65536 GiB.","Default":"50"},"DBUsername":{"MinLength":"1","MaxLength":"16","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"must begin with a letter and contain only alphanumeric characters.","NoEcho":"true","Description":"Username for MySQL database access","Type":"String"}}}
Non-Compliant Code Examples
#this is a problematic code where the query should report a result(s)AWSTemplateFormatVersion:2010-09-09Description:>- Description": "AWS CloudFormation Sample Template for creating an Amazon RDS DB instance:
Sample template showing how to create a DB instance with Enhanced Monitoring enabled.
**WARNING** This template creates an RDS DB instance. You will be billed for the AWS
resources used if you create a stack from this template.Parameters:DBInstanceID:Default:mydbinstanceDescription:My database instanceType:StringMinLength:'1'MaxLength:'63'AllowedPattern:'[a-zA-Z][a-zA-Z0-9]*'ConstraintDescription:>- Must begin with a letter and must not end with a hyphen or contain two
consecutive hyphens.DBName:Default:mydbDescription:My databaseType:StringMinLength:'1'MaxLength:'64'AllowedPattern:'[a-zA-Z][a-zA-Z0-9]*'ConstraintDescription:Must begin with a letter and contain only alphanumeric characters.DBInstanceClass:Default:db.m5.largeDescription:DB instance classType:StringConstraintDescription:Must select a valid DB instance type.DBAllocatedStorage:Default:'50'Description:The size of the database (GiB)Type:NumberMinValue:'5'MaxValue:'1024'ConstraintDescription:must be between 20 and 65536 GiB.DBUsername:NoEcho:'true'Description:Username for MySQL database accessType:StringMinLength:'1'MaxLength:'16'AllowedPattern:'[a-zA-Z][a-zA-Z0-9]*'ConstraintDescription:must begin with a letter and contain only alphanumeric characters.DBPassword:NoEcho:'true'Description:Password MySQL database accessType:StringMinLength:'8'MaxLength:'41'AllowedPattern:'[a-zA-Z0-9]*'ConstraintDescription:must contain only alphanumeric characters.Resources:MyDB:Type:'AWS::RDS::DBInstance'Properties:DBInstanceIdentifier:!Ref DBInstanceIDDBName:!Ref DBNameDBInstanceClass:!Ref DBInstanceClassAllocatedStorage:!Ref DBAllocatedStorageEngine:MySQLEngineVersion:8.0.16MasterUsername:!Ref DBUsernameMasterUserPassword:!Ref DBPasswordMonitoringInterval:'60'MonitoringRoleArn:'arn:aws:iam::123456789012:role/rds-monitoring-role'PubliclyAccessible:true
{"Description":"Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.","Parameters":{"DBInstanceClass":{"Description":"DB instance class","Type":"String","ConstraintDescription":"Must select a valid DB instance type.","Default":"db.m5.large"},"DBAllocatedStorage":{"ConstraintDescription":"must be between 20 and 65536 GiB.","Default":"50","Description":"The size of the database (GiB)","Type":"Number","MinValue":"5","MaxValue":"1024"},"DBUsername":{"MinLength":"1","MaxLength":"16","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"must begin with a letter and contain only alphanumeric characters.","NoEcho":"true","Description":"Username for MySQL database access","Type":"String"},"DBPassword":{"Type":"String","MinLength":"8","MaxLength":"41","AllowedPattern":"[a-zA-Z0-9]*","ConstraintDescription":"must contain only alphanumeric characters.","NoEcho":"true","Description":"Password MySQL database access"},"DBInstanceID":{"Default":"mydbinstance","Description":"My database instance","Type":"String","MinLength":"1","MaxLength":"63","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."},"DBName":{"ConstraintDescription":"Must begin with a letter and contain only alphanumeric characters.","Default":"mydb","Description":"My database","Type":"String","MinLength":"1","MaxLength":"64","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*"}},"Resources":{"MyDB":{"Type":"AWS::RDS::DBInstance","Properties":{"MasterUsername":"DBUsername","MasterUserPassword":"DBPassword","PubliclyAccessible":true,"DBInstanceIdentifier":"DBInstanceID","DBName":"DBName","AllocatedStorage":"DBAllocatedStorage","MonitoringInterval":"60","MonitoringRoleArn":"arn:aws:iam::123456789012:role/rds-monitoring-role","DBInstanceClass":"DBInstanceClass","Engine":"MySQL","EngineVersion":"8.0.16"}}},"AWSTemplateFormatVersion":"2010-09-09T00:00:00Z"}
1
2
rulesets:- CloudFormation / AWS # Rules to enforce / AWS.
Request a personalized demo
Get Started with Datadog
Ask AI
AI-generated responses may be inaccurate. Verify important info.
