For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-rds-associated-with-public-subnet.md. A documentation index is available at /llms.txt.

RDS associated with public subnet

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-rds-associated-with-public-subnet

Provider: AWS

Platform: Terraform

Severity: Critical

Category: Networking and Firewall

Learn More

Description

Amazon RDS instances should not be associated with public subnets to prevent potential unauthorized access from the internet. When an RDS instance is placed in a subnet group containing a public subnet (with a CIDR such as 0.0.0.0/0), it creates an attack vector for malicious actors to exploit your database.

Instead, RDS instances should only be deployed in private subnets with specific CIDR blocks. In the secure example, subnets use specific CIDR blocks such as 172.2.0.0/24 and 176.2.0.0/24, while the vulnerable example uses 0.0.0.0/0 which allows traffic from any IP address. Properly securing your database network configuration helps prevent data breaches and unauthorized access to sensitive information.

Compliant Code Examples

resource "aws_db_instance" "negative1" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "negative1.mysql5.7"
  skip_final_snapshot  = true
  db_subnet_group_name = aws_db_subnet_group.subnetGroup3.name
}

resource "aws_db_subnet_group" "subnetGroup3" {
  name       = "main"
  subnet_ids = [aws_subnet.frontend3.id, aws_subnet.backend3.id]

  tags = {
    Name = "My DB subnet group"
  }
}

resource "aws_subnet" "frontend3" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "172.2.0.0/24"
}


resource "aws_subnet" "backend3" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr2.vpc_id
  cidr_block = "176.2.0.0/24"
}

Non-Compliant Code Examples

resource "aws_db_instance" "positive1" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "positive1.mysql5.7"
  skip_final_snapshot  = true
  db_subnet_group_name = aws_db_subnet_group.subnetGroup.name
}

resource "aws_db_subnet_group" "subnetGroup" {
  name       = "main"
  subnet_ids = [aws_subnet.frontend.id, aws_subnet.backend.id]

  tags = {
    Name = "My DB subnet group"
  }
}

resource "aws_subnet" "frontend" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "172.2.0.0/24"
}


resource "aws_subnet" "backend" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "0.0.0.0/0"
}

resource "aws_db_instance" "positive2" {
  allocated_storage    = 10
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "positive2.mysql5.7"
  skip_final_snapshot  = true
  db_subnet_group_name = "subnetGroup2"
}

resource "aws_db_subnet_group" "subnetGroup2" {
  name       = "main"
  subnet_ids = [aws_subnet.frontend2.id, aws_subnet.backend2.id]

  tags = {
    Name = "My DB subnet group"
  }
}

resource "aws_subnet" "frontend2" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "172.2.0.0/24"
}


resource "aws_subnet" "backend2" {
  vpc_id     = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id
  cidr_block = "0.0.0.0/0"
}