Ensure AWS RDS database instance is not publicly accessible

Error: AWS RDS database instance is publicly accessible

Bridgecrew Policy ID: BC_AWS_PUBLIC_2
Checkov Check ID: CKV_AWS_17
Severity: HIGH

Description

AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. RDS native encryption helps protect your applications deployed in the cloud and easily fulfills compliance requirements for data-at-rest encryption.

We recommend encrypting RDS storage as an additional layer of defense against unauthorized access to the data it holds. Independently of encryption, an instance created with public accessibility enabled gets a publicly resolvable endpoint, so it is exposed to the internet to the extent its security group allows; keep the flag disabled so the instance is reachable only from within its VPC and from networks connected to it.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon RDS console.
  3. On the navigation pane, click Snapshots.
  4. Select the snapshot to encrypt.
  5. Navigate to Snapshot Actions, select Copy Snapshot.
  6. Select your Destination Region, then enter your New DB Snapshot Identifier.
  7. Set Enable Encryption to Yes.
  8. Select your Master Key from the list, then select Copy Snapshot.

Fix - Buildtime

Terraform

  • Resource: aws_db_instance
  • Argument: publicly_accessible

resource "aws_db_instance" "default" {
  ...
+ publicly_accessible   = false
}

CloudFormation

  • Resource: AWS::RDS::DBInstance
  • Argument: Properties.PubliclyAccessible

Type: 'AWS::RDS::DBInstance'
Properties:
  ...
+ PubliclyAccessible: false
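The same rule evaluated in code, as an added example that is not Bridgecrew's or Checkov's own implementation: a buildtime check over a parsed aws_db_instance block (argument values in the one-element-list shape Checkov's Terraform parser produces, missing argument meaning the provider default of false) and a runtime scan over a describe_db_instances-shaped response. All sample data is constructed; remediation_params only builds the arguments for boto3's rds.modify_db_instance and does not call AWS.

```python
"""Check CKV_AWS_17 / BC_AWS_PUBLIC_2 at buildtime and runtime (constructed inputs)."""
from typing import Any, Dict, List

PASSED, FAILED = "PASSED", "FAILED"


def check_terraform_db_instance(conf: Dict[str, Any]) -> str:
    """Evaluate one parsed aws_db_instance block.

    Values arrive as one-element lists, e.g. {"publicly_accessible": [True]}.
    A missing argument means the provider default (false), which passes.
    """
    value = conf.get("publicly_accessible", [False])[0]
    # Tolerate string literals such as "true" coming from templated configs.
    if isinstance(value, str):
        value = value.strip().lower() == "true"
    return FAILED if value else PASSED


def public_instances(describe_response: Dict[str, Any]) -> List[str]:
    """Identifiers of instances whose PubliclyAccessible flag is set,
    read from a describe_db_instances-shaped response."""
    return sorted(
        db["DBInstanceIdentifier"]
        for db in describe_response.get("DBInstances", [])
        if db.get("PubliclyAccessible", False)
    )


def remediation_params(identifier: str) -> Dict[str, Any]:
    """Keyword arguments for rds.modify_db_instance that clear the flag;
    kept separate so the change can be reviewed before it is applied."""
    return {"DBInstanceIdentifier": identifier,
            "PubliclyAccessible": False,
            "ApplyImmediately": True}


# Constructed sample data, not output from a real account.
SAMPLE_DESCRIBE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "orders-replica", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-db"},  # flag absent: treated as private
]}

if __name__ == "__main__":
    print(check_terraform_db_instance({"publicly_accessible": [True]}))  # FAILED
    for db_id in public_instances(SAMPLE_DESCRIBE):
        print(db_id, remediation_params(db_id))
```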