RDS Public Access

Description

RDS instances with PubliclyAccessible enabled, or security groups that allow ingress from any address, expose databases directly to the internet. Weak authentication, missing TLS enforcement, public or shared snapshots, and unencrypted storage further increase the impact and persistence of a compromise.

Examples

Inspect Exposure

aws rds describe-db-instances --query 'DBInstances[*].{Id:DBInstanceIdentifier,Public:PubliclyAccessible,Endpoint:Endpoint.Address}'

Attempt to connect from an external IP to confirm reachability.

Check SSL/TLS requirement and encryption

aws rds describe-db-parameters --db-parameter-group-name <pg> \
  --query "Parameters[?ParameterName=='rds.force_ssl'].[ParameterName,ParameterValue]"
aws rds describe-db-instances --db-instance-identifier <id> \
  --query '{StorageEncrypted:StorageEncrypted,KmsKeyId:KmsKeyId,Engine:Engine}'

Public/shared snapshots

aws rds describe-db-snapshots --snapshot-type public
aws rds describe-db-snapshots --include-shared --snapshot-type shared
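
The checks above can be turned into one automated audit; the following is an added example, not from this page, written as pure functions over the JSON shapes returned by describe-db-instances, describe-security-groups and describe-db-snapshot-attributes and run on constructed sample data. Fetching the real data with boto3 and the sample identifiers (orders-prod, sg-open, and so on) are assumptions.

```python
def open_ingress(ip_permissions, port):
    """True if a security-group rule lets 0.0.0.0/0 or ::/0 reach `port` (describe-security-groups shape)."""
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):            # "-1" means all protocols and all ports
            continue
        if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            return True
    return False

def audit_instance(db, sg_rules_by_id):
    """Findings for one DBInstance dict (describe-db-instances shape); sg_rules_by_id maps sg-id -> IpPermissions."""
    findings = []
    port = db["Endpoint"]["Port"]
    if db.get("PubliclyAccessible"):
        findings.append("publicly-accessible")
    sg_ids = [g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])]
    if any(open_ingress(sg_rules_by_id.get(sg, []), port) for sg in sg_ids):
        findings.append(f"sg-open-to-internet:{port}")
    if not db.get("StorageEncrypted"):
        findings.append("storage-unencrypted")
    return findings

def audit_all(instances, sg_rules_by_id):
    return {db["DBInstanceIdentifier"]: audit_instance(db, sg_rules_by_id) for db in instances}

def snapshot_is_public(attrs):
    """describe-db-snapshot-attributes result: 'all' in the restore attribute means the snapshot is public."""
    return any(a["AttributeName"] == "restore" and "all" in a.get("AttributeValues", [])
               for a in attrs.get("DBSnapshotAttributes", []))

# Constructed sample data mimicking the CLI/boto3 responses; identifiers are placeholders.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": True, "StorageEncrypted": False,
     "Endpoint": {"Address": "orders-prod.example.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "orders-private", "PubliclyAccessible": False, "StorageEncrypted": True,
     "Endpoint": {"Address": "orders-private.example.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-tight"}]},
]
SAMPLE_SG_RULES = {
    "sg-open": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-tight": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
}
SAMPLE_SNAPSHOT_ATTRS = {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}
```

The snapshot check is the per-snapshot complement to the listing commands above: describe-db-snapshots --snapshot-type public lists every public snapshot in the region, while a snapshot's own restore attribute containing all tells you that one of yours is public.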

Remediation

  1. Disable public access; place RDS in private subnets and restrict SGs.
  2. Enforce IAM/database auth best practices and TLS in transit; set rds.force_ssl=1 where applicable.
  3. Use RDS Proxy and rotate credentials; enable automatic minor upgrades and backups; encrypt storage with KMS and avoid public/shared snapshots.