Ensure that no AWS RDS database instances are provisioned inside VPC public subnets, in order to protect them from direct exposure to the Internet. Since database instances are not Internet-facing and their management (running software updates, implementing security patches, etc.) is done by Amazon, these instances should run only in private subnets.
By provisioning your RDS instances within private subnets (logically isolated sections of your AWS VPC) you prevent these resources from receiving inbound traffic from the public Internet, and therefore gain a stronger guarantee that no malicious requests can reach your database instances.

Note: For this rule Cloud Conformity assumes that you have private RDS subnet groups already defined within your VPC. A private RDS Subnet Group is a collection of private subnets that you create in your VPC for use with your RDS DB instances.
To determine if your RDS database instances are currently running within AWS VPC public subnets, perform the following:
To move your RDS database instances from public subnets to private subnets, you must replace their current subnet groups with ones that contain only VPC private subnets. To migrate the database instance(s), perform the following:
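The audit check described above, as an added Python example that is not part of the Cloud Conformity rule text: a subnet is treated as public when the route table that governs it (its explicitly associated table, or the VPC's main table otherwise) has an active route to an internet gateway. The input dictionaries mirror the shape of the boto3 `ec2.describe_route_tables` and `rds.describe_db_instances` responses, but the data below is constructed so the script runs offline.

```python
def subnet_exposure(route_tables):
    """Return (explicit, main_by_vpc). explicit maps a subnet ID to whether its
    associated route table has an internet-gateway route; main_by_vpc does the
    same for each VPC's main route table, which governs unassociated subnets."""
    explicit, main_by_vpc = {}, {}
    for rt in route_tables:
        # A route table makes its subnets public when an active route targets an igw-* gateway.
        has_igw = any(
            r.get("GatewayId", "").startswith("igw-") and r.get("State", "active") == "active"
            for r in rt.get("Routes", [])
        )
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = has_igw
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = has_igw
    return explicit, main_by_vpc


def rds_in_public_subnets(db_instances, route_tables):
    """Map each non-compliant DB instance identifier to its public subnet IDs."""
    explicit, main_by_vpc = subnet_exposure(route_tables)
    findings = {}
    for db in db_instances:
        group = db["DBSubnetGroup"]
        vpc_default = main_by_vpc.get(group["VpcId"], False)
        exposed = [s["SubnetIdentifier"] for s in group["Subnets"]
                   if explicit.get(s["SubnetIdentifier"], vpc_default)]
        if exposed:
            findings[db["DBInstanceIdentifier"]] = exposed
    return findings


# Constructed sample data shaped like ec2.describe_route_tables()["RouteTables"]
# and rds.describe_db_instances()["DBInstances"]; none of these IDs are real.
ROUTE_TABLES = [
    {"VpcId": "vpc-0aaa", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"VpcId": "vpc-0aaa", "Associations": [{"Main": False, "SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"}]},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db", "DBSubnetGroup": {"VpcId": "vpc-0aaa",
     "Subnets": [{"SubnetIdentifier": "subnet-priv1"}, {"SubnetIdentifier": "subnet-priv2"}]}},
    {"DBInstanceIdentifier": "legacy-db", "DBSubnetGroup": {"VpcId": "vpc-0aaa",
     "Subnets": [{"SubnetIdentifier": "subnet-priv1"}, {"SubnetIdentifier": "subnet-pub1"}]}},
]

if __name__ == "__main__":
    for name, subnets in rds_in_public_subnets(DB_INSTANCES, ROUTE_TABLES).items():
        print(f"{name}: DB subnet group contains public subnet(s) {', '.join(subnets)}")
```

Only `legacy-db` is reported, because its subnet group includes `subnet-pub1`, whose route table has a 0.0.0.0/0 route to an internet gateway; a subnet group in which every subnet falls back to the IGW-less main table passes.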