Ensure that no AWS RDS database instances are provisioned inside VPC public subnets in order to protect them from direct exposure to the Internet. Since database instances are not Internet-facing and their management (running software updates, implementing security patches, etc) is done by Amazon, these instances should run only in private subnets.
This rule resolution is part of the Cloud Conformity solution
By provisioning your RDS instances within private subnets (logically isolated sections of AWS VPC) you will prevent these resources from receiving inbound traffic from the public Internet, therefore have a stronger guarantee that no malicious requests can reach your database instances.
Note: For this rule Cloud Conformity assumes that you have private RDS subnet groups already defined within your VPC. A private RDS Subnet Group is a collection of private subnets that you create in your VPC to use with your RDS DB instances.
To determine if your RDS database instances are currently running within AWS VPC public subnets, perform the following:
Remediation / Resolution
To move your RDS database instances from public subnets to private subnets, you must replace their current subnet groups with the ones that contain VPC private subnets. To implement the database instance(s) migration, perform the following:
- AWS Documentation
- Amazon RDS FAQs
- Scenario 2: VPC with Public and Private Subnets (NAT)
- Working with an Amazon RDS DB Instance in a VPC
- Modifying an Amazon RDS DB Instance and Using the Apply Immediately Parameter
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
RDS Instance Not In Public Subnet
Risk level: High