Ensure AWS RDS database instance is not publicly accessible

Ensure that your RDS database instances are not exposed to the internet as it could lead to a potential data loss since you are giving direct access to your database.It is considered a security best practice and should have public access removed.

Risk Level: Critical
Cloud Entity: Amazon RDS
CloudGuard Rule ID: D9.CFT.IAM.39
Covered by Spectral: Yes
Category: Database


AWS_RDS_DBInstance should have PubliclyAccessible=false


From CFT
Set AWS::RDS::DBInstance::PubliclyAccessible to false.
See below example template;

Type: 'AWS::RDS::DBInstance'

PubliclyAccessible : false



  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-publiclyaccessible

Amazon RDS

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.

Compliance Frameworks

  • AWS CloudFormation ruleset