Ensure that AWS DB Security Group does not allow public access

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to the RDS database.

Risk Level: High
Cloud Entity: DB Security Group
CloudGuard Rule ID: D9.CFT.NET.08
Covered by Spectral: Yes
Category: Networking & Content Delivery


AWS_RDS_DBSecurityGroup should not have DBSecurityGroupIngress contain-any [ CIDRIP='' ]


From CFT
Set the AWS::RDS::DBSecurityGroup CIDRIP property to a specific IP address or range
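One way to check a template for this condition before deployment, as an added example that is not CloudGuard's or Spectral's own code. It assumes `0.0.0.0/0` is the unrestricted value the rule targets; the template, resource names and function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed CloudFormation template: one open rule, one restricted rule.
TEMPLATE = json.loads("""
{
  "Resources": {
    "OpenDbSg": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "constructed: open to the internet",
        "DBSecurityGroupIngress": [{"CIDRIP": "0.0.0.0/0"}]
      }
    },
    "RestrictedDbSg": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "constructed: documentation range only",
        "DBSecurityGroupIngress": [{"CIDRIP": "203.0.113.0/24"}]
      }
    }
  }
}
""")

def is_unrestricted(cidr):
    """True when the CIDR has prefix length 0, i.e. matches any source address."""
    if not isinstance(cidr, str):
        return False  # e.g. an unresolved {"Ref": ...}; needs manual review
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # empty or malformed value

def find_public_db_security_groups(template):
    """Return logical IDs of DB security groups with an open ingress CIDRIP."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBSecurityGroup":
            continue
        ingress = res.get("Properties", {}).get("DBSecurityGroupIngress", [])
        if isinstance(ingress, dict):  # tolerate a single rule given as an object
            ingress = [ingress]
        rules = [r for r in ingress if isinstance(r, dict)]
        if any(is_unrestricted(r.get("CIDRIP")) for r in rules):
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(find_public_db_security_groups(TEMPLATE))
```

A `CIDRIP` supplied through a parameter or intrinsic function is not resolved by this check, so those rules still need review against the parameter's allowed values.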


  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html
  2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-rds.html#scenario-rds-security-group-cidr

DB Security Group

DB security groups are used with DB instances that are not in a VPC and on the EC2-Classic platform. Each DB security group rule enables a specific source to access a DB instance that is associated with that DB security group. The source can be a range of addresses or an EC2-Classic security group. When you specify an EC2-Classic security group as the source, you allow incoming traffic from all EC2 instances that use that EC2-Classic security group. DB security group rules apply to inbound traffic only; outbound traffic is not currently permitted for DB instances.

Compliance Frameworks

  • AWS CloudFormation ruleset