
Changes to Rule - Ensure that public access is not given to RDS Instance

Stax Team

On 10 May 2023, a fix will be released for the Rules that check whether RDS instances are publicly accessible via a VPC.

Currently, the listed Rules include a check that incorrectly marks an RDS database as public whenever the instance's VPC subnet has a default route (CIDR block 0.0.0.0/0). This check is invalid because a default route alone does not make the instance publicly accessible: the default route must also have an internet gateway as its target. A default route to a NAT gateway or another non-internet-gateway target gives no inbound exposure.

Affected Rules, by Bundle Name:

CIS Benchmark Version 1.5.0
  • CIS 2.3.3 - Ensure that public access is not given to RDS Instances (this Rule also checks that the Publicly Accessible flag is disabled)

Organization Rules/Rule Catalog
  • Ensure that public access is not given to RDS Instance via VPC (this Rule also checks that the RDS Instance Publicly Accessible setting is disabled)
  • RDS instances in a subnet should not have internet access

APRA Version 1.0
  • RDS instances should not exist in public subnets

RDS Best Practice Version 1.0
  • RDS instances in a subnet should not have internet access

After the change, these Rules will pass if the below condition is met:

  • The RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target.
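The following is an added illustration of the before/after logic described in this notice; it is not Stax's rule implementation. The input dictionaries mimic the shape of the EC2 DescribeRouteTables and RDS DescribeDBInstances responses and are constructed sample data with placeholder IDs, so it runs offline.

```python
# Added example, not Stax's rule code. Dicts mimic EC2 DescribeRouteTables and
# RDS DescribeDBInstances response shapes; all data is constructed, no AWS calls.

DEFAULT_ROUTE = "0.0.0.0/0"

def has_default_route(route_table: dict) -> bool:
    """Old, incorrect logic: any 0.0.0.0/0 route counts as public egress."""
    return any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
               for r in route_table.get("Routes", []))

def has_igw_default_route(route_table: dict) -> bool:
    """Corrected logic: a 0.0.0.0/0 route whose target is an internet gateway.
    A NAT gateway (NatGatewayId) or other target gives no inbound exposure."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if r.get("State", "active") != "active":  # blackholed routes do not route
            continue
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return True
    return False

def evaluate_rds_instance(instance: dict, route_tables_by_subnet: dict,
                          check_flag: bool = True) -> list:
    """Return findings for one DB instance; an empty list means the Rule passes."""
    findings = []
    if check_flag and instance.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible flag is enabled")
    for sub in instance["DBSubnetGroup"]["Subnets"]:
        sid = sub["SubnetIdentifier"]
        if has_igw_default_route(route_tables_by_subnet[sid]):
            findings.append(f"{sid}: default route targets an internet gateway")
    return findings

# Constructed sample data (placeholder IDs).
NAT_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0example", "State": "active"}]}
IGW_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0example", "State": "active"}]}
ROUTE_TABLES = {"subnet-private": NAT_RT, "subnet-public": IGW_RT}
PRIVATE_DB = {"PubliclyAccessible": False,
              "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-private"}]}}
PUBLIC_DB = {"PubliclyAccessible": False,
             "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-public"}]}}

if __name__ == "__main__":
    print("old check flags NAT-only subnet:", has_default_route(NAT_RT))  # True (false positive)
    print("findings for IGW subnet:", evaluate_rds_instance(PUBLIC_DB, ROUTE_TABLES))
```

The NAT-only subnet is the case the old check reported as public; the corrected check passes it and still fails the subnet whose default route targets an internet gateway.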

This change may affect the compliance score of the affected Rules.