
Changes to Rule - Ensure that public access is not given to RDS Instance

Stax Team

As announced on 3 May 2023, a fix has been released to remediate an issue impacting several Rules that verify if RDS instances are publicly accessible.

Before the change, the Rules incorrectly marked RDS instances as public whenever they sat in a VPC subnet whose route table had a default route (CIDR block 0.0.0.0/0). That check was incomplete: a subnet is only publicly reachable if that default route also has an internet gateway as its target.

The Rule now passes if the RDS instance's subnet has no default route (CIDR block 0.0.0.0/0) whose target is an internet gateway, i.e. the subnet does not allow public egress through an internet gateway. This change may have affected the compliance score of the Rules listed below.
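The before/after logic described above, written out as an added example that is not Stax's own rule code. It runs over constructed route tables in the shape returned by boto3's `ec2.describe_route_tables()`, and also applies the VPC's main route table to subnets without an explicit association (an assumption about how the check would be evaluated in practice, not something the note above spells out).

```python
# Added example (not Stax's rule code): old vs. corrected logic for the
# "RDS subnet has internet access" check, applied to constructed route
# tables shaped like boto3's ec2.describe_route_tables() output.

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample data: three subnets with different routing setups.
ROUTE_TABLES = [
    {   # public subnet: default route to an internet gateway
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0123456789abcdef0"},
        ],
    },
    {   # private subnet: default route to a NAT gateway (no inbound path)
        "Associations": [{"SubnetId": "subnet-nat"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123456789abcdef0"},
        ],
    },
    {   # VPC main table (used by unassociated subnets): no default route at all
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]


def routes_for_subnet(subnet_id, route_tables):
    """Routes of the table associated with subnet_id, else the VPC main table."""
    main_routes = []
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table["Routes"]
            if assoc.get("Main"):
                main_routes = table["Routes"]
    return main_routes


def old_check_has_internet_access(subnet_id, route_tables):
    """Pre-fix logic: any 0.0.0.0/0 route counts, whatever its target."""
    return any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
               for r in routes_for_subnet(subnet_id, route_tables))


def new_check_has_internet_access(subnet_id, route_tables):
    """Corrected logic: the 0.0.0.0/0 route must target an internet gateway."""
    return any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
               and r.get("GatewayId", "").startswith("igw-")
               for r in routes_for_subnet(subnet_id, route_tables))
```

The NAT-gateway subnet is where the two checks disagree: the old logic flagged it as public, the corrected logic does not.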

| Bundle | Rule Name |
| --- | --- |
| CIS Benchmark Version 1.5.0 | CIS 2.3.3 - Ensure that public access is not given to RDS Instances |
| Organization Rules/Rule Catalog | RDS instances in a subnet should not have internet access |
| APRA Version 1.0 | RDS instances should not exist in public subnets (this rule has been renamed to: RDS instances in a subnet should not have internet access) |
| RDS Best Practice Version 1.0 | RDS instances in a subnet should not have internet access |