RDS DB Instance – Block Public Access
This check flags Amazon RDS DB instances whose Publicly accessible setting is enabled. Such an instance has a public IP address, and its endpoint hostname resolves to that address from the internet, so the only control between the database and the internet is its security group. Disabling the setting, and making sure the subnets the instance lives in have no route to an Internet Gateway, keeps the database reachable only from inside the VPC, which takes it out of internet-wide port scans and credential-guessing attacks and protects the sensitive data it holds.
Check Details
- Resource: RDS DB Instance
- Check: Block public access to RDS instance
- Risk: Publicly accessible databases may be exposed to unauthorized access
Remediation via AWS Console
- Log in to the AWS Management Console and open the Amazon RDS console.
- From the navigation panel, click Databases.
- Select the RDS instance you want to update.
- Click Modify from the top menu.
- Scroll to the Connectivity section and expand Additional connectivity configuration. Set Publicly accessible to No. This removes the instance's public IP address; the endpoint hostname then resolves only to the private IP, so clients that reached the database over the internet lose access while clients inside the VPC are unaffected.
- Update subnet and route configuration so that no subnet in the instance's DB subnet group routes to an Internet Gateway:
  - Under Connectivity & security, note the subnets listed for the instance and click the VPC ID.
  - On the VPC page, open Details and click the Route table link. This is the VPC's main route table, which applies only to subnets without an explicit route table association. For each subnet in the DB subnet group, also open the subnet in the VPC console and check its Route table tab, because an explicitly associated table overrides the main one.
  - In the route table:
    - Open the Routes tab
    - Click Edit routes
    - Remove or update any route with target igw-* (Internet Gateway)
    - Click Save routes
  - A route table can be shared by several subnets. Removing its igw-* route makes every subnet that uses it private, so confirm that nothing else in those subnets (a NAT gateway, a bastion host, an internet-facing load balancer) depends on that route before saving. If something does, move the database to a DB subnet group made up of private subnets instead.
- Return to the Modify DB Instance page. Click Continue, choose Apply immediately, and click Modify DB Instance.
- Repeat these steps for all RDS instances in the current region. Change the AWS region and repeat for other regions.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner, or use any shell where the AWS CLI is configured with sufficient permissions.
- List the RDS instances in a region together with their Publicly accessible setting, so you know which ones need changing:
  aws rds describe-db-instances \
    --region <region-name> \
    --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'
- Disable public access for the selected RDS instance:
  aws rds modify-db-instance \
    --region <region-name> \
    --db-instance-identifier <db-instance-name> \
    --no-publicly-accessible \
    --apply-immediately
  Run the describe command again afterwards; the instance should now report false.
Note: The route table changes can also be made from the CLI (aws ec2 describe-route-tables to find the tables associated with the DB subnet group's subnets, then aws ec2 delete-route or aws ec2 replace-route for the igw-* entry), but because a route table may be shared with subnets that must keep internet access, review its associations before deleting anything rather than scripting the deletion blindly.
Repeat these steps for all RDS instances in the current region and across all AWS regions used by the account.
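Both remediation paths above work one instance at a time and stop at the VPC's main route table. The Python script below is an added example, not part of this page or of the product it documents; it automates the same two controls with boto3 and goes one step further by resolving the route table of every subnet in the instance's DB subnet group (explicit association first, then the VPC main table), which catches instances whose Publicly accessible flag is already off but whose subnets still route to an Internet Gateway. The FakeRds and FakeEc2 classes and the SAMPLE_* data are constructed stand-ins so the script runs offline; the function names audit and remediate and the --live/--apply switches are this example's own. Route deletion is opt-in and everything is dry-run by default, because a shared route table is exactly the failure mode the console steps warn about.

```python
"""Audit and remediate publicly reachable RDS DB instances (added example).
An instance is reported if its PubliclyAccessible flag is set, or if a subnet in
its DB subnet group uses a route table with a route to an Internet Gateway
(igw-*); route tables are resolved per subnet (explicit association, else the VPC
main table). The Fake* clients and SAMPLE_* data are constructed for an offline
run; only the boto3 calls under __main__ touch a real account.
"""

def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """An explicit subnet association wins; otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def igw_routes(route_table):
    """(destination_cidr, igw_id) for every active IPv4 route whose target is an IGW."""
    return [(r["DestinationCidrBlock"], r["GatewayId"])
            for r in route_table.get("Routes", [])
            if r.get("GatewayId", "").startswith("igw-")
            and r.get("State", "active") == "active" and "DestinationCidrBlock" in r]

def audit(rds, ec2):
    """Return {db_id: {"public": bool, "igw_routes": [(rtb_id, cidr, igw_id)]}}."""
    findings = {}
    tables = ec2.describe_route_tables()["RouteTables"]
    for db in rds.describe_db_instances()["DBInstances"]:
        group, routes = db.get("DBSubnetGroup", {}), []
        for subnet in group.get("Subnets", []):
            rt = route_table_for_subnet(tables, subnet["SubnetIdentifier"], group.get("VpcId"))
            for cidr, gw in igw_routes(rt or {}):
                if (rt["RouteTableId"], cidr, gw) not in routes:  # subnets may share a table
                    routes.append((rt["RouteTableId"], cidr, gw))
        if db.get("PubliclyAccessible") or routes:
            findings[db["DBInstanceIdentifier"]] = {
                "public": bool(db.get("PubliclyAccessible")), "igw_routes": routes}
    return findings

def remediate(rds, ec2, findings, dry_run=True, remove_igw_routes=False):
    """Clear the public flag on each finding and return the actions taken (or, in
    dry_run, planned). Deleting igw routes is opt-in: a route table may be shared
    with subnets that must stay public (NAT gateways, bastions), so review first."""
    actions = []
    for db_id, f in findings.items():
        if f["public"]:
            actions.append(("modify-db-instance", db_id))
            if not dry_run:
                rds.modify_db_instance(DBInstanceIdentifier=db_id,
                                       PubliclyAccessible=False, ApplyImmediately=True)
        for rt_id, cidr, _gw in f["igw_routes"]:
            actions.append(("delete-route" if remove_igw_routes else "review-route", rt_id, cidr))
            if remove_igw_routes and not dry_run:
                ec2.delete_route(RouteTableId=rt_id, DestinationCidrBlock=cidr)
    return actions

# Constructed stand-ins for the boto3 clients; none of the data below is from a real account.
class FakeRds:
    def __init__(self, instances): self.instances, self.calls = instances, []
    def describe_db_instances(self): return {"DBInstances": self.instances}
    def modify_db_instance(self, **kw): self.calls.append(kw)

class FakeEc2:
    def __init__(self, tables): self.tables, self.calls = tables, []
    def describe_route_tables(self): return {"RouteTables": self.tables}
    def delete_route(self, **kw): self.calls.append(kw)

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"}]},
]
SAMPLE_INSTANCES = [  # db-routed is the case that checking the flag alone misses
    {"DBInstanceIdentifier": "db-public", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-1", "Subnets": [{"SubnetIdentifier": "subnet-priv"}]}},
    {"DBInstanceIdentifier": "db-routed", "PubliclyAccessible": False,
     "DBSubnetGroup": {"VpcId": "vpc-1", "Subnets": [{"SubnetIdentifier": "subnet-noassoc"}]}},
    {"DBInstanceIdentifier": "db-clean", "PubliclyAccessible": False,
     "DBSubnetGroup": {"VpcId": "vpc-1", "Subnets": [{"SubnetIdentifier": "subnet-priv"}]}},
]

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # real account, every region offering RDS; add --apply to change it
        import boto3
        for region in boto3.session.Session().get_available_regions("rds"):
            rds, ec2 = boto3.client("rds", region_name=region), boto3.client("ec2", region_name=region)
            print(region, remediate(rds, ec2, audit(rds, ec2), dry_run="--apply" not in sys.argv))
    else:
        rds, ec2 = FakeRds(SAMPLE_INSTANCES), FakeEc2(SAMPLE_ROUTE_TABLES)
        print(remediate(rds, ec2, audit(rds, ec2)))
```

Run with no arguments for the offline demo: db-public is reported for its flag, db-routed is reported because its unassociated subnet falls back to the main route table with the igw-* default route, and db-clean is silent because its explicitly associated table routes through a NAT gateway. With --live the script audits every region that offers RDS using your configured credentials and prints the planned actions; --apply performs the modify_db_instance calls, while igw routes are still only listed for review unless you call remediate with remove_igw_routes=True yourself. As with the console path, expect internet clients to lose connectivity the moment PubliclyAccessible becomes false.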
Updated on 06 March, 2026