---
names:
  full: AWS RDS Instance is publicly accessible
  contextual: Instance is publicly accessible
description: "Ensure and verify that RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance."
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
frameworkMappings:
  - "/frameworks/cis-aws-v6.0.0/03/02/03"
  - "/frameworks/cloudaware/resource-security/network-exposure"
  - "/frameworks/aws-fsbp-v1.0.0/rds/02"
similarPolicies:
  awsSecurityHub:
    - name: "[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration"
      url: "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-2"
    - name: "[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways"
      url: "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-46"
  cloudConformity:
    - url: https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-publicly-accessible.html
      name: RDS Publicly Accessible
    - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/instance-not-in-public-subnet.html
      name: RDS Instance Not In Public Subnet
  internal:
    - dec-x-f937c35f