rds-public-access-check


Evaluates whether an ApsaraDB RDS instance has a public endpoint. An instance without a public endpoint is considered compliant.

Scenarios

If you cannot access an ApsaraDB RDS instance over a virtual private cloud (VPC), you can apply for a public endpoint. Because a public endpoint exposes the instance to the Internet, use it with caution. Common scenarios include:
  • Accessing an ApsaraDB RDS instance from an Elastic Compute Service (ECS) instance in a different region or with a different network type.
  • Accessing an ApsaraDB RDS instance from a device outside Alibaba Cloud.

Risk level

Default risk level: high.

You can change the risk level when you apply this rule.

Compliance evaluation logic

  • If the ApsaraDB RDS instance has no public endpoint, the configuration is considered compliant.
  • If the ApsaraDB RDS instance has a public endpoint, the configuration is considered non-compliant. For remediation steps, see Non-compliance remediation.
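The evaluation logic above can be reproduced outside the Configuration Audit console, for example to pre-screen a fleet before the rule is applied or to cross-check its results. The following is an added example, not the rule's own implementation. It assumes the response shape of the RDS DescribeDBInstanceNetInfo API (an endpoint list under DBInstanceNetInfos.DBInstanceNetInfo, each entry carrying an IPType such as "Public" or "Private"); the instance IDs, hostnames and responses are constructed sample data rather than output captured from a real account.

```python
"""Offline re-implementation of the rds-public-access-check verdict.

Added example, not the rule's source code. Assumption: the input follows the
DescribeDBInstanceNetInfo response layout, where each endpoint record has an
IPType of "Public", "Private" or "Inner". All sample data below is constructed.
"""
from typing import Dict, Iterable, List

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def has_public_endpoint(net_infos: Iterable[Dict]) -> bool:
    """True if any endpoint record is an Internet-facing (public) endpoint.

    The comparison is case-insensitive so a casing difference in IPType
    cannot silently hide a public endpoint from the check.
    """
    return any(str(info.get("IPType", "")).lower() == "public" for info in net_infos)


def evaluate_instance(net_info_response: Dict) -> str:
    """Map one DescribeDBInstanceNetInfo-style response to a verdict.

    Mirrors the rule: no public endpoint -> COMPLIANT, otherwise NON_COMPLIANT.
    A missing or empty endpoint list counts as "no public endpoint".
    """
    records = net_info_response.get("DBInstanceNetInfos", {}).get(
        "DBInstanceNetInfo", []
    )
    return NON_COMPLIANT if has_public_endpoint(records) else COMPLIANT


def evaluate_fleet(responses: Dict[str, Dict]) -> Dict[str, str]:
    """Evaluate a mapping of instance ID -> response, returning ID -> verdict."""
    return {inst_id: evaluate_instance(resp) for inst_id, resp in responses.items()}


def non_compliant_instances(responses: Dict[str, Dict]) -> List[str]:
    """Sorted IDs the rule would flag, i.e. the remediation worklist."""
    verdicts = evaluate_fleet(responses)
    return sorted(i for i, v in verdicts.items() if v == NON_COMPLIANT)


# Constructed sample responses; hypothetical instance IDs and hostnames.
SAMPLE_RESPONSES = {
    "rm-example-private": {
        "DBInstanceNetInfos": {
            "DBInstanceNetInfo": [
                {
                    "IPType": "Private",
                    "ConnectionString": "rm-example-private.mysql.rds.example.invalid",
                    "Port": "3306",
                }
            ]
        }
    },
    "rm-example-public": {
        "DBInstanceNetInfos": {
            "DBInstanceNetInfo": [
                {
                    "IPType": "Private",
                    "ConnectionString": "rm-example-public.mysql.rds.example.invalid",
                    "Port": "3306",
                },
                {
                    "IPType": "Public",
                    "ConnectionString": "rm-example-public-pub.mysql.rds.example.invalid",
                    "Port": "3306",
                },
            ]
        }
    },
    "rm-example-empty": {"DBInstanceNetInfos": {"DBInstanceNetInfo": []}},
}

if __name__ == "__main__":
    for inst_id, verdict in evaluate_fleet(SAMPLE_RESPONSES).items():
        print(f"{inst_id}: {verdict}")
```

In practice the responses would come from one DescribeDBInstanceNetInfo call per instance; only the verdict logic is shown here so it runs offline. Treating an instance with both a private and a public endpoint as non-compliant matches the rule, since any public endpoint exposes the instance to the Internet.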

Rule details

Item                       Description
Rule name                  rds-public-access-check
Rule ID                    rds-public-access-check
Tag                        RDS
Automatic remediation      Supported
Trigger type               Configuration change
Supported resource type    ApsaraDB RDS instance
Input parameter            None

Non-compliance remediation

Release the public endpoint of the ApsaraDB RDS instance. For more information, see Release a public endpoint.

Ignore evaluation results

If your business requires a public endpoint on an ApsaraDB RDS instance, you can ignore the non-compliant resource on the rule details page to exclude it from non-compliance statistics. This only affects how compliance results are displayed and does not change the resource configuration.

  1. Log on to the Configuration Audit console.

  2. In the left-side navigation pane, choose Compliance Audit > Rules.

  3. In the rule list, click the rule name to open its details page.

  4. In the list of evaluation results, select the non-compliant resource that you want to ignore, and then click Ignore.

  5. In the Ignore Evaluation Result dialog box, configure the following parameters:

    • Automatic Recovery Time: Select how long to ignore the resource.

    • Ignored Reason: Enter the reason for ignoring this resource.

  6. Click OK.

After the setting is applied, the compliance status of the resource changes from non-compliant to Ignored, and the resource is excluded from non-compliance counts. To resume evaluation, select the ignored resource and click Revert. The resource reverts to non-compliant status and is included in compliance evaluations again.