This rule checks whether the IP whitelist of an RDS instance contains public IP addresses. If the whitelist includes no public IP addresses, the instance is considered compliant.
Scenarios
An RDS instance accessible from the public internet is exposed to unauthorized connection attempts from any IP address. Restricting the IP whitelist to internal network addresses ensures that only application servers within your private network can connect to the database, reducing the attack surface and protecting sensitive data.
Risk level
Default risk level: medium.
Adjust the risk level to match your organization's security requirements.
Detection logic
This rule evaluates the IP whitelist of each RDS instance. An instance is non-compliant if the whitelist contains one or more public IP addresses. An instance is compliant if the whitelist contains only internal network addresses or no entries.
Rule details
| Parameter | Description |
| --- | --- |
| Rule name | RDS instance IP whitelist does not contain public network |
| Rule identifier | |
| Automatic remediation | Not supported |
| Rule trigger | Configuration change |
| Supported resource types | ACS::RDS::DBInstance |
| Input parameters | None |
Remediation guidance
Remove any public IP addresses from the RDS instance IP whitelist and restrict entries to internal network addresses. For step-by-step instructions, see Configure an IP whitelist.