Skip to content

Ensure AWS RDS Instance is Private

Description

Ensures that an RDS instance is not marked as public.

Rationale

Ensures that a AWS RDS instance is not exposed to the open internet and is only accessible from inside the VPC, decreasing its attack surface.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service rds
secureclouddb/resource-type db

Default Rule

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the database instance is not publically available
 */
function validate(databaseSettings) {
    const success = databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.rdsDatabaseInstance &&
        !(databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.public)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);