AWS RDS Snapshots Are Public


You can share unencrypted manual RDS snapshots as public, which makes the snapshot available to all AWS accounts.

For more information, refer to the RDS Snapshots Documentation.


Make sure your RDS snapshots aren't public to avoid exposing internal, potentially sensitive information.
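
The check described above can also be run directly against the output of `aws rds describe-db-snapshot-attributes`, where a public snapshot carries the value `all` in its `restore` attribute. The following is an added example, not the rule shipped with this page, and it goes one step further by also flagging snapshots shared with accounts outside an allow-list. The function name, the allow-list parameter, the snapshot identifiers and the account IDs are assumptions made for illustration.

```javascript
// Added example. Input mirrors the DBSnapshotAttributesResult objects returned by
// `aws rds describe-db-snapshot-attributes`; identifiers and account IDs are constructed.
const PUBLIC_MARKER = 'all'; // RDS stores "all" in the restore attribute of a public snapshot

/**
 * @param {Object[]} results - DBSnapshotAttributesResult objects
 * @param {string[]} trustedAccounts - account IDs allowed to restore (assumed allow-list)
 * @returns {Object[]} one finding per snapshot that is public or shared outside the allow-list
 */
function findExposedSnapshots(results, trustedAccounts = []) {
    const trusted = new Set(trustedAccounts);
    const findings = [];
    for (const result of results || []) {
        // A snapshot with no attributes at all is private: treat missing fields as empty.
        const restore = (result.DBSnapshotAttributes || [])
            .find(attr => attr.AttributeName === 'restore');
        const values = (restore && restore.AttributeValues) || [];
        if (values.includes(PUBLIC_MARKER)) {
            findings.push({ snapshot: result.DBSnapshotIdentifier, exposure: 'public', accounts: [] });
            continue;
        }
        const unknown = values.filter(id => !trusted.has(id));
        if (unknown.length > 0) {
            findings.push({ snapshot: result.DBSnapshotIdentifier, exposure: 'untrusted-share', accounts: unknown });
        }
    }
    return findings;
}

// Constructed sample data: one public, one shared with two accounts, two private.
const sample = [
    { DBSnapshotIdentifier: 'orders-2024-01-01', DBSnapshotAttributes: [{ AttributeName: 'restore', AttributeValues: ['all'] }] },
    { DBSnapshotIdentifier: 'orders-2024-01-02', DBSnapshotAttributes: [{ AttributeName: 'restore', AttributeValues: ['111111111111', '222222222222'] }] },
    { DBSnapshotIdentifier: 'orders-2024-01-03', DBSnapshotAttributes: [{ AttributeName: 'restore', AttributeValues: [] }] },
    { DBSnapshotIdentifier: 'orders-2024-01-04' },
];

for (const f of findExposedSnapshots(sample, ['111111111111'])) {
    console.log(`${f.snapshot}: ${f.exposure} ${f.accounts.join(',')}`.trim());
}
```

A snapshot reported as `public` can be made private again with `aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id> --attribute-name restore --values-to-remove all`.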

Applies To

  • Latest Blob Instances


This rule is applied when the following tags are present:

Tag                           With Value
secureclouddb/provider        aws
secureclouddb/service         rds
secureclouddb/resource-type   db

Default Rule

const { isEmptyArray } = module

/**
 * @param {Object} blobInstances - database snapshots
 * @returns {boolean} true if database snapshots are not public
 */
function validate(blobInstances) {
    const success = isEmptyArray(blobInstances.values) || 
                    blobInstances.values.every(snap => 
                        snap.configuration &&
               !== 'public'

    return {

// invoke