Amazon RDS database instances and Redshift clusters that are publicly accessible are exposed to the internet.
When an Amazon RDS database instance or Redshift cluster is created with publicly_accessible set to true, AWS assigns it a public IP address and a DNS name that resolves to that address from outside the VPC. Reachability then depends only on the network path: if the subnet routes to an internet gateway and the security group allows inbound traffic on the database port from 0.0.0.0/0, the database can be reached directly from the internet. The flag itself is the exposure; the security group merely decides who gets through.
A database is a high-value target that should sit on a private network segment reachable only from application tiers. Exposing it publicly removes a critical network boundary.
Public exposure invites continuous scanning and credential-stuffing attempts against the database endpoint. It also increases the blast radius of any credential leak: a leaked secret can be used from anywhere on the internet rather than only from within the private network.
Set publicly_accessible to false so the database only gets a private address and is reachable solely from within the VPC, and rely on private connectivity such as a VPN, VPC peering, or a bastion host for administrative access. Pair this with a security group that allows inbound traffic on the database port only from the application tier's security group, not from a CIDR range. Note that the Terraform AWS provider defaults publicly_accessible to false for aws_db_instance but to true for aws_redshift_cluster, so a Redshift cluster must set it to false explicitly; omitting the attribute is not enough.
Noncompliant code example:

resource "aws_db_instance" "example" {
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  publicly_accessible = true # Noncompliant
}
Compliant solution:

resource "aws_db_instance" "example" {
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  publicly_accessible = false # reachable only from inside the VPC
}
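The check above can also be enforced before apply. The following script is an added example and not code from the rule page or the Terraform AWS provider; it reads the JSON that `terraform show -json <planfile>` produces and flags every aws_db_instance or aws_redshift_cluster that would end up public. It handles the three cases a plan can present: publicly_accessible set to true, the attribute omitted on a type whose provider default is true (Redshift), and a value that is only known at apply time, which is reported rather than ignored. SAMPLE_PLAN is a constructed fragment that mirrors the plan JSON shape; in a real plan the Redshift default would already be filled in under "after", and it is left out here only to exercise the omitted-attribute path.

```python
"""Flag RDS instances and Redshift clusters that a Terraform plan would make
publicly accessible. Added example, not part of the original rule page.
Reads the output of `terraform show -json <planfile>`; SAMPLE_PLAN below is
constructed for demonstration."""
import json
import sys

# What the Terraform AWS provider assumes when publicly_accessible is omitted:
# aws_db_instance defaults to false, aws_redshift_cluster defaults to true.
PROVIDER_DEFAULTS = {
    "aws_db_instance": False,
    "aws_redshift_cluster": True,
}


def find_public_databases(plan):
    """Return (address, reason) for every RDS/Redshift resource that ends up public.

    reason is "explicit" (publicly_accessible = true in the configuration),
    "provider default" (attribute omitted on a type that defaults to true) or
    "unknown at plan time" (value computed during apply, reported so that it is
    not silently waved through).
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        rtype = rc.get("type")
        if rtype not in PROVIDER_DEFAULTS:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource goes away; nothing left to expose
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if unknown.get("publicly_accessible"):
            findings.append((rc["address"], "unknown at plan time"))
            continue
        if "publicly_accessible" not in after:
            if PROVIDER_DEFAULTS[rtype]:
                findings.append((rc["address"], "provider default"))
        elif after["publicly_accessible"]:
            findings.append((rc["address"], "explicit"))
    return findings


# Constructed plan fragment in the shape of `terraform show -json` output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.exposed", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"engine": "postgres", "publicly_accessible": True},
                    "after_unknown": {"address": True}}},
        {"address": "aws_db_instance.private", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"engine": "postgres", "publicly_accessible": False},
                    "after_unknown": {"address": True}}},
        # publicly_accessible omitted: the provider default (true) applies.
        {"address": "aws_redshift_cluster.warehouse", "type": "aws_redshift_cluster",
         "change": {"actions": ["create"],
                    "after": {"cluster_identifier": "warehouse"},
                    "after_unknown": {"endpoint": True}}},
        # Value derived from something only known at apply time.
        {"address": "aws_db_instance.computed", "type": "aws_db_instance",
         "change": {"actions": ["update"],
                    "after": {"engine": "mysql"},
                    "after_unknown": {"publicly_accessible": True}}},
        # Being destroyed: not reported even though it was public.
        {"address": "aws_db_instance.retired", "type": "aws_db_instance",
         "change": {"actions": ["delete"],
                    "before": {"publicly_accessible": True},
                    "after": None}},
    ],
}


def main(argv):
    """Usage: python check_public_db.py plan.json (no argument runs SAMPLE_PLAN)."""
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = find_public_databases(plan)
    for address, reason in findings:
        print(f"{address}: publicly accessible ({reason})")
    return 1 if findings else 0  # non-zero exit fails a CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step between `terraform plan -out=tfplan` and `terraform apply`; a non-zero exit blocks the apply. The "unknown at plan time" case is deliberately a finding rather than a skip, because a value that cannot be evaluated before apply is exactly the one a reviewer would otherwise never see.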