Amazon RDS database instances and Redshift clusters that are publicly accessible are exposed to the internet.

Why is this an issue?

When an Amazon RDS database instance or Redshift cluster is created with publicly_accessible set to true, AWS assigns it a public IP address and a publicly resolvable DNS name. Combined with a permissive security group, the database becomes reachable directly from the internet.

A database is a high-value target that should sit on a private network segment reachable only from application tiers. Exposing it publicly removes a critical network boundary.

What is the potential impact?

Public exposure invites continuous scanning and credential-stuffing attempts against the database endpoint. It also increases the blast radius of any credential leak: a leaked secret can be used from anywhere on the internet rather than only from within the private network.

How to fix it

Set publicly_accessible to false so the database is only reachable from within the VPC, and rely on private connectivity such as VPN, VPC peering, or a bastion host for administrative access.

Code examples

Noncompliant code example

resource "aws_db_instance" "example" {
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  publicly_accessible = true # Noncompliant
}

Compliant solution

resource "aws_db_instance" "example" {
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  publicly_accessible = false
}
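The check this rule performs, written out as an added example (not the rule's own implementation) that scans Terraform text for both resource types the rule covers and reports each database that would get a public endpoint. It uses a small regex-based block scanner rather than a full HCL parser, and assumes the AWS provider's defaults for an omitted publicly_accessible attribute: false on aws_db_instance, true on aws_redshift_cluster (so a Redshift cluster that omits the attribute is reported too).

```python
import re

# Resource types the rule covers, mapped to what the AWS provider does when
# publicly_accessible is omitted (assumption: true for aws_redshift_cluster).
PUBLIC_BY_DEFAULT = {"aws_db_instance": False, "aws_redshift_cluster": True}
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[\w-]+)"\s+"(?P<name>[\w-]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*publicly_accessible\s*=\s*"?(true|false)"?', re.MULTILINE)


def _block_body(text, start):
    """Return the text between the brace just before `start` and its match."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]


def find_public_databases(hcl):
    """Return (type, name, line, reason) for each RDS instance or Redshift
    cluster that the configuration would create with a public endpoint."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        rtype = m.group("type")
        if rtype not in PUBLIC_BY_DEFAULT:
            continue
        attr = ATTR_RE.search(_block_body(hcl, m.end()))
        if attr is None:  # omitted: the provider default decides
            public, reason = PUBLIC_BY_DEFAULT[rtype], "attribute omitted, provider default is true"
        else:
            public, reason = attr.group(1) == "true", "publicly_accessible = true"
        if public:
            line = hcl.count("\n", 0, m.start()) + 1
            findings.append((rtype, m.group("name"), line, reason))
    return findings


# Constructed sample: a noncompliant instance, a compliant one, and a Redshift cluster relying on the default.
SAMPLE_TF = '''resource "aws_db_instance" "public_pg" {
  publicly_accessible = true # Noncompliant
}

resource "aws_db_instance" "private_pg" {
  publicly_accessible = false
}

resource "aws_redshift_cluster" "warehouse" {
  node_type = "dc2.large"
}
'''
```

Running find_public_databases(SAMPLE_TF) reports public_pg on line 1 and warehouse on line 9, and nothing for private_pg.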
