Changes to Rule - Ensure that public access is not given to RDS Instance
On 10 May 2023, a fix will be released for the Rules that check whether RDS instances are publicly accessible via a VPC.
Currently, the listed Rules include a check that incorrectly marks an RDS database as public whenever the subnet containing the RDS instance has a default route for the CIDR block 0.0.0.0/0. This check is invalid because a default route only makes the subnet publicly reachable when its target is an internet gateway; a 0.0.0.0/0 route to another target (for example, a NAT gateway) does not.
| Framework | Rule | Note |
|---|---|---|
| CIS Benchmark Version 1.5.0 | CIS 2.3.3 - Ensure that public access is not given to RDS Instances | This Rule also checks if the Publicly Accessible flag is disabled. |
| Organization Rules/Rule Catalog | Ensure that public access is not given to RDS Instance via VPC | This Rule also checks if the RDS Instance Public Accessible setting is disabled. |
| Organization Rules/Rule Catalog | RDS instances in a subnet should not have internet access | |
| APRA Version 1.0 | RDS instances should not exist in public subnets | |
| RDS Best Practice Version 1.0 | RDS instances in a subnet should not have internet access | |
After the change, these Rules will pass if the following condition is met:
- The subnet of the RDS instance does not allow public egress, that is, it has no default route (CIDR block 0.0.0.0/0) whose target is an internet gateway.
This change may affect the compliance score for the affected Rules.
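The corrected condition, as an added example that is not the vendor's rule engine code: it evaluates an RDS instance against both checks (the Publicly Accessible flag and the subnet routing), treats a 0.0.0.0/0 route as public egress only when its target is an internet gateway, and keeps the old, over-broad check alongside so the false positive on a NAT-backed default route is visible. It also handles the case where a subnet has no explicit route table association and therefore inherits the VPC's main route table. All identifiers (vpc-example, rtb-main, igw-example, the instance and subnet names) are constructed sample values, and the record shapes are assumed to mirror boto3's describe_route_tables and describe_db_instances output.

```python
from typing import Optional

# Constructed sample data shaped like boto3 describe_route_tables() output
# (assumption: field names follow the AWS API; all values are made up).
ROUTE_TABLES = [
    {   # main route table: subnets without an explicit association use it;
        # its default route goes to a NAT gateway, so it is NOT public egress
        "RouteTableId": "rtb-main", "VpcId": "vpc-example",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
        ],
    },
    {   # explicitly associated public route table: default route to an internet gateway
        "RouteTableId": "rtb-public", "VpcId": "vpc-example",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
]

# Constructed sample data shaped like boto3 describe_db_instances() output.
DB_PRIVATE = {
    "DBInstanceIdentifier": "db-private", "PubliclyAccessible": False,
    "DBSubnetGroup": {"VpcId": "vpc-example",
                      "Subnets": [{"SubnetIdentifier": "subnet-private-a"},
                                  {"SubnetIdentifier": "subnet-private-b"}]},
}
DB_EXPOSED = {
    "DBInstanceIdentifier": "db-exposed", "PubliclyAccessible": False,
    "DBSubnetGroup": {"VpcId": "vpc-example",
                      "Subnets": [{"SubnetIdentifier": "subnet-public"}]},
}


def old_check_is_public(route: dict) -> bool:
    """The behaviour being fixed: any 0.0.0.0/0 route marked the subnet public."""
    return route.get("DestinationCidrBlock") == "0.0.0.0/0"


def route_is_public_egress(route: dict) -> bool:
    """Corrected check: the route must be the default route AND target an
    internet gateway. Blackhole routes forward nothing and are ignored."""
    dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
    if dest not in ("0.0.0.0/0", "::/0"):
        return False
    if route.get("State", "active") != "active":
        return False
    return route.get("GatewayId", "").startswith("igw-")


def route_table_for_subnet(subnet_id: str, vpc_id: str, route_tables: list) -> Optional[dict]:
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_has_public_egress(subnet_id: str, vpc_id: str, route_tables: list) -> bool:
    rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
    return rt is not None and any(route_is_public_egress(r) for r in rt.get("Routes", []))


def evaluate_rds_instance(db: dict, route_tables: list) -> dict:
    """Findings for one instance: the flag check, the subnets with public egress,
    and the overall pass/fail the corrected Rule would report."""
    vpc_id = db["DBSubnetGroup"]["VpcId"]
    public_subnets = [
        s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]
        if subnet_has_public_egress(s["SubnetIdentifier"], vpc_id, route_tables)
    ]
    flag = bool(db.get("PubliclyAccessible", False))
    return {"publicly_accessible_flag": flag,
            "public_subnets": public_subnets,
            "passes": not flag and not public_subnets}


if __name__ == "__main__":
    for db in (DB_PRIVATE, DB_EXPOSED):
        print(db["DBInstanceIdentifier"], evaluate_rds_instance(db, ROUTE_TABLES))
    nat_default_route = ROUTE_TABLES[0]["Routes"][1]
    print("old check on NAT default route:", old_check_is_public(nat_default_route))
    print("corrected check on NAT default route:", route_is_public_egress(nat_default_route))
```

Running the block shows db-private passing (its subnets inherit the main route table, whose default route targets a NAT gateway) while db-exposed fails on subnet-public, and the final two lines show the old check flagging the NAT route as public while the corrected check does not.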