Changes to Rule - Ensure that public access is not given to RDS Instance
As announced on 3 May 2023, a fix has been released to remediate an issue impacting several Rules that verify if RDS instances are publicly accessible.
Before the change, the Rules incorrectly marked RDS databases as public whenever the RDS instance was in a VPC subnet whose route table had a default route (CIDR block 0.0.0.0/0). That check was too broad: a default route on its own does not make a subnet publicly reachable; the default route must also have an internet gateway as its target.
The Rule now passes if the RDS instance's subnet does not allow public egress via a default route (CIDR block 0.0.0.0/0) whose target is an internet gateway. This change may have affected the compliance score of the Rules listed below.
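The route-table check described above, as an added example (not the vendor's rule code): the pre-fix logic beside the corrected logic, run over constructed route tables shaped like the EC2 DescribeRouteTables response (boto3 field names, hypothetical resource ids). It also skips blackhole routes, which provide no egress.

```python
"""Public-egress check behind the 'RDS instances in a subnet should not have
internet access' rule. Added example; route tables are constructed inline
using boto3 DescribeRouteTables field names so it runs offline."""

DEFAULT_ROUTE = "0.0.0.0/0"


def old_check_public_egress(route_table: dict) -> bool:
    """Pre-fix logic: any default route marked the subnet public (too broad)."""
    return any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
               for r in route_table["Routes"])


def check_public_egress(route_table: dict) -> bool:
    """Fixed logic: a default route counts only if it is active and its target
    is an internet gateway (igw-*). A NAT gateway or blackhole route does not."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def compare(route_table: dict) -> tuple:
    """Return (old verdict, fixed verdict) so the false positive is visible."""
    return old_check_public_egress(route_table), check_public_egress(route_table)


# Constructed sample route tables with hypothetical ids.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
PUBLIC_RT = {"RouteTableId": "rtb-public-example", "Routes": [
    LOCAL,
    {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0123456789example",
     "State": "active"},
]}
NAT_RT = {"RouteTableId": "rtb-private-example", "Routes": [
    LOCAL,
    {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123456789example",
     "State": "active"},
]}
ISOLATED_RT = {"RouteTableId": "rtb-isolated-example", "Routes": [LOCAL]}

if __name__ == "__main__":
    for rt in (PUBLIC_RT, NAT_RT, ISOLATED_RT):
        print(rt["RouteTableId"], "old/fixed public egress:", compare(rt))
```

The private subnet behind a NAT gateway is the case the old logic got wrong: it reports `(True, False)`, i.e. flagged before the fix and passing after it.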
| Framework | Rule |
| --- | --- |
| CIS Benchmark Version 1.5.0 | CIS 2.3.3 - Ensure that public access is not given to RDS Instances |
| Organization Rules/Rule Catalog | RDS instances in a subnet should not have internet access |
| APRA Version 1.0 | RDS instances should not exist in public subnets (this rule has been renamed to: RDS instances in a subnet should not have internet access) |
| RDS Best Practice Version 1.0 | RDS instances in a subnet should not have internet access |