Publicly accessible RDS instance

SERVICE: rds

DATA BREACHES: unknown

EXPLOITABILITY: medium (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how much a successful exploitation of this vulnerability is expected to affect your environment and organization)

About

RDS instances can have a public IP address and be attached to an open security group.

Understanding Impact

Business Impact

Publicly accessible RDS databases are vulnerable to automated brute force and exploitation attacks. This increases the likelihood that the database is compromised and used for ransomware, extortion, or leaking sensitive data.

Technical Impact

An RDS instance can either sit inside a VPC with only a private address or be assigned a public IP. If it has a public IP and an open security group, anyone on the internet can attempt brute-force, credential-stuffing, or denial-of-service attacks against the database.

Identify affected resources

Use the following AWS CLI command to identify any RDS instances in your account that have a public IP address:

aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`]'

Then, check if the associated security group for those instances is allowing anyone from the internet to access the database:

aws ec2 describe-security-groups \
    --group-ids <security-group-id> \
    --query 'SecurityGroups[*].IpPermissions'
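The two CLI checks above only list instances and rules; the actual finding requires joining them. The following is an added example (not Datadog's or AWS's code) that does that join offline on constructed API responses shaped like the `describe-db-instances` and `describe-security-groups` output, flagging an instance only when it is publicly addressable and an attached group admits its listener port from 0.0.0.0/0 or ::/0.

```python
# Added example (not Datadog's code): evaluates the two CLI checks offline on constructed responses.
# Dict shapes follow `aws rds describe-db-instances` / `aws ec2 describe-security-groups` output.
ANYWHERE = ("0.0.0.0/0", "::/0")  # CIDRs that admit the whole internet

def rule_opens_port(perm, port):
    """True if one IpPermissions entry admits `port` from the whole internet."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule: every port, every protocol
        covers_port = True
    elif proto == "tcp":                    # RDS listeners are TCP; check the port range
        covers_port = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
    else:
        return False                        # udp/icmp rules do not reach the DB listener
    if not covers_port:
        return False
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)

def find_exposed_rds(instances, groups_by_id):
    """Return (db id, sg id) pairs: public IP plus an internet-open rule on the DB port."""
    exposed = []
    for db in instances:
        if not db.get("PubliclyAccessible"):
            continue                        # private address only: not reachable from the internet
        port = db["Endpoint"]["Port"]
        for ref in db.get("VpcSecurityGroups", []):
            sg = groups_by_id.get(ref["VpcSecurityGroupId"], {})
            if any(rule_opens_port(p, port) for p in sg.get("IpPermissions", [])):
                exposed.append((db["DBInstanceIdentifier"], ref["VpcSecurityGroupId"]))
    return exposed

# Constructed sample data: one exposed instance, one restricted to an admin range, one private.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": True, "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-admin"}]},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False, "Endpoint": {"Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
]
SAMPLE_GROUPS = {
    "sg-open": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-admin": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                    "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}

if __name__ == "__main__":
    for db_id, sg_id in find_exposed_rds(SAMPLE_INSTANCES, SAMPLE_GROUPS): print(f"{db_id}: public IP and {sg_id} admits the whole internet")
```

To run it against a real account, feed it the parsed JSON from the two CLI commands above in place of the constructed samples.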

Remediate vulnerable resources

The first step is to restrict access using your security group. For instance, you can restrict access to a known IP range used by system administrators.

Then, remove public access by disabling the instance's public accessibility setting. This makes the RDS instance reachable only from within its VPC.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | RDS database instance should be inaccessible over the public internet".

References

Hiding a DB instance in a VPC from the internet (AWS documentation)
