AWS RDS database instance is publicly accessible
Description
Ensure that all your public AWS Application Load Balancer are integrated with the Web Application Firewall (AWS WAF) service to protect against application-layer attacks. An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.
Fix - Runtime
AWS Console
To change the policy using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon RDS console.
- On the navigation pane, click Snapshots.
- Select the snapshot to encrypt.
- Navigate to Snapshot Actions, select Copy Snapshot.
- Select your Destination Region, then enter your New DB Snapshot Identifier.
- Set Enable Encryption to Yes.
- Select your Master Key from the list, then select Copy Snapshot.
Fix - Buildtime
Terraform
- Resource: aws_db_instance
- Argument: publicly_accessible
```go aws_rds_cluster.default.tf resource "aws_db_instance" "default" { ... + publicly_accessible = false }
## CloudFormation
- **Resource**: AWS::RDS::DBInstance
- **Argument**: Properties.PubliclyAccessible
```yaml
Type: 'AWS::RDS::DBInstance'
Properties:
...
+ PubliclyAccessible: false