aws-resource-public-access
Ensure that all data stored in the managed service is not publicly accessible
The rule applies to the following services:
- Aurora
- DMS Replication
- EKS
- RDS
- MQ
- Neptune
- Redshift
Examples
For all of the managed services listed above, the attribute publicly_accessible (PubliclyAccessible in CloudFormation)
is a boolean that, when set to true, makes the service publicly accessible by assigning it a public IP address. Setting this flag to false
is recommended so that the service can only be reached from inside its VPC.
Insecure Example
resource "aws_rds_cluster_instance" "cluster_instances" {
  # Two instances are created; count.index keeps each identifier unique.
  count              = 2
  identifier         = "aurora-cluster-demo-${count.index}"
  cluster_identifier = aws_rds_cluster.default.id

  # Engine settings are inherited from the parent cluster resource.
  engine         = aws_rds_cluster.default.engine
  engine_version = aws_rds_cluster.default.engine_version
  instance_class = "db.r4.large"

  # Insecure: each instance receives a public IP address and is reachable from outside the VPC.
  publicly_accessible = true
}
"MyDB": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceIdentifier": {
"Ref": "DBInstanceID"
},
"DBName": {
"Ref": "DBName"
},
"DBInstanceClass": {
"Ref": "DBInstanceClass"
},
"AllocatedStorage": {
"Ref": "DBAllocatedStorage"
},
"Engine": "MySQL",
"EngineVersion": "8.0.16",
"MasterUsername": {
"Ref": "DBUsername"
},
"MasterUserPassword": {
"Ref": "DBPassword"
},
"MonitoringInterval": "60",
"MonitoringRoleArn": "arn:aws:iam::1233456789012:role/rds-monitoring-role",
"PubliclyAccessible" : true
}
}
Secure Example
resource "aws_rds_cluster_instance" "cluster_instances" {
  # Two instances are created; count.index keeps each identifier unique.
  count              = 2
  identifier         = "aurora-cluster-demo-${count.index}"
  cluster_identifier = aws_rds_cluster.default.id

  # Engine settings are inherited from the parent cluster resource.
  engine         = aws_rds_cluster.default.engine
  engine_version = aws_rds_cluster.default.engine_version
  instance_class = "db.r4.large"

  # Secure: no public IP address is assigned, so the instances are only reachable from inside the VPC.
  publicly_accessible = false
}
"MyDB": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceIdentifier": {
"Ref": "DBInstanceID"
},
"DBName": {
"Ref": "DBName"
},
"DBInstanceClass": {
"Ref": "DBInstanceClass"
},
"AllocatedStorage": {
"Ref": "DBAllocatedStorage"
},
"Engine": "MySQL",
"EngineVersion": "8.0.16",
"MasterUsername": {
"Ref": "DBUsername"
},
"MasterUserPassword": {
"Ref": "DBPassword"
},
"MonitoringInterval": "60",
"MonitoringRoleArn": "arn:aws:iam::1233456789012:role/rds-monitoring-role",
"PubliclyAccessible" : false
}
}