
aws-resource-public-access

Ensure that all data stored in the managed service is not publicly accessible

The rule applies to the following services:

Examples

For all managed services, the attribute publicly_accessible (PubliclyAccessible in the CloudFormation examples below) is a boolean that makes the service publicly accessible by assigning it a public IP address. Setting this flag to false is recommended so that the service can only be reached from inside its VPC.

Insecure Example

# Insecure example: publicly_accessible = true assigns each cluster instance a
# public IP address, so the database becomes reachable from outside the VPC.
# This is the setting the aws-resource-public-access rule flags.
resource "aws_rds_cluster_instance" "cluster_instances" {
  count                =  2                                   # two instances, distinguished by count.index in the identifier
  identifier           =  "aurora-cluster-demo-${count.index}"
  cluster_identifier   =  aws_rds_cluster.default.id
  instance_class       =  "db.r4.large"
  engine               =  aws_rds_cluster.default.engine       # engine and version are inherited from the cluster
  engine_version       =  aws_rds_cluster.default.engine_version
  publicly_accessible  =  true                                # flagged: exposes the instance via a public IP address
}
"MyDB": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
        "DBInstanceIdentifier": {
            "Ref": "DBInstanceID"
        },
        "DBName": {
            "Ref": "DBName"
        },
        "DBInstanceClass": {
            "Ref": "DBInstanceClass"
        },
        "AllocatedStorage": {
            "Ref": "DBAllocatedStorage"
        },
        "Engine": "MySQL",
        "EngineVersion": "8.0.16",
        "MasterUsername": {
            "Ref": "DBUsername"
        },
        "MasterUserPassword": {
            "Ref": "DBPassword"
        },
        "MonitoringInterval": "60",
        "MonitoringRoleArn": "arn:aws:iam::1233456789012:role/rds-monitoring-role",
        "PubliclyAccessible" : true
    }
}

Secure Example

# Secure example: publicly_accessible = false means no public IP address is
# assigned, so the cluster instances can only be reached from inside the VPC.
resource "aws_rds_cluster_instance" "cluster_instances" {
  count                =  2                                   # two instances, distinguished by count.index in the identifier
  identifier           =  "aurora-cluster-demo-${count.index}"
  cluster_identifier   =  aws_rds_cluster.default.id
  instance_class       =  "db.r4.large"
  engine               =  aws_rds_cluster.default.engine       # engine and version are inherited from the cluster
  engine_version       =  aws_rds_cluster.default.engine_version
  publicly_accessible  =  false                               # keep false: VPC-internal access only
}
"MyDB": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
        "DBInstanceIdentifier": {
            "Ref": "DBInstanceID"
        },
        "DBName": {
            "Ref": "DBName"
        },
        "DBInstanceClass": {
            "Ref": "DBInstanceClass"
        },
        "AllocatedStorage": {
            "Ref": "DBAllocatedStorage"
        },
        "Engine": "MySQL",
        "EngineVersion": "8.0.16",
        "MasterUsername": {
            "Ref": "DBUsername"
        },
        "MasterUserPassword": {
            "Ref": "DBPassword"
        },
        "MonitoringInterval": "60",
        "MonitoringRoleArn": "arn:aws:iam::1233456789012:role/rds-monitoring-role",
        "PubliclyAccessible" : false
    }
}