Ensure AWS RDS Instances are Not Provisioned in Public Subnets


Amazon Relational Database Service (RDS) provides a managed relational database service. Deploying RDS instances in public subnets can expose them to the internet, increasing their vulnerability to potential threats. RDS instances should ideally be deployed within private subnets of a Virtual Private Cloud (VPC) to ensure maximum security and to restrict direct access from the internet.


1. Identify RDS Instances in Public Subnets:

AWS Management Console:
  • Navigate to the RDS Dashboard.
  • In the navigation pane, choose Databases.
  • For each RDS instance, review its VPC and associated subnets.
  • In the VPC Dashboard, under Subnets, verify if the associated subnets have a route pointing to an Internet Gateway (IGW). Such subnets are public subnets.

2. Migrate RDS Instances to Private Subnets:

If an RDS instance is identified within a public subnet:

  • Create or identify a private subnet within your VPC.
  • Modify the RDS instance to change its subnet group to one associated with private subnets.
AWS Management Console:
  • Within the RDS Dashboard, choose the identified RDS instance.
  • Under Instance actions, select Modify.
  • In the DB Subnet Group section, select a subnet group associated with private subnets.
  • Follow the prompts to apply the changes.

3. Implement Network Security Measures:

  • Ensure the security group associated with the RDS instance allows only necessary traffic, preferably from known and trusted IP addresses or CIDR blocks.
  • Use Network Access Control Lists (NACLs) at the subnet level as an additional layer of security to control inbound and outbound traffic.

4. Regular Monitoring:

  • Periodically review RDS instances and their associated subnets to ensure none are exposed to the public.
  • Consider setting up alerts using Amazon CloudWatch or AWS Config to notify you if an RDS instance is launched in a public subnet.


RDS instances should always be deployed in private subnets to ensure they are not directly accessible from the internet. The principle of least privilege should be applied, where only necessary access is granted. Regularly monitoring the environment and having alert mechanisms in place can help in ensuring adherence to security best practices and maintaining a secure AWS infrastructure.