RDS.2: An RDS instance is publicly accessible from the internet

What does AWS Security Hub RDS.2 check?

RDS.2 fails RDS DB instances whose PubliclyAccessible flag is true, meaning the database has a public endpoint reachable from outside the VPC.

Why does RDS.2 matter?

A public database endpoint exposes your most sensitive asset directly to the internet, where it faces brute-force, exploitation of unpatched engine bugs, and exfiltration if a credential leaks. Databases should live in private subnets and be reachable only from application tiers inside the VPC.

How do I fix RDS.2?

1. Modify the instance to set Publicly Accessible = No.
2. Place the DB in private subnets (a DB subnet group with no internet route) and tighten its security group to the app SG only.
3. For external access, go through a bastion, VPN, or RDS Proxy rather than a public endpoint.

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'