RDS has been defined with public subnet

ID

aws_rds_public_subnet

Severity

high

Vendor

AWS

Resource

Network

Tags

reachable

Description

RDS has been defined with a public subnet. If the RDS instance sits in a subnet that is reachable from the internet, the risk of data loss is higher. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.

To fix it, configure db_subnet_group_name so that the DB subnet group contains no public subnet.

Learn more about this topic at AWS RDS public subnet.

Examples

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: MySQL security group
      amazon.aws.ec2_security_group:
        name: "MySQL_group"
        description: sg with rule descriptions
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: tcp
            ports:
              - 3306
            cidr_ip: 0.0.0.0/0
```

Mitigation / Fix

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: MySQL security group
      amazon.aws.ec2_security_group:
        name: "MySQL_group"
        description: sg with rule descriptions
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: tcp
            ports:
              - 3306
            cidr_ip: 192.168.0.0/29
```
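The playbooks above only narrow the security group; the fix the description asks for is to give the RDS instance a db_subnet_group_name that contains no public subnet. The following playbook is an added example, not part of the original page or of the amazon.aws collection's documentation: it creates two subnets attached to a route table with no internet gateway route (which is what makes them private), builds a DB subnet group from only those subnets, and launches the instance into that group with publicly_accessible set to false. The VPC id vpc-xxxxxxxx, the 10.0.x.0/24 CIDRs, the availability zones, and the aws_profile and db_password variables are assumed placeholders.

```yaml
---
# Added example (not from the original page): RDS placed in a DB subnet group
# built only from private subnets. vpc-xxxxxxxx, the CIDRs, the AZs and the
# aws_profile / db_password variables are assumed placeholders.
- name: RDS in private subnets only
  hosts: localhost
  vars:
    vpc_id: vpc-xxxxxxxx
    region: us-east-1
  tasks:
    - name: Private DB subnet in the first AZ (no public IP mapping)
      amazon.aws.ec2_vpc_subnet:
        vpc_id: "{{ vpc_id }}"
        cidr: 10.0.10.0/24
        az: "{{ region }}a"
        map_public: false
        profile: "{{ aws_profile }}"
        region: "{{ region }}"
        tags:
          Name: db-private-a
      register: db_subnet_a

    - name: Private DB subnet in the second AZ (RDS subnet groups need two AZs)
      amazon.aws.ec2_vpc_subnet:
        vpc_id: "{{ vpc_id }}"
        cidr: 10.0.11.0/24
        az: "{{ region }}b"
        map_public: false
        profile: "{{ aws_profile }}"
        region: "{{ region }}"
        tags:
          Name: db-private-b
      register: db_subnet_b

    - name: Route table for the DB subnets with no route to an internet gateway
      amazon.aws.ec2_vpc_route_table:
        vpc_id: "{{ vpc_id }}"
        subnets:
          - "{{ db_subnet_a.subnet.id }}"
          - "{{ db_subnet_b.subnet.id }}"
        # Only the implicit local route: no igw-* or NAT target, so the
        # subnets are private and the instance cannot be reached from outside.
        routes: []
        profile: "{{ aws_profile }}"
        region: "{{ region }}"
        tags:
          Name: db-private-rt

    - name: DB subnet group that contains only the private subnets
      amazon.aws.rds_subnet_group:
        name: mysql-private-subnets
        description: Private subnets for MySQL
        state: present
        subnets:
          - "{{ db_subnet_a.subnet.id }}"
          - "{{ db_subnet_b.subnet.id }}"
        profile: "{{ aws_profile }}"
        region: "{{ region }}"

    - name: MySQL security group reachable only from the application tier
      amazon.aws.ec2_security_group:
        name: MySQL_group
        description: MySQL ingress from the app subnet only
        vpc_id: "{{ vpc_id }}"
        profile: "{{ aws_profile }}"
        region: "{{ region }}"
        rules:
          - proto: tcp
            ports:
              - 3306
            cidr_ip: 10.0.1.0/24   # assumed app-tier CIDR, never 0.0.0.0/0
      register: mysql_sg

    - name: MySQL instance launched into the private subnet group
      amazon.aws.rds_instance:
        db_instance_identifier: app-mysql
        state: present
        engine: mysql
        db_instance_class: db.t3.micro
        allocated_storage: 20
        master_username: admin
        master_user_password: "{{ db_password }}"
        db_subnet_group_name: mysql-private-subnets   # the setting the rule checks
        publicly_accessible: false                    # no public IP on the endpoint
        vpc_security_group_ids:
          - "{{ mysql_sg.group_id }}"
        profile: "{{ aws_profile }}"
        region: "{{ region }}"
```

Both controls matter: publicly_accessible false stops RDS from assigning a public address, and a subnet group without an internet gateway route means that even a misapplied security group cannot expose port 3306 beyond the VPC. After applying, confirm the route table attached to the subnets in mysql-private-subnets carries no 0.0.0.0/0 route to an igw-* target.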