Detection: RDS DB Instance Assigned Public IP Address
Overview
Detect when an Amazon RDS database instance was configured to allow public access. Publicly accessible RDS instances expose databases to unauthorized access, increasing the risk of brute force attacks, data breaches, and compliance violations. Ensuring RDS instances are private and accessible only through secure networks protects sensitive data and reduces the attack surface.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.rds_db_instance_assigned_public_ip_addressSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.rds_db_instance_assigned_public_ip_address --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'dBInstanceIdentifier' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'rds.amazonaws.com' and event_name in ('ModifyDBInstance', 'CreateDBInstance') and (request_parameters -> 'publiclyAccessible') = true and error_code is null
order by event_time desc;