RDS Database Public Exposure

Are your RDS databases publicly accessible from the internet?

What this looks like in the scanner (securecompass.io/public-exposure-scanner)

Critical - prod-primary-db: RDS instance has PubliclyAccessible set to true with public endpoint
High - analytics-replica: RDS instance in public subnet with security group allowing 0.0.0.0/0 on port 5432

What does Amazon RDS public exposure mean?

An RDS instance with "Publicly Accessible" set to Yes receives a public IP address and can accept connections from outside your VPC. Combined with permissive security groups, this exposes your database directly to the internet.

Why it matters

Databases contain your most sensitive data - customer records, financial transactions, authentication credentials. A publicly accessible RDS instance is one brute-forced password away from a full data breach. Most compliance frameworks explicitly prohibit public database endpoints.

How to check manually

  1. Open the RDS console and check the "Publicly accessible" field for each instance
  2. Review the associated security group for inbound rules from 0.0.0.0/0
  3. Check if the instance is in a public subnet with a route to an internet gateway
  4. Verify that Enhanced Monitoring shows no unexpected connection sources

Quick check with AWS CLI

Find publicly accessible RDS instances (the query is single-quoted so the shell does not treat the JMESPath literal `true` as command substitution):
aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].{ID:DBInstanceIdentifier,Engine:Engine,Endpoint:Endpoint.Address}'
Check a specific instance:
aws rds describe-db-instances --db-instance-identifier YOUR_INSTANCE_ID --query 'DBInstances[0].PubliclyAccessible'
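As an added example (not part of this page or the scanner's own code), the Python below applies manual checks 1 to 3 offline to constructed records shaped like the describe-db-instances, describe-security-groups and describe-route-tables responses, and ranks each instance the way the scanner output above does. The instance names, group ids, subnet ids and gateway ids are constructed sample values.

```python
# Constructed sample records in the shape of the AWS API responses
# (rds describe-db-instances, ec2 describe-security-groups, ec2 describe-route-tables).
INSTANCES = [
    {"DBInstanceIdentifier": "prod-primary-db", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}],
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-public"}]}},
    {"DBInstanceIdentifier": "analytics-replica", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}],
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-public"}]}},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}],
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-private"}]}},
]
SECURITY_GROUPS = {  # group id -> inbound IpPermissions
    "sg-db": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
               "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "sg-open": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
ROUTES = {  # subnet id -> routes of its route table; a 0.0.0.0/0 route to igw-* makes it public
    "subnet-public": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-constructed"}],
    "subnet-private": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-constructed"}],
}

def sg_open_to_world(sg_ids, port):
    """True if any attached group admits 0.0.0.0/0 or ::/0 on the DB port (check 2)."""
    for sg_id in sg_ids:
        for rule in SECURITY_GROUPS.get(sg_id, []):
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # "-1" rules carry no ports
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if rule["IpProtocol"] in ("tcp", "-1") and lo <= port <= hi and cidrs & {"0.0.0.0/0", "::/0"}:
                return True
    return False

def in_public_subnet(subnet_ids):
    """True if any subnet of the DB subnet group has a default route to an internet gateway (check 3)."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for s in subnet_ids for r in ROUTES.get(s, []))

def classify(inst):
    """Return 'Critical', 'High' or 'OK' for one DescribeDBInstances record."""
    sgs = [g["VpcSecurityGroupId"] for g in inst["VpcSecurityGroups"]]
    subnets = [s["SubnetIdentifier"] for s in inst["DBSubnetGroup"]["Subnets"]]
    if inst["PubliclyAccessible"]:
        return "Critical"  # check 1: public endpoint, the instance answers from the internet
    if in_public_subnet(subnets) and sg_open_to_world(sgs, inst["Endpoint"]["Port"]):
        return "High"      # open security group and IGW route already in place; one flag from exposure
    return "OK"

def report():
    return {i["DBInstanceIdentifier"]: classify(i) for i in INSTANCES}
```

To run it against a real account, replace the three constructed tables with the corresponding API responses; the classification logic is unchanged.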

Common misconfigurations

Publicly Accessible set to Yes during creation and never changed
Database in a public subnet instead of a private subnet
Security group allowing port 3306/5432 from 0.0.0.0/0
Snapshot restored with default public access settings

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.