← all rules
iac/cloudformation/cfn-rds-publicly-accessible
Database is publicly accessible
highCloudFormationiac-cloudformation
What it detects
`PubliclyAccessible: true` gives an RDS instance a public endpoint. Databases should sit in private subnets reachable only from application security groups, never directly from the internet.
Remediation
Set `PubliclyAccessible: false` and reach the database through a bastion, VPN, or private application tier.
How it runs
Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.