RDS/database instance is publicly accessible
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
publicly_accessible = true gives the database a public endpoint, so it is reachable from the internet and only a security group stands between it and the world.
Why it matters
publicly_accessible = true gives the database a public endpoint reachable from anywhere on the internet, so only the security group stands between it and every scanner and credential-stuffing bot online. A single overly broad ingress rule then exposes the database directly. Databases should live in private subnets.
How to fix it
Set publicly_accessible = false and place the instance in private subnets via a db_subnet_group. Reach it from application servers inside the VPC, or through a bastion or VPN for administration, never from the open internet. If an external tool must connect, use a tightly scoped security group and a VPN rather than a public endpoint.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo