Overview
A managed database with a public endpoint can be reached directly from the internet. That exposes the engine's login surface to brute-force and credential-stuffing attempts, lets attackers probe for unpatched engine vulnerabilities, and turns any leaked credential into a direct data-exfiltration path.
What this control checks
This control flags database resources that are publicly reachable: the instance or server has a public IP or endpoint (for example, Public access set to Yes on RDS, a PRIMARY IP on Cloud SQL, or public network access enabled on Azure) and its network controls admit traffic from any address (a security group rule, firewall rule or authorized network covering 0.0.0.0/0 or ::/0).
Why this matters
Database services should be reachable only over private networking paths (VPC/VNet peering, private endpoints, private IP) or, where private-only access is not yet possible, through a tightly scoped allowlist of known client addresses. A public endpoint combined with an allow-all rule is exactly the condition this control detects.
Remediation guidance
Use provider-native controls to disable public access and prefer private networking.
AWS (Amazon RDS)
Console
- Open the affected DB instance in Amazon RDS.
- Choose Modify.
- In Connectivity, set Public access to No.
- Apply immediately or during the next maintenance window.
CLI
For RDS DB instances:
aws rds modify-db-instance \
--db-instance-identifier <db-instance-id> \
--no-publicly-accessible \
--apply-immediately
For Multi-AZ DB clusters (non-Aurora):
aws rds modify-db-cluster \
--db-cluster-identifier <db-cluster-id> \
--no-publicly-accessible \
--apply-immediately
Once public access is off, the instance endpoint's DNS name resolves only to a private IP, so any client that reached the database from outside the VPC loses access. Confirm that application hosts have a private path (same VPC, peering, Transit Gateway or VPN) before applying the change. The stored checks also match on security-group rules, so remove inbound rules sourced from 0.0.0.0/0 or ::/0 from the DB instance's security groups as well; a public instance behind an allow-all group is what this control reports.
Google Cloud (Cloud SQL)
Console
- Open SQL instances in the Google Cloud Console.
- Select the instance and click Edit.
- Under Connections, disable Public IP.
- Configure Private IP if required and save.
CLI
Disable public IP:
gcloud sql instances patch <instance-name> --no-assign-ip
If needed, move to private IP in a VPC:
gcloud sql instances patch <instance-name> \
--network=projects/<project-id>/global/networks/<vpc-name> \
--no-assign-ip
Remove the public IP only after private IP is in place; an instance with neither has no network path at all. Attaching the instance to a VPC with --network requires private services access to be configured on that VPC first. Also clear the 0.0.0.0/0 entry from the authorized networks list (gcloud sql instances patch supports --clear-authorized-networks), since the stored check matches on a PRIMARY IP combined with that entry and a stale allow-all entry re-exposes the instance the moment a public IP is assigned again.
Azure (Azure SQL / PostgreSQL / MySQL)
Azure SQL - Disable public network access
az sql server update \
--name <sql-server-name> \
--resource-group <resource-group> \
--set publicNetworkAccess="Disabled"
Portal path: SQL server -> Networking -> Public network access -> Disable.
With public network access disabled, the logical server accepts connections only through a private endpoint (Private Link). Create the private endpoint and verify that clients resolve the server name to its private address before flipping the switch; otherwise every client is cut off, including connections that the "Allow Azure services and resources to access this server" setting would otherwise admit. Remove firewall rules spanning 0.0.0.0 to 255.255.255.255 as well, since those are what the stored check for Azure SQL databases matches on.
Azure Database for PostgreSQL Flexible Server - Disable public access
az postgres flexible-server update \
--resource-group <resource-group> \
--name <postgres-server-name> \
--public-access Disabled
Portal path: PostgreSQL flexible server -> Networking -> Public access -> Disabled.
Azure Database for MySQL Flexible Server
Use private networking and avoid public access (the networking method is set during provisioning in the portal or CLI), or strictly allowlist trusted IP ranges if public mode is temporarily required. Never keep a firewall rule that spans 0.0.0.0 to 255.255.255.255; that rule is what the stored checks for MySQL, PostgreSQL and MariaDB servers match on.
For both PostgreSQL and MySQL flexible servers the VNet-integrated (private access) option is chosen at creation time and cannot be switched on afterwards. A server created with public access is remediated either by disabling public access on the existing server, or by recreating it (or restoring it into a new server) with private access when a VNet-integrated design is required.
Validation after remediation
- Confirm no public endpoint is exposed: the RDS instance reports Public access as No, the Cloud SQL instance no longer lists a PRIMARY (public) IP, and the Azure server shows public network access as Disabled.
- Confirm that security groups, firewall rules and authorized networks no longer contain 0.0.0.0/0, ::/0 or a 0.0.0.0 to 255.255.255.255 range; a permissive rule left in place re-exposes the database as soon as public access is re-enabled.
- Confirm only private endpoint / private IP connectivity is available and that application clients still connect over that path.
- Re-run this control to verify all findings are cleared.
References
- AWS RDS VPC and public access: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html
- AWS CLI modify-db-instance: https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-instance.html
- AWS CLI modify-db-cluster: https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-cluster.html
- Cloud SQL connectivity and IP: https://cloud.google.com/sql/docs/mysql/configure-ip
- gcloud sql instances patch: https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch
- Azure SQL connectivity settings: https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal
- Azure CLI az sql server update: https://learn.microsoft.com/en-us/cli/azure/sql/server?view=azure-cli-latest#az-sql-server-update
- Azure PostgreSQL flexible networking: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-public
- Azure CLI az postgres flexible-server update: https://learn.microsoft.com/en-us/cli/azure/postgres/flexible-server?view=azure-cli-latest#az-postgres-flexible-server-update
- Azure MySQL flexible networking: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Alibaba Cloud
Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit (the managed rule rds-instance-public-access-check evaluates the PubliclyAccessible flag directly), approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control. Each query returns the resources that match the exposure condition; the expected check eq [] means the control passes only when the query returns an empty list.
Publicly Accessible Google Cloud Cloud SQL Instances
Expected check: eq []
{
  cloudSqlInstances(
    where: {
      ipAddresses_SOME: { type: "PRIMARY" }
      networkSettings_SOME: {
        authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Azure MySQL Single Servers
Expected check: eq []
{
  mySqlServers(
    where: {
      publicAccessBlocked: false
      firewallRules_SOME: {
        startIPAddress: "0.0.0.0"
        endIPAddress: "255.255.255.255"
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Azure MySQL Flexible Servers
Expected check: eq []
{
  mySqlFlexibleServers(
    where: {
      publicAccessBlocked: false
      firewallRules_SOME: {
        startIPAddress: "0.0.0.0"
        endIPAddress: "255.255.255.255"
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Azure PostgreSQL Single Servers
Expected check: eq []
{
  postgreSqlServers(
    where: {
      publicAccessBlocked: false
      firewallRules_SOME: {
        startIPAddress: "0.0.0.0"
        endIPAddress: "255.255.255.255"
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Azure PostgreSQL Flexible Servers
Expected check: eq []
{
  postgreSqlFlexibleServers(
    where: {
      publicAccessBlocked: false
      firewallRules_SOME: {
        startIPAddress: "0.0.0.0"
        endIPAddress: "255.255.255.255"
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Alibaba ApsaraDB Instances
Expected check: eq []
{
  dbInstances(
    where: {
      publicAccessBlocked: false
      whitelist: {
        rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" }
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Azure SQL Databases
Expected check: eq []
{
  sqlDatabases(
    where: {
      sqlServer: {
        firewallRules_SOME: {
          startIpAddress: "0.0.0.0"
          endIpAddress: "255.255.255.255"
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible RDS Clusters
Expected check: eq []
{
  dbClusters(
    where: {
      dbInstances_SOME: {
        publicAccessBlocked: false
        securityGroups_SOME: {
          rules_SOME: {
            direction: "Inbound"
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible Azure MariaDB Servers
Expected check: eq []
{
  mariaDbServers(
    where: {
      publicAccessBlocked: false
      firewallRules_SOME: {
        startIPAddress: "0.0.0.0"
        endIPAddress: "255.255.255.255"
      }
    }
  ) {
    ...AssetFragment
  }
}
Publicly Accessible AWS RDS Instance
Expected check: eq []
{
  dbInstances(
    where: {
      publicAccessBlocked: false
      dbCluster: null
      securityGroups_SOME: {
        rules_SOME: {
          direction: "Inbound"
          OR: [
            { sources_INCLUDES: "cidr:0.0.0.0/0" }
            { sources_INCLUDES: "cidr:::/0" }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
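The stored checks above, and the validation steps earlier on this page, reduce to the same two conditions on every provider: a public endpoint is present, and a network rule admits any address. As an added example (not code from the original page or from the scanner that stores these queries), the following Python script applies those conditions to inventory JSON in the shape the provider CLIs return (aws rds describe-db-instances with aws ec2 describe-security-groups, az sql server show with az sql server firewall-rule list, gcloud sql instances describe --format=json). The sample inventory, resource names and security-group IDs embedded at the bottom are constructed for the demonstration. It goes one step beyond the stored Azure checks by separately reporting the 0.0.0.0 to 0.0.0.0 rule, which is Azure's "Allow Azure services" switch and is not flagged by the queries above.

```python
"""Added example: apply this control's exposure conditions to inventory JSON.
Field names follow the provider CLI output shapes; all sample data below is
constructed (hypothetical names and IDs)."""
import ipaddress


def is_any_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sg_open_to_world(sg: dict) -> bool:
    """describe-security-groups shape: IpPermissions are the inbound rules."""
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(is_any_cidr(c) for c in cidrs):
            return True
    return False


def rds_findings(instances: list, security_groups: dict) -> list:
    """RDS checks: PubliclyAccessible AND an attached security group with an
    inbound rule from 0.0.0.0/0 or ::/0 (describe-db-instances shape)."""
    return [
        inst["DBInstanceIdentifier"]
        for inst in instances
        if inst.get("PubliclyAccessible")
        and any(sg_open_to_world(security_groups.get(ref["VpcSecurityGroupId"], {}))
                for ref in inst.get("VpcSecurityGroups", []))
    ]


def azure_findings(servers: list) -> dict:
    """Azure SQL / PostgreSQL / MySQL / MariaDB checks: public network access
    not disabled AND a firewall rule spanning 0.0.0.0-255.255.255.255.
    The 0.0.0.0-0.0.0.0 rule is the 'Allow Azure services' switch; the stored
    checks do not flag it, so it is reported separately for review."""
    out = {"open_to_internet": [], "azure_services_allowed": []}
    for srv in servers:
        if srv.get("publicNetworkAccess", "Enabled") == "Disabled":
            continue  # equivalent of publicAccessBlocked: true
        for rule in srv.get("firewallRules", []):
            start, end = rule["startIpAddress"], rule["endIpAddress"]
            if start == "0.0.0.0" and end == "255.255.255.255":
                out["open_to_internet"].append(srv["name"])
            elif start == "0.0.0.0" and end == "0.0.0.0":
                out["azure_services_allowed"].append(srv["name"])
    return out


def cloudsql_findings(instances: list) -> list:
    """Cloud SQL check: a PRIMARY (public) IP AND an authorized network of
    0.0.0.0/0 (gcloud sql instances describe --format=json shape)."""
    found = []
    for inst in instances:
        public_ip = any(ip.get("type") == "PRIMARY" for ip in inst.get("ipAddresses", []))
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        if public_ip and any(is_any_cidr(n["value"]) for n in ip_cfg.get("authorizedNetworks", [])):
            found.append(inst["name"])
    return found


# Constructed sample inventory: names and IDs are hypothetical.
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]},
    {"DBInstanceIdentifier": "orders-staging", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]},
    {"DBInstanceIdentifier": "reports", "PubliclyAccessible": True,   # public IP, tight group
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0e4f5a6b", "Status": "active"}]},
]
SAMPLE_SGS = {
    "sg-0a1b2c3d": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0e4f5a6b": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                       "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
}
SAMPLE_AZURE = [
    {"name": "crm-sql", "publicNetworkAccess": "Enabled",
     "firewallRules": [{"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}]},
    {"name": "hr-pg", "publicNetworkAccess": "Enabled",
     "firewallRules": [{"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}]},
    {"name": "fin-sql", "publicNetworkAccess": "Disabled",   # rule left behind but inert
     "firewallRules": [{"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}]},
]
SAMPLE_CLOUDSQL = [
    {"name": "billing-db", "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"}],
     "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "0.0.0.0/0"}]}}},
    {"name": "analytics-db", "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.10.0.5"}],
     "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "0.0.0.0/0"}]}}},
]


def run_samples() -> dict:
    """Evaluate the sample inventory; a clean estate returns empty lists,
    the 'eq []' expectation of the stored checks."""
    return {"rds": rds_findings(SAMPLE_RDS, SAMPLE_SGS),
            "azure": azure_findings(SAMPLE_AZURE),
            "cloudsql": cloudsql_findings(SAMPLE_CLOUDSQL)}


if __name__ == "__main__":
    for provider, result in run_samples().items():
        print(provider, result)
```

To use it on real data, replace the SAMPLE_* constants with the parsed CLI output; an empty result for every provider corresponds to the eq [] expectation of the stored checks. Note what the sample shows about the check's boundaries: "reports" keeps a public IP behind a 10.0.0.0/8 group and "fin-sql" keeps an allow-all firewall rule with public access disabled, and neither is flagged, which is why the validation steps above ask you to remove the permissive rules and not only the public endpoint.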