Overview
Managed databases with public exposure can be reached directly from the internet, which significantly increases the risk of brute-force attempts, credential stuffing, exploitation of unpatched engines, and data exfiltration.
What this control checks
This control flags database resources that are publicly reachable (for example, attached to a public endpoint or configured with permissive network access).
Why this matters
Database services should be reachable only through private networking paths (VPC/VNet + private endpoints) or through tightly controlled allowlists when private-only access is not yet possible.
Remediation guidance
Use provider-native controls to disable public access and prefer private networking.
AWS (Amazon RDS)
Console
- Open the affected DB instance in Amazon RDS.
- Choose Modify.
- In Connectivity, set Public access to No.
- Apply immediately or during the next maintenance window.
CLI
For RDS DB instances:
aws rds modify-db-instance \
--db-instance-identifier <db-instance-id> \
--no-publicly-accessible \
--apply-immediately
For Multi-AZ DB clusters (non-Aurora):
aws rds modify-db-cluster \
--db-cluster-identifier <db-cluster-id> \
--no-publicly-accessible \
--apply-immediately
Google Cloud (Cloud SQL)
Console
- Open SQL instances in Google Cloud Console.
- Select the instance and click Edit.
- Under Connections, disable Public IP.
- Configure Private IP if required and save.
CLI
Disable public IP:
gcloud sql instances patch <instance-name> --no-assign-ip
If needed, move to private IP in a VPC:
gcloud sql instances patch <instance-name> \
--network=projects/<project-id>/global/networks/<vpc-name> \
--no-assign-ip
Azure (Azure SQL / PostgreSQL / MySQL)
Azure SQL - Disable public network access
az sql server update \
--name <sql-server-name> \
--resource-group <resource-group> \
--set publicNetworkAccess="Disabled"
Portal path: SQL server -> Networking -> Public network access -> Disable.
Azure Database for PostgreSQL Flexible Server - Disable public access
az postgres flexible-server update \
--resource-group <resource-group> \
--name <postgres-server-name> \
--public-access Disabled
Portal path: PostgreSQL flexible server -> Networking -> Public access -> Disabled.
Azure Database for MySQL Flexible Server
Use private networking and avoid public access (set during provisioning in portal/CLI), or strictly allowlist trusted IP ranges if public mode is temporarily required.
Validation after remediation
- Confirm no public endpoint is exposed.
- Confirm only private endpoint / private IP connectivity is available.
- Re-run this control to verify all findings are cleared.
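The validation steps above can be scripted against the JSON the provider CLIs return (aws rds describe-db-instances, gcloud sql instances describe --format=json, az sql server show, az postgres flexible-server show). The following is an added example written for this page, not code shipped with the control or by any provider. It assumes the real field names PubliclyAccessible (RDS), settings.ipConfiguration.ipv4Enabled (Cloud SQL), publicNetworkAccess (Azure SQL) and network.publicNetworkAccess (PostgreSQL Flexible Server); the sample documents and resource names are constructed and carry only the fields the check reads. A missing field is reported as "unknown" rather than as a pass, so a truncated or unexpected CLI response never clears a finding.

```python
import json

# Constructed sample outputs shaped like the provider CLI JSON for a single resource.
# Real output carries many more fields; only the ones this check reads are present.
SAMPLE_RDS = json.loads(
    '{"DBInstances": [{"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": false}]}'
)
SAMPLE_CLOUDSQL = json.loads(
    '{"name": "billing-sql", "settings": {"ipConfiguration": {"ipv4Enabled": false, '
    '"privateNetwork": "projects/example-project/global/networks/example-vpc"}}}'
)
SAMPLE_AZURE_SQL = json.loads('{"name": "crm-sqlserver", "publicNetworkAccess": "Enabled"}')
SAMPLE_AZURE_PG = json.loads('{"name": "analytics-pg", "network": {"publicNetworkAccess": "Disabled"}}')
SAMPLE_UNKNOWN = json.loads('{"name": "legacy-db"}')  # field missing: cannot be confirmed private

# provider key -> (dotted path of the public-access field, value meaning "public access disabled")
PRIVATE_SETTINGS = {
    "aws_rds": ("PubliclyAccessible", False),
    "gcp_cloudsql": ("settings.ipConfiguration.ipv4Enabled", False),
    "azure_sql": ("publicNetworkAccess", "Disabled"),
    "azure_pg_flex": ("network.publicNetworkAccess", "Disabled"),
}


def lookup(doc, dotted_path):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    node = doc
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def public_access_state(provider, resource):
    """Return 'private', 'public', or 'unknown' (field absent, so the result cannot be trusted)."""
    path, disabled_value = PRIVATE_SETTINGS[provider]
    actual = lookup(resource, path)
    if actual is None:
        return "unknown"
    return "private" if actual == disabled_value else "public"


def validate_batch(items):
    """items: list of (provider, resource dict). Returns names that still need attention."""
    remaining = []
    for provider, resource in items:
        name = resource.get("DBInstanceIdentifier") or resource.get("name", "<unnamed>")
        if public_access_state(provider, resource) != "private":
            remaining.append(name)
    return remaining


# Constructed batch: one record per provider plus one with the field missing.
BATCH = [
    ("aws_rds", SAMPLE_RDS["DBInstances"][0]),
    ("gcp_cloudsql", SAMPLE_CLOUDSQL),
    ("azure_sql", SAMPLE_AZURE_SQL),
    ("azure_pg_flex", SAMPLE_AZURE_PG),
    ("azure_pg_flex", SAMPLE_UNKNOWN),
]

if __name__ == "__main__":
    for name in validate_batch(BATCH):
        print("still not private:", name)
```

This confirms only the public-endpoint setting. For RDS, PubliclyAccessible=false still needs the security group review that the query logic below performs, and for Azure a server with public network access disabled should additionally show a private endpoint before the finding is treated as closed.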
References
- AWS RDS VPC and public access: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html
- AWS CLI modify-db-instance: https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-instance.html
- AWS CLI modify-db-cluster: https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-cluster.html
- Cloud SQL connectivity and IP: https://cloud.google.com/sql/docs/mysql/configure-ip
- gcloud sql instances patch: https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch
- Azure SQL connectivity settings: https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal
- Azure CLI az sql server update: https://learn.microsoft.com/en-us/cli/azure/sql/server?view=azure-cli-latest#az-sql-server-update
- Azure PostgreSQL flexible networking: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-public
- Azure CLI az postgres flexible-server update: https://learn.microsoft.com/en-us/cli/azure/postgres/flexible-server?view=azure-cli-latest#az-postgres-flexible-server-update
- Azure MySQL flexible networking: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Publicly Accessible Google Cloud Cloud SQL Instances
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
ipAddresses_SOME: { type: "PRIMARY" }
networkSettings_SOME: {
authorizedNetworks_SOME: { cidrValue: "0.0.0.0/0" }
}
}
) {
...AssetFragment
}
}
Publicly Accessible Azure MySQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{
mySqlServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MySQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{
mySqlFlexibleServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}
Publicly Accessible Azure PostgreSQL Single Servers
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}
Publicly Accessible Azure PostgreSQL Flexible Servers
Connectors
Covered asset types
Expected check: eq []
{
postgreSqlFlexibleServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}
Publicly Accessible Alibaba ApsaraDB Instances
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
whitelist: {
rules_SOME: { sources_INCLUDES: "cidr:0.0.0.0/0" }
}
}
) {...AssetFragment}
}
Publicly Accessible Azure SQL Databases
Connectors
Covered asset types
Expected check: eq []
{
sqlDatabases(
where: {
sqlServer: {
firewallRules_SOME: {
startIpAddress: "0.0.0.0"
endIpAddress: "255.255.255.255"
}
}
}
) {...AssetFragment}
}
Publicly Accessible RDS Clusters
Connectors
Covered asset types
Expected check: eq []
{
dbClusters(
where: {
dbInstances_SOME: {
publicAccessBlocked: false
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
}
) {...AssetFragment}
}
Publicly Accessible Azure MariaDB Servers
Connectors
Covered asset types
Expected check: eq []
{
mariaDbServers(
where: {
publicAccessBlocked: false
firewallRules_SOME: {
startIPAddress: "0.0.0.0"
endIPAddress: "255.255.255.255"
}
}
) {...AssetFragment}
}
Publicly Accessible AWS RDS Instance
Connectors
Covered asset types
Expected check: eq []
{
dbInstances(
where: {
publicAccessBlocked: false
dbCluster: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
}
}
) {...AssetFragment}
}
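The stored checks above all encode the same rule: a resource is flagged when its public endpoint is not blocked and at least one network rule admits the whole internet, expressed either as a CIDR (0.0.0.0/0 or ::/0 for AWS security groups, Cloud SQL authorized networks and the Alibaba whitelist) or as an Azure firewall range from 0.0.0.0 to 255.255.255.255. The Python below is an added example written for this page, not the control's own query engine, that evaluates that rule over a constructed asset inventory. It goes slightly beyond the literal string matches in the queries by parsing each CIDR, so a /0 written with host bits (for example 10.0.0.0/0) is also treated as wide open; it assumes the rule sources have already been filtered to inbound direction, as the AWS queries do, and the asset names and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


@dataclass
class IpRange:
    """Azure-style firewall rule: an inclusive start/end address pair."""
    start: str
    end: str


@dataclass
class DbAsset:
    name: str
    # publicAccessBlocked in the queries; for Cloud SQL, False corresponds to having a PRIMARY (public) IP.
    public_access_blocked: bool
    # Inbound sources as "cidr:<prefix>" or bare prefixes (AWS SG rules, Cloud SQL authorized networks, Alibaba whitelist).
    cidr_sources: list = field(default_factory=list)
    # Azure firewallRules.
    firewall_ranges: list = field(default_factory=list)


def cidr_is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 after normalisation; unparsable input is not treated as open."""
    try:
        net = ipaddress.ip_network(cidr.removeprefix("cidr:"), strict=False)
    except ValueError:
        return False
    return net in (ANY_V4, ANY_V6)


def range_is_world_open(r):
    """Azure allow-all is the rule 0.0.0.0 - 255.255.255.255; compare as addresses, not strings."""
    start, end = ipaddress.ip_address(r.start), ipaddress.ip_address(r.end)
    return start == ipaddress.ip_address("0.0.0.0") and end == ipaddress.ip_address("255.255.255.255")


def is_publicly_accessible(asset):
    """A blocked public endpoint clears the asset regardless of how permissive its rules are."""
    if asset.public_access_blocked:
        return False
    return any(cidr_is_world_open(c) for c in asset.cidr_sources) or any(
        range_is_world_open(r) for r in asset.firewall_ranges
    )


def publicly_accessible(assets):
    """Mirrors the control's expected check: it passes when this list is empty (eq [])."""
    return [a.name for a in assets if is_publicly_accessible(a)]


# Constructed inventory covering each shape the queries look for.
SAMPLE_ASSETS = [
    DbAsset("rds-orders", False, cidr_sources=["cidr:10.0.0.0/8", "cidr:0.0.0.0/0"]),
    DbAsset("rds-reports", False, cidr_sources=["cidr:::/0"]),
    DbAsset("rds-internal", False, cidr_sources=["cidr:10.20.0.0/16"]),
    DbAsset("rds-private", True, cidr_sources=["cidr:0.0.0.0/0"]),  # open SG but no public endpoint
    DbAsset("azure-mysql-crm", False, firewall_ranges=[IpRange("0.0.0.0", "255.255.255.255")]),
    DbAsset("azure-pg-hr", False, firewall_ranges=[IpRange("203.0.113.0", "203.0.113.255")]),
    DbAsset("cloudsql-billing", False, cidr_sources=["0.0.0.0/0"]),
]

if __name__ == "__main__":
    findings = publicly_accessible(SAMPLE_ASSETS)
    print("control passes" if not findings else f"flagged: {findings}")
```

Note that rds-private is not flagged even though its security group admits 0.0.0.0/0: the control is about reachability, and an instance without a public endpoint is not reachable from the internet. That overly permissive rule is still worth tightening, but it belongs to a separate security-group finding rather than this one.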
Alibaba Cloud
AWS
Google Cloud
Microsoft Azure