Updated on 2025-08-25 GMT+08:00

RDS DB Instances Should Not Use EIPs

Rule Details

Table 1 Rule details

| Parameter | Description |
|---|---|
| Rule Name | rds-instance-no-public-ip |
| Identifier | RDS DB Instances Should Not Use EIPs |
| Description | If an RDS instance has an EIP attached, this RDS instance is non-compliant. |
| Tag | rds |
| Trigger Type | Configuration change |
| Filter Type | rds.instances |
| Rule Parameters | None |

Application Scenarios

RDS instances should not be deployed on the Internet or in a DMZ. Instead, deploy them on your company's internal network, protect them with routers or firewalls, and do not bind EIPs to them. This prevents unauthorized access and DDoS attacks. If your RDS instances must use EIPs, set security group rules to restrict access from source IP addresses. For details, see Security Best Practices.

Solution

Do not attach EIPs to your RDS instances. If an instance already has an EIP attached, detach it.

Rule Logic

  • If an RDS instance has an EIP attached, this instance is non-compliant.
  • If an RDS instance does not have an EIP attached, this instance is compliant.
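
The following added example (not part of the original page or the Config service's own code) applies the rule logic above to an exported inventory and, for non-compliant instances, checks the fallback from Application Scenarios: whether security group ingress rules restrict source IP addresses on the database port. The field names, the sample inventory and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample inventory. Field names (public_ips, port,
# security_group_rules, remote_ip_prefix) are assumptions for this
# example, not the Config service's resource schema.
SAMPLE_INSTANCES = [
    {"id": "rds-internal", "port": 3306, "public_ips": [],
     "security_group_rules": [{"direction": "ingress", "port_min": 3306,
                               "port_max": 3306, "remote_ip_prefix": "10.0.0.0/16"}]},
    {"id": "rds-eip-restricted", "port": 5432, "public_ips": ["203.0.113.10"],
     "security_group_rules": [{"direction": "ingress", "port_min": 5432,
                               "port_max": 5432, "remote_ip_prefix": "198.51.100.0/28"}]},
    {"id": "rds-eip-open", "port": 3306, "public_ips": ["203.0.113.20"],
     "security_group_rules": [{"direction": "ingress", "port_min": 1,
                               "port_max": 65535, "remote_ip_prefix": "0.0.0.0/0"}]},
]

def evaluate(instance):
    """Rule logic: any attached EIP makes the instance non-compliant."""
    return "NonCompliant" if instance.get("public_ips") else "Compliant"

def unrestricted_sources(instance, max_hosts=256):
    """Return ingress source ranges that reach the DB port and are too broad.

    max_hosts is an arbitrary review threshold chosen for this example.
    """
    findings = []
    for rule in instance.get("security_group_rules", []):
        if rule.get("direction") != "ingress":
            continue
        lo, hi = rule.get("port_min") or 1, rule.get("port_max") or 65535
        if not lo <= instance["port"] <= hi:
            continue
        # A missing prefix is treated as "any source" (assumption).
        prefix = rule.get("remote_ip_prefix") or "0.0.0.0/0"
        net = ipaddress.ip_network(prefix, strict=False)
        if net.num_addresses > max_hosts:
            findings.append(str(net))
    return findings

def audit(instances):
    """Evaluate every instance; list broad sources only for non-compliant ones."""
    report = []
    for inst in instances:
        status = evaluate(inst)
        broad = unrestricted_sources(inst) if status == "NonCompliant" else []
        report.append({"id": inst["id"], "status": status, "broad_sources": broad})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_INSTANCES):
        print(row)
```

An instance with an EIP stays non-compliant under the rule even when `broad_sources` is empty; the second check only helps prioritize which EIP-attached instances to fix first.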