AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-05-13 · Documentation low

File: prescriptive-guidance/latest/patterns/block-public-access-to-amazon-rds-by-using-cloud-custodian.md

Summary

Updated documentation to improve clarity and formatting: rephrased compliance statement, removed redundant 'Target technology stack' section, fixed markdown formatting in links/sections, added backticks around 'false' for code clarity, and updated resource URLs.

Security assessment

The changes emphasize blocking public RDS access for compliance (GDPR/HIPAA/NIST/PCI DSS) and clarify security-related configuration steps (e.g., explicitly setting 'PubliclyAccessible' to `false`). While these reinforce security best practices, there is no evidence of addressing a newly discovered vulnerability or incident.

Diff

diff --git a/prescriptive-guidance/latest/patterns/block-public-access-to-amazon-rds-by-using-cloud-custodian.md b/prescriptive-guidance/latest/patterns/block-public-access-to-amazon-rds-by-using-cloud-custodian.md
index 9534ce7e8..e942f62ba 100644
--- a//prescriptive-guidance/latest/patterns/block-public-access-to-amazon-rds-by-using-cloud-custodian.md
+++ b//prescriptive-guidance/latest/patterns/block-public-access-to-amazon-rds-by-using-cloud-custodian.md
@@ -13 +13 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsRelated resourcesAddit
-Many organizations run their workloads and services on multiple cloud vendors. In these hybrid cloud environments, the cloud infrastructure needs strict cloud governance, in addition to the security provided by the individual cloud providers. A cloud database such as Amazon Relational Database Service (Amazon RDS) is one important service that must be monitored for any access and permission vulnerabilities. Although you can restrict access to the Amazon RDS database by configuring a security group, you can add a second layer of protection to prohibit actions such as public access. Ensuring public access is blocked will help you with General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI DSS) compliance.
+Many organizations run their workloads and services on multiple cloud vendors. In these hybrid cloud environments, the cloud infrastructure needs strict cloud governance, in addition to the security provided by the individual cloud providers. A cloud database such as Amazon Relational Database Service (Amazon RDS) is one important service that must be monitored for any access and permission vulnerabilities. Although you can restrict access to the Amazon RDS database by configuring a security group, you can add a second layer of protection to prohibit actions such as public access. Blocking public access helps you with General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI DSS) compliance.
@@ -34,16 +34 @@ This pattern provides instructions for using Cloud Custodian on AWS to enforce r
-**Target technology stack**
-
-  * Amazon RDS
-
-  * AWS CloudTrail
-
-  * AWS Lambda
-
-  * Cloud Custodian
-
-
-
-
-**Target architecture**
-
-The following diagram shows Cloud Custodian deploying the policy to Lambda, AWS CloudTrail initiating the `CreateDBInstance` event, and the Lambda function setting `PubliclyAccessible` to false on Amazon RDS.
+The following diagram shows Cloud Custodian deploying the policy to AWS Lambda, AWS CloudTrail initiating the `CreateDBInstance` event, and the Lambda function setting `PubliclyAccessible` to false on Amazon RDS.
@@ -81 +66 @@ Task| Description| Skills required
-Install AWS CLI.| To install AWS CLI, follow the instructions in the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).| AWS administrator  
+Install the AWS CLI.| To install the AWS CLI, follow the instructions in the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).| AWS administrator  
@@ -108 +93 @@ Check the Cloud Custodian schema.| To see the complete list of Amazon RDS resour
-Create the Cloud Custodian policy.| Save the code that’s under _Cloud Custodian policy file_ in the _Additional information_ section using a YAML extension.| DevOps engineer  
+Create the Cloud Custodian policy.| Save the code that’s under _Cloud Custodian policy file_ in the Additional information section using a YAML extension.| DevOps engineer  
@@ -112 +97 @@ Define Cloud Custodian actions to change the publicly accessible flag.|
-  2. Locate the `RDSSetPublicAvailability` class in `rds.py`, and modify this class by using the code that’s under _c7n resources rds.py file_ in the _Additional information_ section.
+  2. Locate the `RDSSetPublicAvailability` class in `rds.py`, and modify this class by using the code that’s under _c7n resources rds.py file_ in the Additional information section.
@@ -129 +114 @@ Deploy the policy by using Lambda.| To create the Lambda function that will run
-This policy will then be initiated by the AWS CloudTrail `CreateDBInstance` event.As a result, AWS Lambda will set the publicly accessible flag to false for instances that match the criteria.| DevOps engineer  
+This policy will then be initiated by the AWS CloudTrail `CreateDBInstance` event.As a result, AWS Lambda will set the publicly accessible flag to `false` for instances that match the criteria.| DevOps engineer  
@@ -133 +118 @@ This policy will then be initiated by the AWS CloudTrail `CreateDBInstance` even
-  * [AWS Lambda](https://aws.amazon.com/lambda/)
+  * [AWS Lambda website](https://aws.amazon.com/lambda/)
@@ -135 +120 @@ This policy will then be initiated by the AWS CloudTrail `CreateDBInstance` even
-  * [Amazon RDS](https://aws.amazon.com/rds/)
+  * [Amazon RDS website](https://aws.amazon.com/rds/)
@@ -137 +122 @@ This policy will then be initiated by the AWS CloudTrail `CreateDBInstance` even
-  * [Cloud Custodian](https://cloudcustodian.io/docs/quickstart/index.html)
+  * [Cloud Custodian documentation](https://cloudcustodian.io/docs/quickstart/index.html)