AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-10-13 · Security-related medium

File: cli/latest/reference/rds/create-db-instance.md

Summary

Enhanced documentation for PubliclyAccessible parameter with expanded network accessibility details and default behavior explanations

Security assessment

The modifications provide critical security context about DB instance accessibility, explicitly linking public exposure to VPC internet gateway presence and security group configurations. By detailing how default behaviors change based on network topology, this helps prevent misconfigurations that could lead to unintended public access to database instances.

Diff

diff --git a/cli/latest/reference/rds/create-db-instance.md b/cli/latest/reference/rds/create-db-instance.md
index 8e5e77a16..37f833051 100644
--- a//cli/latest/reference/rds/create-db-instance.md
+++ b//cli/latest/reference/rds/create-db-instance.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.10 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.13 Command Reference](../../index.html) »
@@ -757 +757 @@ Syntax:
-> When the DB instance is publicly accessible and you connect from outside of the DB instance’s virtual private cloud (VPC), its domain name system (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB instance, the endpoint resolves to the private IP address. Access to the DB instance is controlled by its security group settings.
+> When the DB instance is publicly accessible and you connect from outside of the DB instance’s virtual private cloud (VPC), its Domain Name System (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB instance, the endpoint resolves to the private IP address. Access to the DB instance is ultimately controlled by the security group it uses. That public access is not permitted if the security group assigned to the DB instance doesn’t permit it.
@@ -761 +761 @@ Syntax:
-> The default behavior when `PubliclyAccessible` is not specified depends on whether a `DBSubnetGroup` is specified.
+> Default: The default behavior varies depending on whether `DBSubnetGroupName` is specified.
@@ -763 +763 @@ Syntax:
-> If `DBSubnetGroup` isn’t specified, `PubliclyAccessible` defaults to `false` for Aurora instances and `true` for non-Aurora instances.
+> If `DBSubnetGroupName` isn’t specified, and `PubliclyAccessible` isn’t specified, the following applies:
@@ -765 +765,2 @@ Syntax:
-> If `DBSubnetGroup` is specified, `PubliclyAccessible` defaults to `false` unless the value of `DBSubnetGroup` is `default` , in which case `PubliclyAccessible` defaults to `true` .
+>   * If the default VPC in the target Region doesn’t have an internet gateway attached to it, the DB instance is private.
+>   * If the default VPC in the target Region has an internet gateway attached to it, the DB instance is public.
@@ -767 +768,8 @@ Syntax:
-> If `PubliclyAccessible` is true and the VPC that the `DBSubnetGroup` is in doesn’t have an internet gateway attached to it, Amazon RDS returns an error.
+
+> 
+> If `DBSubnetGroupName` is specified, and `PubliclyAccessible` isn’t specified, the following applies:
+> 
+>   * If the subnets are part of a VPC that doesn’t have an internet gateway attached to it, the DB instance is private.
+>   * If the subnets are part of a VPC that has an internet gateway attached to it, the DB instance is public.
+> 
+
@@ -2493 +2501 @@ DBInstance -> (structure)
-  * [AWS CLI 2.31.10 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.13 Command Reference](../../index.html) »