ScaleSec / terraform_aws_scp

AWS Organizations Service Control Policies (SCPs) written in HashiCorp Terraform.
231 stars, 44 forks

Prevent RDS DB instance from being 'PubliclyAccessible' #59

Closed KevinHock closed 4 years ago

KevinHock commented 4 years ago

This doesn't necessarily mean it is public, but I don't see why someone would set this and have it live in a Private VPC, so I'm okay with blocking it.

From the rds:ModifyDBInstance docs:

PubliclyAccessible
A value that indicates whether the DB instance is publicly accessible.

When the DB instance is publicly accessible, its DNS endpoint resolves to the private IP address from within the DB instance's VPC, and to the public IP address from outside of the DB instance's VPC. Access to the DB instance is ultimately controlled by the security group it uses, and that public access is not permitted if the security group assigned to the DB instance doesn't permit it.

When the DB instance isn't publicly accessible, it is an internal DB instance with a DNS name that resolves to a private IP address.

PubliclyAccessible only applies to DB instances in a VPC. The DB instance must be part of a public subnet and PubliclyAccessible must be enabled for it to be publicly accessible.

Type: Boolean
Required: No

Also, see the rds:CreateDBInstance and rds:CreateDBInstanceReadReplica docs; they're similar.

cleibl commented 4 years ago

There is no condition key for the PubliclyAccessible parameter. It is currently not possible to enforce this functionality with an SCP.

Closing issue
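Since no SCP condition key exists for this parameter, the practical fallback is a detective check. The following is an added example (not part of the terraform_aws_scp project) that applies the three-part rule from the quoted rds:ModifyDBInstance docs: a DB instance is only actually internet-reachable when PubliclyAccessible is set, it sits in a public subnet (one whose route table has a route to an internet gateway), and an attached security group admits the DB port from a non-private source. The input dicts mirror the shape of the boto3 describe_db_instances, describe_route_tables and describe_security_groups responses, but all data below is constructed; a single VPC and the `rtb-`/`igw-` naming are assumptions for the sample.

```python
"""Classify RDS instances by effective public exposure (added example, not project code).

Inputs mirror boto3 response shapes; the sample data is constructed and assumes one VPC.
"""
from ipaddress import ip_network

# --- Constructed sample data (not real infrastructure) ---
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-vpc-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

def _db(name, public, subnet, sg):
    """Build a minimal describe_db_instances-style record (constructed)."""
    return {"DBInstanceIdentifier": name, "PubliclyAccessible": public,
            "Endpoint": {"Port": 5432},
            "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": subnet}]},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": sg}]}

DB_INSTANCES = [
    _db("exposed-db", True, "subnet-pub-a", "sg-open"),
    _db("public-ip-locked-db", True, "subnet-pub-a", "sg-vpc-only"),
    _db("flag-only-db", True, "subnet-priv-a", "sg-open"),
    _db("internal-db", False, "subnet-priv-a", "sg-vpc-only"),
]

def _has_igw_route(route_table):
    return any(r.get("GatewayId", "").startswith("igw-") for r in route_table.get("Routes", []))

def subnet_is_public(subnet_id, route_tables):
    """Public = the subnet's route table (explicit association, else the VPC main table)
    carries a route to an internet gateway."""
    main_table = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return _has_igw_route(rt)
            if assoc.get("Main"):
                main_table = rt
    return main_table is not None and _has_igw_route(main_table)

def sg_allows_internet(sg_ids, security_groups, port):
    """True if any attached group admits `port` (tcp or all-protocol) from a source
    range that is not private/reserved (0.0.0.0/0 and ::/0 are the usual offenders)."""
    for sg in security_groups:
        if sg["GroupId"] not in sg_ids:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("-1", "tcp"):
                continue
            if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ip_network(cidr, strict=False)
                if net.prefixlen == 0 or not net.is_private:
                    return True
    return False

def classify(db, route_tables, security_groups):
    """Apply the docs' rule: flag AND public subnet AND permissive SG => reachable."""
    flag = bool(db.get("PubliclyAccessible", False))
    subnets = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]]
    # Conservative: any public subnet in the subnet group counts as public placement.
    in_public_subnet = any(subnet_is_public(s, route_tables) for s in subnets)
    sg_ids = {g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])}
    sg_open = sg_allows_internet(sg_ids, security_groups, db["Endpoint"]["Port"])
    if flag and in_public_subnet and sg_open:
        return "INTERNET_REACHABLE"
    if flag and in_public_subnet:
        return "PUBLIC_IP_SG_RESTRICTED"   # one security-group edit away from exposure
    if flag:
        return "FLAG_SET_PRIVATE_SUBNET"   # the "set but lives in a private VPC" case
    return "PRIVATE"

def audit(db_instances, route_tables, security_groups):
    """Map each DB instance identifier to its exposure class."""
    return {db["DBInstanceIdentifier"]: classify(db, route_tables, security_groups)
            for db in db_instances}

if __name__ == "__main__":
    for name, state in audit(DB_INSTANCES, ROUTE_TABLES, SECURITY_GROUPS).items():
        print(f"{name:24s} {state}")
```

Anything other than PRIVATE is worth a ticket; the flag alone (FLAG_SET_PRIVATE_SUBNET) is exactly the configuration the issue wanted to block preventively, and this check is how it can at least be caught after the fact. In a real run the three constructed lists would be replaced by the paginated output of the corresponding describe calls for each region.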