Lightsail Database Public Access Disabled
Overview
This check verifies that your AWS Lightsail databases do not have public mode enabled. When public mode is on, your database accepts connections from anywhere on the internet. Turning it off restricts access to only your other Lightsail resources.
Risk
A publicly accessible database is exposed to the internet, which creates serious security risks:
- Brute-force attacks: Attackers can try to guess your database credentials
- Data theft: Unauthorized users could access or steal sensitive data
- Denial of service: Your database could be overwhelmed by malicious traffic
- Compliance violations: Many regulations prohibit publicly accessible databases
Remediation Steps
Prerequisites
You need access to your AWS account with permissions to modify Lightsail databases.
AWS Console Method
- Open the AWS Lightsail Console
- Click Databases in the left navigation menu
- Select the database you want to secure
- Click the Networking tab
- Find the Public mode toggle and turn it Off
- Wait for the database status to return to Available
Note: Disabling public mode will immediately block any connections coming from outside your Lightsail resources. Make sure your applications connect through Lightsail instances or other approved methods before making this change.
AWS CLI (optional)
To disable public access for a Lightsail database:
aws lightsail update-relational-database \
  --relational-database-name <your-database-name> \
  --no-publicly-accessible \
  --region us-east-1
Replace <your-database-name> with your actual database name.
To find all your Lightsail databases:
aws lightsail get-relational-databases \
  --region us-east-1 \
  --query 'relationalDatabases[*].[name,publiclyAccessible]' \
  --output table
Terraform (optional)
To ensure your Lightsail database is not publicly accessible, set publicly_accessible = false:
resource "aws_lightsail_database" "example" {
  relational_database_name = "example-database"
  availability_zone        = "us-east-1a"
  master_database_name     = "exampledb"
  master_password          = "ExamplePassword123!"
  master_username          = "dbadmin"
  blueprint_id             = "mysql_8_0"
  bundle_id                = "micro_2_0"

  # Disable public access
  publicly_accessible = false
}
Important: Store sensitive values like master_password in AWS Secrets Manager or use Terraform variables with sensitive marking rather than hardcoding them.
Verification
After making the change:
- Return to the Networking tab of your database in the Lightsail console
- Confirm that Public mode shows as Disabled or Off
- Verify the database status is Available
CLI verification
aws lightsail get-relational-database \
  --relational-database-name <your-database-name> \
  --region us-east-1 \
  --query 'relationalDatabase.publiclyAccessible'
This should return false.
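To run the same check across every database in one or more regions, the following added example (not part of the original page or AWS's own tooling) follows nextPageToken through the get-relational-databases results and reports each database still in public mode. It assumes boto3 is installed with credentials configured; the --fix flag and the function names are this example's own.

```python
import sys

def find_public_databases(client):
    """Return names of Lightsail databases that are in public mode.

    `client` is a boto3 Lightsail client (or any object exposing the same
    get_relational_databases call). Follows nextPageToken across pages.
    """
    public, token = [], None
    while True:
        kwargs = {"pageToken": token} if token else {}
        page = client.get_relational_databases(**kwargs)
        for db in page.get("relationalDatabases", []):
            # Fail closed: a record without the flag is reported, not skipped.
            if db.get("publiclyAccessible") is not False:
                public.append(db["name"])
        token = page.get("nextPageToken")
        if not token:
            return public

def disable_public_mode(client, names, dry_run=True):
    """Disable public mode for each name; with dry_run only list what would change."""
    for name in names:
        if not dry_run:
            client.update_relational_database(
                relationalDatabaseName=name, publiclyAccessible=False)
    return list(names)

if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, credentials configured
    # Hypothetical CLI of this example: region names, plus --fix to remediate.
    fix = "--fix" in sys.argv[1:]
    regions = [a for a in sys.argv[1:] if a != "--fix"] or ["us-east-1"]
    findings = 0
    for region in regions:
        client = boto3.client("lightsail", region_name=region)
        names = find_public_databases(client)
        findings += len(names)
        for name in disable_public_mode(client, names, dry_run=not fix):
            print(f"{region}\t{name}\t{'public mode disabled' if fix else 'PUBLIC'}")
    # Non-zero exit when public databases were found and left unchanged.
    sys.exit(1 if findings and not fix else 0)
```

Without --fix the script only reports and exits non-zero when it finds a public database, so it can serve as a scheduled or CI check.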
Notes
- Connection impact: Disabling public mode immediately blocks external connections. Ensure your applications are configured to connect through Lightsail instances before making this change.
- Alternative access methods: If you need to access the database from outside Lightsail, consider using a bastion host (a Lightsail instance that acts as a secure gateway) or setting up VPC peering.
- Maintenance windows: This change is applied immediately and does not wait for your maintenance window.