Skip to content

RDS instances should be deployed in a VPC

This control checks whether an RDS instance is deployed in a VPC (EC2-VPC).

How to fix

Attribute db_subnet_group_name of aws_db_instance must be non-empty.

Implementation options

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)

If you use terraform-aws-modules/rds/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = ">=7.0.0"

  allocated_storage      = 20
  db_name                = "myapp"
  db_subnet_group_name   = "example-db-subnet-group"
  engine                 = "postgres"
  engine_version         = "16.1"
  identifier             = "abc123"
  instance_class         = "db.t3.micro"
  password               = "change-me-in-production"
  username               = "dbadmin"
  vpc_security_group_ids = ["sg-12345678"]
}

Option 2: Terraform AWS provider resources

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_db_instance.

resource "aws_db_instance" "this" {
  allocated_storage               = 20
  enabled_cloudwatch_logs_exports = ["general", "slowquery"]
  engine                          = "mysql"
  identifier                      = "pofix-example-db"
  instance_class                  = "db.t3.micro"
  monitoring_interval             = 60
  monitoring_role_arn             = "arn:aws:iam::123456789012:role/example-role"
  password                        = "ChangeMe123!"
  skip_final_snapshot             = true
  username                        = "dbadmin"
}
Which option should I choose?
  • Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
  • Open source module (terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready.
  • Terraform AWS provider resources: manage Terraform resources directly.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf (CTF) Control: rds_db_instance_in_vpc

  • Powerpipe Control: aws_compliance.control.rds_db_instance_in_vpc