可以从 互联网 给予 数据库公共访问。攻击者仍然需要 知道用户名和密码、 IAM 访问权限或 漏洞 才能进入数据库。
公共 RDS 快照
AWS 允许 任何人下载 RDS 快照。您可以非常轻松地从自己的账户列出这些公共 RDS 快照:
# Public RDS snapshotsawsrdsdescribe-db-snapshots--include-public## Search by account IDawsrdsdescribe-db-snapshots--include-public--query'DBSnapshots[?contains(DBSnapshotIdentifier, `284546856933:`) == `true`]'## To share a RDS snapshot with everybody the RDS DB cannot be encrypted (so the snapshot won't be encryted)## To share a RDS encrypted snapshot you need to share the KMS key also with the account# From the own account you can check if there is any public snapshot with:awsrdsdescribe-db-snapshots--snapshot-typepublic [--region us-west-2]## Even if in the console appear as there are public snapshot it might be public## snapshots from other accounts used by the current account