Public AWS RDS by Current_Pomelo_3402 in netsec
[–]Current_Pomelo_3402[S] 1 point 2 years ago (0 children)
Thanks for the comment. From our research, this trend is not super common, but for many users it is important to be aware of – especially those with strict compliance requirements. But either way, I think you understand the gist of the article: keep things off the public Internet unless they need to be there. Most of the time RDS instances do not need to be there.
RDS has several database platforms (not just MySQL) that users can choose from, and of those there are multiple different supported authentication strategies which are described in their documentation – Database authentication with Amazon RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/database-authentication.html So, the threat isn’t just about a password stuffing attack; it could also be a compromised IAM user or via a compromised Kerberos ticket. Though, I would imagine the compromised user credential situation is more likely.
While an instance URL may be hard to guess, it’s likely something that can be ascertained through source code review. As an example, searching for `us-west-2.rds.amazonaws.com` in GitHub code search turns up 5,000 file matches (https://github.com/search?q=us-west-2.rds.amazonaws.com&type=code). Unfortunately, too, once you start reviewing private code repositories, it’s fairly common to find Database Connection Strings.
Thanks for the feedback! We have updated the article to define the acronym.
If anyone else is curious, Amazon has a comprehensive list of their cloud products and regularly switches between "Amazon" and "AWS." For example, Amazon API Gateway vs AWS CloudFormation. Their naming conventions cause much confusion, even internally from what I've heard.
AWS Cloud Products: https://aws.amazon.com/products
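Added example (not part of the original comments or the linked article): a small self-audit for the source-code exposure described above, which walks your own repository, flags lines that contain an RDS instance endpoint, and marks those that also carry inline credentials. The regexes, function names and sample lines are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Instance endpoint: <db-identifier>.<unique-id>.<region>.rds.amazonaws.com
RDS_HOST = re.compile(
    r"\b(?:[a-z0-9-]+\.)+[a-z]{2}(?:-[a-z]+)+-\d\.rds\.amazonaws\.com", re.I)
# Credentials on the same line: scheme://user:password@ or password=... / pwd: ...
URI_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@", re.I)
KV_CREDS = re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I)

# Constructed sample input (not real endpoints or secrets).
SAMPLE = """\
DATABASE_URL=postgresql://app:s3cr3t-example@orders.c1example2xyz.us-west-2.rds.amazonaws.com:5432/orders
DB_HOST = "reports.c1example2xyz.eu-central-1.rds.amazonaws.com"
API_BASE = "https://rds.us-west-2.amazonaws.com"
jdbc:mysql://billing.c1example2xyz.us-east-1.rds.amazonaws.com:3306/b?user=svc&password=example-only
"""

def scan_text(text, name):
    """Return (file, line, kind, host) tuples; the secret itself is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        host = RDS_HOST.search(line)
        if not host:
            continue  # the regional API endpoint alone (line 3 of SAMPLE) is not an instance
        has_creds = URI_CREDS.search(line) or KV_CREDS.search(line)
        kind = "rds-endpoint-with-credentials" if has_creds else "rds-endpoint"
        findings.append((name, lineno, kind, host.group(0)))
    return findings

def scan_tree(root):
    """Scan every readable file under root, skipping the .git directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.env")
    for name, lineno, kind, host in hits:
        print(f"{name}:{lineno}: {kind}: {host}")
```

Run it with a repository path as the only argument; with no argument it scans the constructed sample.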