Which of these configuration or deployment practices is a security risk for RDS?

addressable and spammable. DB instances deployed within a VPC can be configured to be accessible from the Internet or from EC2 instances outside the VPC. If a VPC security group specifies a port access such as TCP port 22, you would not be able to access the DB instance because the firewall for the DB instance provides access only via the IP addresses specified by the DB security groups the instance is a member of and the port defined when the DB instance was created. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html

A.
Storing SQL function code in plaintext

B.
Non-Multi-AZ RDS instance

C.
Having RDS and EC2 instances exist in the same subnet

D.
RDS in a public subnet

Explanation:
Explanation/Reference:
Making RDS accessible to the public internet in a public subnet poses a security risk, by making your database directly