Tags: postgresql, security, amazon-rds

AWS RDS Postgres DB got hacked. How does it happen?


Recently, an RDS Postgres instance got hacked and a new readme database was created with a message. While the DB is public-facing and the password may be guessed, how do hackers know the RDS connection string URL? Also, there was a query executed to DROP the database, but the user or IP is logged as UNKNOWN in the AWS logs; how come? While snapshot backups to restore are available, how do I know what caused the breach?


Solution

  • It is bad practice to make an AWS database public. And if you do, control inbound access with a security group that restricts access.

    Regarding your question on how they guessed the endpoint, database hostnames are automatically generated like this:

    database-1.ck9xkudewl4i.eu-west-1.rds.amazonaws.com

    • database-1 is the part that you choose in the GUI
    • ck9xkudewl4i is a random string added by AWS
    • eu-west-1 is a finite set of regions

    Your security model relies purely on the randomness of the second part (and a little on the first part, but this might be a fixed set of strings like db, database). I just generated two databases in succession and the two unique IDs I got were:

    • database-1.ck9xkudewl4i.eu-west-1.rds.amazonaws.com
    • database-2.ck9xkudewl4i.eu-west-1.rds.amazonaws.com

    This means that the second part is not even unique, it is probably connected to your AWS account or maybe even the underlying database instance that serves the requests!

    I would advise making the database non-public going forward. You can't rely on security through obscurity.
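The two controls the answer recommends (PubliclyAccessible off, and a security group that does not admit the whole internet on the database port) can be audited mechanically. The following is an added example, not code from the poster or from AWS; it operates on dictionaries shaped like the responses of boto3's `rds.describe_db_instances()` and `ec2.describe_security_groups()`, and all instance names, group ids, CIDRs and hostnames in it are constructed sample data (the random part of the hostname is a placeholder, not a real RDS id).

```python
"""Audit RDS instances for public exposure (added example, not from the original post).

Input dicts mirror boto3's rds.describe_db_instances() and ec2.describe_security_groups()
response shapes. All sample data below is constructed for illustration.
"""
import ipaddress

# Constructed sample of rds.describe_db_instances() output (three Postgres instances).
SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "database-1", "Engine": "postgres", "PubliclyAccessible": True,
     "Endpoint": {"Address": "database-1.EXAMPLEID.eu-west-1.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
    {"DBInstanceIdentifier": "database-2", "Engine": "postgres", "PubliclyAccessible": True,
     "Endpoint": {"Address": "database-2.EXAMPLEID.eu-west-1.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb", "Status": "active"}]},
    {"DBInstanceIdentifier": "database-3", "Engine": "postgres", "PubliclyAccessible": False,
     "Endpoint": {"Address": "database-3.EXAMPLEID.eu-west-1.rds.amazonaws.com", "Port": 5432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
]}

# Constructed sample of ec2.describe_security_groups() output.
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa",   # world-open on the Postgres port: the worst case
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb",   # restricted to one office /24 plus an app-tier group
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}]},
]}


def _rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if rule.get("IpProtocol") == "-1":        # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _is_world_cidr(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes with length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_sources(group, port):
    """Return the CIDRs in `group` that let the whole internet reach `port`."""
    found = []
    for rule in group.get("IpPermissions", []):
        if not _rule_covers_port(rule, port):
            continue
        cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
        found.extend(c for c in cidrs if _is_world_cidr(c))
    return found


def audit(db_instances, security_groups):
    """Classify each instance as 'exposed', 'public' or 'ok'.

    exposed: PubliclyAccessible and an attached group admits 0.0.0.0/0 or ::/0 on the DB port.
    public:  PubliclyAccessible, but every attached group restricts the source.
    ok:      not publicly accessible (no public IP; reachable only inside the VPC).
    """
    groups = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    report = {}
    for db in db_instances["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if not db.get("PubliclyAccessible"):
            report[name] = "ok"
            continue
        port = db["Endpoint"]["Port"]
        world = []
        for ref in db.get("VpcSecurityGroups", []):
            sg = groups.get(ref["VpcSecurityGroupId"])
            if sg is not None:
                world.extend(open_sources(sg, port))
        report[name] = "exposed" if world else "public"
    return report


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS).items():
        print(f"{name}: {verdict}")
```

Against the sample data this reports database-1 as exposed (public endpoint plus a 0.0.0.0/0 rule on 5432), database-2 as public but source-restricted, and database-3 as ok. To run it against a real account, replace the two sample dicts with `boto3.client("rds").describe_db_instances()` and `boto3.client("ec2").describe_security_groups()` (both calls paginate, so collect every page before auditing). Note that "public" is still the answer's second-best state: an instance with a public IP that is merely filtered by an allow-list is only as safe as that allow-list.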