Complete List of AWS RDS Misconfigurations

  • Sujay Maheshwari
  • Monday, Jul 26, 2021

Amazon Relational Database Service (Amazon RDS) is a web service that lets you focus on your application by giving it the fast performance, high availability, security, and compatibility it needs. Amazon RDS manages your database backups, software patching, automatic failure detection, and recovery, which protects you and your organization from many misconfigurations.
It also helps you set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

Complete List of AWS RDS Misconfigurations 2022

Here is a complete list of misconfigurations you can have in AWS RDS in 2022 and how you can avoid them.

Public Snapshots

To avoid this AWS RDS misconfiguration, ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible, so that your private data is not exposed. Such a vulnerability causes security lapses and SLA breaches. Furthermore, compliance standards like NIST, PCI, APRA, and MAS require you to rectify this misconfiguration.

Cluster Deletion Protection

Another misconfiguration is leaving your Amazon Aurora databases unprotected against accidental deletion. Ensure that Amazon Aurora databases are protected by enabling the Deletion Protection feature at the database cluster level. This makes your application more reliable, helps avoid downtime, and supports operational excellence.

Log Exports Disabled

Having log exports disabled is another misconfiguration. Amazon RDS sends general, slow query, audit, and error logs from your MySQL, Aurora, and MariaDB databases to AWS CloudWatch Logs. Broadcasting these logs to CloudWatch allows you to maintain continuous visibility into database activity, query performance, and errors within your RDS database instances.

Serverless Log Exports Disabled

Aurora Serverless databases offer the Log Exports feature. Enable it to publish general logs, slow query logs, audit logs, and error logs to AWS CloudWatch. Leaving Log Exports disabled on Aurora Serverless databases is a misconfiguration; enabling it improves the security and reliability of your cloud.

Instance Deletion Protection

Amazon RDS provides a Deletion Protection flag for database instances. Ensure it is enabled to prevent accidental deletion of the database.

Automated Backups Disabled

Not enabling automated backups is a misconfiguration. You must enable automated backups of your RDS database instances to ensure point-in-time recovery. NIST and APRA compliances require you to maintain automated backups of your RDS database instances.

Default Port

Port obfuscation is an additional layer of defense against non-targeted attacks. To leverage this, ensure that your Amazon RDS database instances do not use their default ports (MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432).

Desired Instance Type

Another common AWS RDS misconfiguration is when your RDS instance is not of the desired type. RDS database instances should use instance types from a limited set based on the deployed database workload.

Encryption Disabled

RDS database instances should be encrypted to fulfill compliance requirements for data-at-rest encryption. This will help you comply with GDPR, HIPAA, PCI, APRA, MAS, and NIST compliance standards. Leaving instances unencrypted exposes you to data and SLA breaches, so this misconfiguration should be corrected immediately.

Low Storage Space

This is one of the most common AWS RDS misconfigurations: letting storage run out. Insufficient space on disk drives can cause downtime and performance degradation, so RDS databases that run low on disk space put your performance and availability at high risk. Always keep free storage space available.

Instance Counts

Every AWS account has service quotas, including for RDS. Ensure that the number of RDS database instances provisioned in your AWS account has not reached its quota.

Master Username

It is not a good practice to use ‘aws user’ or ‘admin’ as the master username for your database connection. Instead, use a unique alphanumeric username. This will also help you achieve APRA, PCI, and MAS compliance.

Publicly Accessible

Any public-facing RDS database instance provisioned in your AWS account is exposed to unauthorized access attempts, introducing various security risks. Compliance standards that require fixing this are HIPAA, APRA, PCI, MAS, GDPR, and NIST.

Backup Retention Duration

A very common misconfiguration is not having a backup retention policy. As an organization, you should retain backups for a minimum of 7 days.

Unrestricted In/Outbound Access

If the security group attached to your RDS instance allows access from everyone (0.0.0.0/0), it invites malicious users to target your database and weakens your security posture. Rectify this misconfiguration to avoid security lapses and SLA breaches, and to comply with NIST, APRA, MAS, and PCI.
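As an added example (not Cloudanix's code), the following audit flags inbound security-group rules that let the whole Internet reach a database port. It works on the dict shape returned by boto3 ec2.describe_security_groups() (look up the group ids in an instance's VpcSecurityGroups field) and runs offline on the constructed sample groups below.

```python
# Added example (not Cloudanix's code): find security-group ingress rules that
# expose a database port to 0.0.0.0/0 or ::/0. Input shape follows boto3
# ec2.describe_security_groups(); the sample groups at the bottom are constructed.

ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm, port):
    """True if one IpPermissions entry applies to `port` (all-traffic rules count)."""
    if perm.get("IpProtocol") == "-1":        # -1 means every protocol and port
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_to_world(perm):
    """CIDRs in this rule that mean 'everyone', for both IPv4 and IPv6."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def world_open_db_rules(security_groups, port):
    """Return (group id, cidr) pairs whose ingress rules let the Internet reach `port`."""
    hits = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in open_to_world(perm):
                hits.append((sg["GroupId"], cidr))
    return hits


SAMPLE_GROUPS = [  # constructed sample data, not real group ids
    {"GroupId": "sg-0000example01", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # a wide port range that happens to include MySQL's 3306, open to IPv4 world
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000example02", "IpPermissions": [
        # all traffic from the IPv6 world; covers every database port
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000example03", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, cidr in world_open_db_rules(SAMPLE_GROUPS, 3306):
        print(f"{group_id} allows {cidr} to reach port 3306")
```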

Public/Private Not Well Defined in Aurora Clusters

Ensure that all the database instances within your Amazon Aurora clusters have the same accessibility (public or private) to follow AWS best practices. Compliance standards that require this are APRA and MAS.

Backtrack Disabled

Ensure that the Backtrack feature is enabled for your Amazon Aurora with MySQL compatibility database clusters to backtrack your clusters to a specific time without using backups.

RDS instances not using the Latest Generation of Instance Classes

Ensure that all RDS database instances provisioned within your AWS account use the latest generation of instance classes to get the best performance with lower costs.

Transport Encryption feature Disabled

To avoid misconfiguration, ensure that Microsoft SQL Server and PostgreSQL instances provisioned with Amazon RDS have the Transport Encryption feature enabled to meet security and compliance requirements.

Snapshot Encryption feature Disabled

Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted to achieve compliance for data-at-rest encryption within your organization.
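As an added example (not Cloudanix's code) covering both the Public Snapshots section above and this Snapshot Encryption section, the following code classifies RDS instance snapshots as public, shared or private from their restore attribute and flags unencrypted ones. Input shapes follow boto3 rds.describe_db_snapshots() and rds.describe_db_snapshot_attributes(); the records are constructed.

```python
# Added example (not Cloudanix's code): audit RDS snapshots for public sharing
# and missing encryption. Shapes follow boto3 rds.describe_db_snapshots() and
# rds.describe_db_snapshot_attributes(); all records below are constructed.


def snapshot_exposure(attributes_result):
    """Return 'public', 'shared' or 'private' for a DBSnapshotAttributesResult dict.

    The 'restore' attribute lists account IDs allowed to restore the snapshot;
    the special value 'all' makes it restorable by any AWS account.
    """
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        values = attr.get("AttributeValues", [])
        if "all" in values:
            return "public"
        if values:
            return "shared"
    return "private"


def audit_snapshots(snapshots, attributes_by_id):
    """Return {snapshot id: [findings]} for every snapshot that has a problem."""
    report = {}
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        findings = []
        exposure = snapshot_exposure(attributes_by_id.get(sid, {}))
        if exposure == "public":
            findings.append("public_snapshot")
        elif exposure == "shared":
            findings.append("shared_snapshot")   # review the account list
        if not snap.get("Encrypted"):
            findings.append("unencrypted_snapshot")
        if findings:
            report[sid] = findings
    return report


SAMPLE_SNAPSHOTS = [  # constructed sample data
    {"DBSnapshotIdentifier": "example-orders-2021-07-25", "Encrypted": False},
    {"DBSnapshotIdentifier": "example-orders-2021-07-26", "Encrypted": True},
    {"DBSnapshotIdentifier": "example-orders-2021-07-27", "Encrypted": True},
]
SAMPLE_ATTRIBUTES = {  # constructed; keyed by snapshot id, placeholder account id
    "example-orders-2021-07-25": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "example-orders-2021-07-26": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["111111111111"]}]},
    "example-orders-2021-07-27": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": []}]},
}

if __name__ == "__main__":
    for sid, findings in audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES).items():
        print(sid, ", ".join(findings))
```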

IAM DB authentication Disabled

Ensure the IAM Database Authentication feature is enabled to use AWS Identity and Access Management (IAM) service to manage database access to your Amazon RDS MySQL and PostgreSQL instances.

Idle RDS instances

Identify any Amazon RDS database instances that appear to be idle and delete them to lower your monthly AWS bill. This will help with cost optimization.

Overutilized RDS Instances

Identify any Amazon RDS database instances that appear to be overutilized and upgrade (upsize) them to better handle the database workload and improve response time. If you do not upgrade an overutilized RDS database, the quality of service and response time will degrade.

Event Notification Subscriptions Disabled

Not enabling Amazon RDS event notification subscriptions is a misconfiguration. Ensure that Amazon RDS event notification subscriptions are enabled for database instance-level events.

Performance Insights feature Disabled

Your AWS RDS MySQL and PostgreSQL database instances should have the Performance Insights feature enabled to obtain a better overview of the performance of your database.

Auto Minor Version Upgrade flag Disabled

Your RDS database instances should have the Auto Minor Version Upgrade flag enabled to automatically receive minor engine upgrades during the specified maintenance window. If you do not have this, there is a risk of having security lapses.

Not Using Copy Tags to Snapshots feature

Ensure that RDS instances use the Copy Tags to Snapshots feature to allow tags set on database instances to be automatically copied to any automated or manual RDS snapshots created from these instances.

Event Notifications must be enabled

Misconfiguration can be avoided by ensuring that your AWS RDS resources have event notifications enabled to be notified when an event occurs for a given database instance, database snapshot, database security group, or parameter group.

Not Using General Purpose SSDs instead of IOPS SSDs

Ensure that your RDS instances use General Purpose SSDs instead of Provisioned IOPS SSDs for cost-effective storage that fits a broad range of database workloads.

Use customer-managed keys instead of AWS-managed keys

Ensure that your RDS database instances use KMS customer-managed keys (CMKs) rather than AWS-managed keys, to have more granular control over your data-at-rest encryption and decryption process.

RDS DB Instances must not be provisioned in VPC Public Subnets

To avoid misconfiguration, ensure that no AWS RDS database instances are provisioned inside VPC public subnets to protect them from direct exposure to the Internet. This will also ensure the security of the AWS RDS database.

Use Multi-AZ Deployment for RDS

Not using Multi-AZ deployment configurations is a misconfiguration. Ensure that your RDS clusters use Multi-AZ deployment configurations for high availability and automatic failover support fully managed by AWS.
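As an added example (not Cloudanix's code), the following audit evaluates a single DB instance record against the instance-level findings in the sections above: public accessibility, storage encryption and AWS-managed keys, deletion protection, backup retention, default ports, master username, Multi-AZ, IAM DB authentication, Performance Insights, auto minor version upgrade, Copy Tags to Snapshots, and log exports. The record shape follows boto3 rds.describe_db_instances(); whether a KMS key is AWS-managed is assumed to come from kms.describe_key() KeyManager, which the caller passes in. The sample record is constructed.

```python
# Added example (not Cloudanix's code): evaluate one DB instance record, in the
# shape returned by boto3 rds.describe_db_instances(), against the checks above.
DEFAULT_PORTS = {"mysql": 3306, "mariadb": 3306, "aurora-mysql": 3306,
                 "postgres": 5432, "aurora-postgresql": 5432, "sqlserver-ee": 1433,
                 "sqlserver-se": 1433, "sqlserver-ex": 1433, "sqlserver-web": 1433}
WEAK_MASTER_USERNAMES = {"admin", "awsuser", "aws user"}   # compared lower-cased
REQUIRED_LOG_EXPORTS = {"error", "general", "slowquery", "audit"}


def audit_instance(db, aws_managed_keys=frozenset()):
    """Return the misconfigurations found on one instance dict, in check order.
    aws_managed_keys: KMS key ARNs whose kms.describe_key() KeyManager is "AWS";
    RDS reports only the key ARN, so the caller resolves that separately."""
    engine = db.get("Engine", "")
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("publicly_accessible")
    if not db.get("StorageEncrypted"):
        findings.append("encryption_disabled")
    elif db.get("KmsKeyId") in aws_managed_keys:
        findings.append("aws_managed_kms_key")
    if not db.get("DeletionProtection"):
        findings.append("deletion_protection_disabled")
    if db.get("BackupRetentionPeriod", 0) < 7:
        findings.append("backup_retention_below_7_days")
    port = db.get("Endpoint", {}).get("Port")
    if port is not None and port == DEFAULT_PORTS.get(engine):
        findings.append("default_port")
    if db.get("MasterUsername", "").lower() in WEAK_MASTER_USERNAMES:
        findings.append("weak_master_username")
    if not db.get("MultiAZ"):
        findings.append("multi_az_disabled")
    if engine in ("mysql", "postgres"):  # engines the page scopes these features to
        if not db.get("IAMDatabaseAuthenticationEnabled"):
            findings.append("iam_db_auth_disabled")
        if not db.get("PerformanceInsightsEnabled"):
            findings.append("performance_insights_disabled")
    if not db.get("AutoMinorVersionUpgrade"):
        findings.append("auto_minor_version_upgrade_disabled")
    if not db.get("CopyTagsToSnapshot"):
        findings.append("copy_tags_to_snapshot_disabled")
    if engine in ("mysql", "mariadb", "aurora-mysql"):
        if REQUIRED_LOG_EXPORTS - set(db.get("EnabledCloudwatchLogsExports", [])):
            findings.append("log_exports_disabled")
    return findings


SAMPLE_INSTANCE = {  # constructed sample record, not a real account
    "DBInstanceIdentifier": "example-orders-db", "Engine": "mysql",
    "Endpoint": {"Address": "example-orders-db.invalid", "Port": 3306},
    "MasterUsername": "admin", "PubliclyAccessible": True, "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID",
    "DeletionProtection": False, "BackupRetentionPeriod": 1, "MultiAZ": False,
    "IAMDatabaseAuthenticationEnabled": False, "AutoMinorVersionUpgrade": True,
    "CopyTagsToSnapshot": False, "EnabledCloudwatchLogsExports": ["error"],
    "PerformanceInsightsEnabled": False,
}
```

Run it over every record in the DescribeDBInstances response (paginated) and pass the set of key ARNs that KMS reports as AWS-managed; the sample record trips every check except auto minor version upgrade.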

Renew RDS Reserved Instances before expiration (7 days)

Ensure that your AWS RDS Reserved Instances (RIs) are renewed before expiration to get the appropriate discount on the hourly charge for these instances.

Identify failed RDS RI Instances

Identify any failed RDS Reserved Instances (RIs) available within your AWS account. A failed RDS RI is an unsuccessful reservation that received the “payment-failed” status during the purchase process.

Pending RDS RI Purchases

The next common misconfiguration is not keeping track of your pending RDS RI purchases. Identify any pending RDS Reserved Instance (RI) purchases available within your AWS account. A payment-pending RDS RI purchase is a reservation purchase that cannot be fully processed due to issues with the payment method.

Review purchases every 7 days

All Amazon RDS Reserved Instance (RI) purchases should be reviewed every 7 days to confirm that no unwanted reservation purchase has been placed recently.

Security Groups Events Subscriptions Disabled

Ensure that Amazon RDS event notification subscriptions are enabled for database security group events. AWS RDS groups these events into categories that you can subscribe to. Compliance standards that require this are APRA, MAS, and NIST.

Underutilized RDS Instances

Another AWS RDS Misconfiguration is not resizing underutilized Amazon RDS databases. Identify any Amazon RDS database instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill.

Ensure RDS RIs have corresponding DB Instances

Check that all your AWS RDS Reserved Instances (RI) have corresponding database instances running within the same account or within any AWS accounts members of an AWS Organization.

Integrate Amazon Backup with Amazon RDS

Integrating Amazon Backup with Amazon Relational Database Service (RDS) to manage RDS database instance snapshots improves the reliability of your backup strategy and helps you avoid misconfigurations.

How can Cloudanix help?

RDS misconfiguration issues are not new; they have been the largest issue many organizations have faced for years. It is essential to understand what they are and why acting on them immediately is necessary. Cloudanix provides you with a recipe of best practices for RDS that helps audit your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way!
