Amazon RDS manages your cloud and data backup, software patching, automatic failure detection, and recovery, which protects you and your organization from misconfigurations. Amazon Relational Database Service (Amazon RDS) is a web service that allows you to focus on your application and gives them the fast performance, high availability, security, and compatibility they need.
It also helps in setting up, operating, and scaling a relational database in the cloud. For an industry-standard relational database, it provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.
List of AWS RDS Misconfigurations
Here is a complete list of misconfigurations you can have in AWS RDS in 2021 and how you can avoid them.
- Public Snapshots
To avoid any AWS RDS misconfiguration, ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible. This is to avoid exposing your private data. Such a vulnerability causes security lapses and SLA breaches. Furthermore, compliance standards like NIST, PCI, ARPA, and MAS require you to rectify this misconfiguration.
- Cluster Deletion Protection
Another misconfiguration is not protecting your Amazon Aurora databases from accidental deletion. Therefore, you must ensure that Amazon Aurora databases are protected from accidental deletion. This is done by having the Deletion Protection feature enabled at the database cluster level. This makes your application more reliable as this will help avoid downtime and achieve operational excellence.
- Log Exports Disabled
Having log exports disabled is another misconfiguration. Amazon RDS sends general, slow query, audit, and error logs from your MySQL, Aurora, and MariaDB databases to AWS CloudWatch Logs. Broadcasting these logs to CloudWatch allows you to maintain continuous visibility into database activity, query performance, and errors within your RDS database instances.
- Serverless Log Exports Disabled
Aurora Serverless databases offer the Log Exports feature. You should enable it to publish general logs, slow query logs, audit logs, and error logs to AWS CloudWatch. To avoid any misconfiguration, Aurora Serverless databases should be enabled. It will provide security and reliability to your cloud.
- Instance Deletion Protection
Instance deletion can be protected by ensuring you have a deletion protection flag enabled in Amazon RDS. Amazon RDS provides a Deletion Protection Flag, which should be enabled to prevent accidental prevention of the database.
- Automated Backups Disabled
Not enabling automated backups is a misconfiguration. You must enable automated backups of your RDS database instances to ensure point-in-time recovery. NIST and ARPA compliances require you to maintain automated backups of your RDS database instances.
- Default Port
Port obfuscation is an additional layer of defense against non-targeted attacks. To leverage this, ensure that your Amazon RDS database instances do not use their default ports (MySQL/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432).
- Desired Instance Type
Another common misconfiguration is when your RDS instance is not of the desired type. RDS database instances should use instance types from a limited set based on the deployed database workload.
- Encryption Disabled
RDS database instances should be encrypted to fulfill compliance requirements for data-at-rest encryption. This will help you comply with GDPR, HIPAA, PCI, APRA, MAS, and NIST compliance standards. Having this misconfiguration will expose you to data and SLA breaches. If you have this misconfiguration, it should be corrected immediately.
- Low Storage Space
You should always free up storage space. Insufficient space on disk drives can cause downtimes and performance degradation. If your RDS databases run low on disk space, they introduce a high risk of hurting your performance and availability.
- Instance Counts
AWS account has limited quotas on every service, including RDS. Ensure that the number of RDS database instances provisioned in your AWS account has not reached the limit quota.
- Master Username
It is not a good practice to use ‘aws user’ or ‘admin’ as the master username for your database connection. Instead, use a unique alphanumeric username. This will also help you achieve APRA, PCI, and MAS compliances.
- Publicly Accessible
Any public-facing RDS database instances provisioned in your AWS account allows unauthorized access, thereby introducing various security risks. Compliance standards required for this are HIPAA, APRA, PCI, MAS, GDPR, NIST.
- Backup Retention Duration
A very common misconfiguration is not having a backup policy. As an organization, you should have a backup policy with at least a minimum of 7 days.
- Unrestricted In/Outbound Access
If your RDS instance and its security group allow access to everyone by setting 0.0.0.0/0, it invites malicious users to target your database and makes your security posture more vulnerable. This misconfiguration needs to be rectified to avoid security lapses and SLA breaches; and comply with NIST, APRA, MAS, and PCI.
- Public/Private Not Well Defined in Aurora Clusters
Ensure that all the database instances within your Amazon Aurora clusters have the same accessibility (public or private) to follow AWS best practices. Compliance standards required for this are APRA MAS.
- Backtrack Disabled
Ensure that the Backtrack feature is enabled for your Amazon Aurora with MySQL compatibility database clusters to backtrack your clusters to a specific time without using backups.
- RDS instances not using Latest Generation of Instance Classes
Ensure that all RDS database instances provisioned within your AWS account use the latest generation of instance classes to get the best performance with lower costs.
- Transport Encryption feature Disabled
To avoid misconfiguration, ensure that Microsoft SQL Server and PostgreSQL instances provisioned with Amazon RDS have Transport Encryption feature enabled to meet security and compliance requirements.
- Snapshot Encryption feature Disabled
Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted to achieve compliance for data-at-rest encryption within your organization.
- IAM DB authentication Disabled
Ensure the IAM Database Authentication feature is enabled to use AWS Identity and Access Management (IAM) service to manage database access to your Amazon RDS MySQL and PostgreSQL instances.
- Idle RDS instances
Misconfiguration can be avoided by Identifying any Amazon RDS database instances that appear to be idle and delete them to help lower the cost of your monthly AWS bill. This will help in cost optimization.
- Overutilized RDS Instances
Identify any Amazon RDS database instances that appear to be overutilized and upgrade (upsize) them to help handle better the database workload and improve the response time. If you do not upgrade the RDS database, it can decrease the quality of work and response time.
- Event Notification Subscriptions Disabled
Not enabling Amazon RDS event notification subscriptions is a misconfiguration. Ensure that Amazon RDS event notification subscriptions are enabled for database instance-level events.
- Performance Insights feature Disabled
Your AWS RDS MySQL and PostgreSQL database instances should have the Performance Insights feature enabled to obtain a better overview of the performance of your database.
- Auto Minor Version Upgrade flag Disabled
Your RDS database instances should have the Auto Minor Version Upgrade flag enabled to automatically receive minor engine upgrades during the specified maintenance window. If you do not have this, there is a risk of having security lapses.
- Not Using Copy Tags to Snapshots feature
Ensure that RDS instances use the Copy Tags to Snapshots feature to allow tags set on database instances to be automatically copied to any automated or manual RDS snapshots created from these instances.
- Event Notifications must be enabled
Misconfiguration can be avoided by ensuring that your AWS RDS resources have event notifications enabled to be notified when an event occurs for a given database instance, database snapshot, database security group, or parameter group.
- Not Using General Purpose SSDs instead of IOPS SSDs
Ensure that your RDS instances use General Purpose SSDs instead of Provisioned IOPS SSDs for cost-effective storage that fits a broad range of database workloads.
- Use customer-managed keys instead of AWS-managed keys
Ensure that your RDS database instances use KMS CMK customer-managed keys rather than AWS-managed keys to have more granular control over your data-at-rest encryption/decryption process.
- RDS DB Instances must not be provisioned in VPC Public Subnets
To avoid misconfiguration, ensure that no AWS RDS database instances are provisioned inside VPC public subnets to protect them from direct exposure to the Internet. This will also ensure the security of the AWS RDS database.
- Use Multi-AZ Deployment for RDS
Not using Multi-AZ deployment configurations is a misconfiguration. Ensure that your RDS clusters use Multi-AZ deployment configurations for high availability and automatic failover support fully managed by AWS.
- Renew RDS Reserved Instances before expiration (7 days)
Ensure that your AWS RDS Reserved Instances (RIs) are renewed before expiration to get the appropriate discount on the hourly charge for these instances.
- Identify failed RDS RI Instances
Identify any failed RDS Reserved Instances (RIs) available within your AWS account. A failed RDS RI is an unsuccessful reservation that received the “payment-failed” status during the purchase process.
- Pending RDS RI Purchases
The next common misconfiguration is not keeping track of your pending RDS RI purchases. Identify any pending RDS Reserved Instance (RI) purchases available within your AWS account. A payment-pending RDS RI purchase is a reservation purchase that cannot be fully processed due to issues with the payment method.
- Review purchases every 7 days
All Amazon RDS Reserved Instance (RI) purchases should be reviewed every 7 days to confirm that no unwanted reservation purchase has been placed recently.
- Security Groups Events Subscriptions Disabled
Ensure that Amazon RDS event notification subscriptions are enabled for database security group events. AWS RDS groups these events into categories that you can subscribe to. Compliance standards required by this are APRA, MAS, NIST.
- Underutilized RDS Instances
Another misconfiguration is not resizing underutilized Amazon RDS databases. Identify any Amazon RDS database instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill.
- Ensure RDS RIs have corresponding DB Instances
Check that all your AWS RDS Reserved Instances (RI) have corresponding database instances running within the same account or within any AWS accounts members of an AWS Organization.
- Integrate Amazon Backup with Amazon RDS
Ensuring that Amazon Backup is integrated with Amazon Relational Database Service (RDS) to manage RDS database instance snapshots and improve the reliability of your backup strategy can help you avoid misconfigurations.
How Can Cloudanix Help?
RDS Misconfigurations issues are not new. It is the largest issue faced by organizations for years. It is essential to understand what they are and why acting on them immediately is necessary. Cloudanix provides you with a recipe for best practices for RDS that helps audits your AWS account for these misconfigurations and more! We also help you remediate these misconfigurations in an automated way! What’s more? You can sign up for a free trial here today!