Cloudanix
AWS RDS Audit
RDS Database Snapshots Should Not Be Public
Your AWS Relational Database Service (RDS) database snapshots should not be publicly accessible. A snapshot whose "restore" attribute is set to "all" can be copied and restored by any AWS account, which exposes every row of data it contains.
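The check above, as an added example (this is not Cloudanix's code): it classifies how each manual snapshot is shared, using the response shape of the RDS DescribeDBSnapshotAttributes API. The sample responses and the function names are constructed for this example.

```python
# Added example, not Cloudanix's own code: classify how each RDS manual snapshot is shared.
# Input follows the response shape of the RDS DescribeDBSnapshotAttributes API, where the
# "restore" attribute lists the accounts allowed to copy or restore the snapshot, and the
# special value "all" makes it public.
from typing import Dict, List


def snapshot_sharing(attr_result: Dict) -> Dict:
    """Summarise one DescribeDBSnapshotAttributes response."""
    result = attr_result["DBSnapshotAttributesResult"]
    values: List[str] = []
    for attr in result["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore":
            values = attr.get("AttributeValues", [])
    return {
        "snapshot": result["DBSnapshotIdentifier"],
        "public": "all" in values,
        "shared_with": [v for v in values if v != "all"],
    }


def public_snapshots(attr_results: List[Dict]) -> List[str]:
    """Identifiers of snapshots that any AWS account can restore."""
    return [s["snapshot"] for s in map(snapshot_sharing, attr_results) if s["public"]]


# Constructed sample responses (not real AWS data): one public snapshot, one shared
# with a single account, one private.
SAMPLE_ATTRIBUTES = [
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-db-final",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-db-2024-01-01",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]}},
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "staging-db",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
]

if __name__ == "__main__":
    for summary in map(snapshot_sharing, SAMPLE_ATTRIBUTES):
        print(summary)
    # Against a live account the input for each snapshot comes from
    #   rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=...)
    # and a public snapshot is fixed with
    #   rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=..., AttributeName="restore",
    #                                    ValuesToRemove=["all"])
```

Only manual snapshots can be shared (automated snapshots have to be copied first), so the list to feed in comes from describe_db_snapshots with SnapshotType set to manual. Aurora cluster snapshots have the same attribute model under DescribeDBClusterSnapshotAttributes.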
Cluster Deletion Protection Should Be Enabled
Amazon Aurora databases should be protected from accidental deletion. This is done by having Deletion Protection feature enabled at the database cluster level.
Log Exports Should Be Enabled
Amazon RDS can publish general, slow query, audit and error logs from your MySQL, Aurora and MariaDB databases to Amazon CloudWatch Logs. Exporting these logs to CloudWatch gives you continuous visibility into database activity, query performance and errors within your RDS database instances, and keeps the logs available after the instance itself is gone.
Serverless Log Exports Should Be Enabled
Aurora Serverless databases should have the Log Exports feature enabled in order to publish general logs, slow query logs, audit logs and error logs to Amazon CloudWatch Logs.
Instance Deletion Protection Should Be Enabled
Amazon RDS provides a Deletion Protection flag which should be enabled to prevent accidental deletion of the database instance.
Automated Backups Should Be Enabled
Automated backups of your RDS database instances should be enabled to ensure point-in-time recovery.
RDS Database Instances Should Not Use Default Ports
Port obfuscation is an additional layer of defense against non-targeted attacks and mass scanning. In order to leverage this, your Amazon RDS database instances should not use their default ports (MySQL/MariaDB/Aurora port 3306, SQL Server port 1433, PostgreSQL port 5432). A non-default port is not a substitute for network access controls; a targeted scanner will still find the listener.
RDS Instance Should Be of Desired Type
It is recommended that RDS database instances use instance types from an approved set chosen for the database workload deployed, so that unexpected (and unbudgeted) instance classes are caught.
RDS Instances Should Have Encryption Enabled
RDS database instances should be encrypted to fulfill compliance requirements for data-at-rest encryption.
RDS Databases Should Have Free Storage Space
If your RDS databases are running low on disk space, performance degrades and the instance can become unavailable once storage is exhausted.
RDS Instance Count Should Not Exceed Limit
Every AWS account has service quotas for each service, including RDS. The number of RDS database instances provisioned in your AWS account should not have reached the quota, otherwise new instances (including failover replacements) cannot be created.
Master Username Should Be Unique
It is not a good practice to use awsuser or admin as the master username for your database connection, since these are the first names an attacker will try. Instead, use a unique alphanumeric username.
RDS Instances Should Not Be Publicly Accessible
RDS database instances provisioned in your AWS account should not be publicly accessible. Keep the Publicly Accessible flag off so the instance receives no public DNS name, and restrict access to known sources in order to minimise security risks.
Backup Retention Duration Should Be Present
As an organization you should have a backup policy with a retention period of at least 7 days.
RDS Instances Should Not Allow Unrestricted In/Outbound Access
If your RDS instance's security group allows access from everyone by using 0.0.0.0/0 (or ::/0 for IPv6), it invites malicious users to target your database and weakens your security posture.
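The exposure checks above (public accessibility, default port, and security groups open to the world), as an added example that is not Cloudanix's code: it combines the instance's own flags with the ingress rules of the attached VPC security groups, matching the port range of each rule against the instance's listening port. Inputs follow the response shapes of RDS DescribeDBInstances and EC2 DescribeSecurityGroups; the instances, group IDs and function names are constructed for this example.

```python
# Added example, not Cloudanix's own code: report Internet exposure of RDS instances by
# combining the instance's own PubliclyAccessible flag and port with the ingress rules of
# the VPC security groups attached to it. Inputs follow the response shapes of RDS
# DescribeDBInstances and EC2 DescribeSecurityGroups; sample data is constructed.
from typing import Dict, List

# Engine default ports from the page; an instance listening on one of these is flagged.
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "sqlserver-ee": 1433, "sqlserver-se": 1433, "sqlserver-ex": 1433, "sqlserver-web": 1433,
}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def permission_covers(perm: Dict, port: int) -> bool:
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_cidrs(sg: Dict, port: int) -> List[str]:
    """CIDRs in `sg` that allow the whole Internet to reach `port`."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        if not permission_covers(perm, port):
            continue
        hits += [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in ANYWHERE]
        hits += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in ANYWHERE]
    return hits


def exposure_findings(instance: Dict, groups_by_id: Dict[str, Dict]) -> List[str]:
    """Human-readable findings for one DB instance; an empty list means nothing to report."""
    findings = []
    port = instance["Endpoint"]["Port"]
    if instance.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible is true")
    if DEFAULT_PORTS.get(instance["Engine"]) == port:
        findings.append(f"uses engine default port {port}")
    for ref in instance.get("VpcSecurityGroups", []):
        sg = groups_by_id.get(ref["VpcSecurityGroupId"])
        if sg is None:
            continue
        for cidr in world_open_cidrs(sg, port):
            findings.append(f"{sg['GroupId']} allows {cidr} to port {port}")
    return findings


def audit(instances: List[Dict], groups: List[Dict]) -> Dict[str, List[str]]:
    by_id = {g["GroupId"]: g for g in groups}
    return {i["DBInstanceIdentifier"]: exposure_findings(i, by_id) for i in instances}


# Constructed sample data. "legacy-mysql" is public, on 3306, behind a group open to the
# world; "app-pg" is private, on a non-default port, reachable only from 10.0.0.0/8.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "PubliclyAccessible": True,
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d"}]},
    {"DBInstanceIdentifier": "app-pg", "Engine": "postgres", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5433}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0e5f6a7b"}]},
]
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5433,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES, SAMPLE_GROUPS).items():
        print(name, findings or "ok")
```

An open security group on an instance that is not publicly accessible is still reported: it is not reachable from the Internet today, but flipping one flag would make it so. Note that a rule with IpProtocol "-1" covers every port, so a rule check that only looks at FromPort/ToPort would miss it.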
Accessibility Should Be Well-defined in Aurora Clusters
All the database instances within your Amazon Aurora clusters should have the same accessibility (either public or private) in order to follow AWS best practices.
Backtrack Feature Should Be Enabled
The Backtrack feature should be enabled for your Amazon Aurora MySQL-compatible database clusters in order to rewind a cluster to a specific point in time without restoring from a backup.
RDS Instances Should Use Latest Generation of Instance Classes
All RDS database instances provisioned within your AWS account should be using the latest generation of instance classes in order to get the best performance at lower cost.
Transport Encryption Feature Should Be Enabled
Microsoft SQL Server and PostgreSQL instances provisioned with Amazon RDS should have the Transport Encryption feature enabled in order to meet security and compliance requirements. For both engines this is enforced by setting the rds.force_ssl parameter to 1 in the instance's DB parameter group, which rejects unencrypted client connections.
Snapshot Encryption Feature Should Be Enabled
Your Amazon Relational Database Service (RDS) snapshots should be encrypted in order to achieve compliance for data-at-rest encryption within your organization. Snapshots of an encrypted instance are encrypted automatically; snapshots of an unencrypted instance can only be encrypted by copying them with a KMS key.
IAM DB authentication Should Be Enabled
The IAM Database Authentication feature should be enabled in order to use AWS Identity and Access Management (IAM) to manage database access to your Amazon RDS MySQL and PostgreSQL instances, replacing long-lived database passwords with short-lived authentication tokens.
RDS instances Should Not Be Idle
Identify any Amazon RDS database instances that appear to be idle and delete them (after taking a final snapshot) to help lower the cost of your monthly AWS bill.
Event Notification Subscriptions Should Be Enabled
Amazon RDS event notification subscriptions should be enabled for database instance level events.
RDS Instances Should Not Be Overutilized
Identify any Amazon RDS database instances that appear to be overutilized and upgrade (upsize) them to better handle the database workload and improve response time.
Performance Insights Feature Should Be Enabled
Your AWS RDS MySQL and PostgreSQL database instances should have the Performance Insights feature enabled in order to obtain a better overview of your database performance.
Auto Minor Version Upgrade flag Should Be Enabled
Your RDS database instances should have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades, including security patches, during the specified maintenance window.
RDS Instances Should Make Use of Copy Tags
RDS instances should make use of the Copy Tags to Snapshots feature in order to allow tags set on database instances to be automatically copied to any automated or manual RDS snapshots created from these instances.
Use Customer-Managed Keys instead of AWS-managed Keys
Your RDS database instances should be encrypted with KMS customer managed keys (CMKs) rather than AWS managed keys in order to have more granular control over your data-at-rest encryption: a CMK lets you define the key policy, rotate the key on your own schedule, and disable it to revoke access.
Event Notifications Should Be Enabled
Your AWS RDS resources should have event notifications enabled in order to be notified when an event occurs for a given database instance, database snapshot, database security group or database parameter group
General Purpose SSDs Should Be Used Instead of IOPS SSDs
Your RDS instances should be using General Purpose SSDs instead of Provisioned IOPS SSDs for cost-effective storage that fits a broad range of database workloads
RDS DB Instances Should Not Be Provisioned in VPC Public Subnets
No AWS RDS database instances should be provisioned inside VPC public subnets (subnets whose route table has a route to an internet gateway) in order to protect them from direct exposure to the Internet.
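The public-subnet check above, as an added example that is not Cloudanix's code: it resolves the effective route table of every subnet in an RDS DB subnet group (explicit association first, otherwise the VPC main table) and reports the subnets whose table routes to an internet gateway. Inputs follow the response shapes of RDS DescribeDBSubnetGroups and EC2 DescribeRouteTables; the VPC, subnet and gateway identifiers are constructed for this example.

```python
# Added example, not Cloudanix's own code: find subnets in an RDS DB subnet group that are
# public, using the AWS definition of a public subnet: its effective route table has a
# route to an internet gateway. Inputs follow the response shapes of RDS
# DescribeDBSubnetGroups and EC2 DescribeRouteTables; sample data is constructed.
from typing import Dict, List


def effective_route_table(subnet_id: str, vpc_id: str, route_tables: List[Dict]) -> Dict:
    """A subnet uses its explicitly associated table; otherwise the VPC main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no main route table found for {vpc_id}")
    return main


def routes_to_internet_gateway(rt: Dict) -> bool:
    """True if any active route targets an internet gateway (igw-...)."""
    return any(
        route.get("State", "active") == "active"
        and str(route.get("GatewayId", "")).startswith("igw-")
        for route in rt.get("Routes", [])
    )


def public_subnets(subnet_group: Dict, route_tables: List[Dict]) -> List[str]:
    """Subnet identifiers in the DB subnet group that are public."""
    vpc_id = subnet_group["VpcId"]
    return [
        s["SubnetIdentifier"]
        for s in subnet_group["Subnets"]
        if routes_to_internet_gateway(
            effective_route_table(s["SubnetIdentifier"], vpc_id, route_tables))
    ]


# Constructed sample data: subnet-a has an explicit public table, subnet-b routes out via
# a NAT gateway, subnet-c has no association and inherits the local-only main table.
SAMPLE_SUBNET_GROUP = {
    "DBSubnetGroupName": "app-db-subnets", "VpcId": "vpc-0123",
    "Subnets": [{"SubnetIdentifier": s} for s in ("subnet-a", "subnet-b", "subnet-c")],
}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0123",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0123",
     "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0123",
     "Associations": [{"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]},
]

if __name__ == "__main__":
    print(public_subnets(SAMPLE_SUBNET_GROUP, SAMPLE_ROUTE_TABLES))
```

The fallback to the main route table matters: a subnet with no explicit association is public if the VPC main table routes to an internet gateway, which is exactly the case a check that only looks at explicit associations misses. A NAT gateway route is outbound-only and does not make the subnet public.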
Multi-AZ Deployment Should Be Used
Your RDS instances and Aurora clusters should be using Multi-AZ deployment configurations for high availability and automatic failover support fully managed by AWS.
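The instance-level flag checks on this page (deletion protection, automated backups and retention, storage encryption, customer managed KMS keys, log exports, IAM DB authentication, Performance Insights, auto minor version upgrade, copy tags to snapshot, Multi-AZ, and generic master usernames), evaluated together as one table-driven checklist. This is an added example, not Cloudanix's code: it reads the RDS DescribeDBInstances response shape and the KeyManager field of KMS DescribeKey; the required log-export sets, the threshold constant and all sample instances and key ARNs are constructed for this example.

```python
# Added example, not Cloudanix's own code: a table-driven evaluation of the instance-level
# flags described on this page. Input follows the RDS DescribeDBInstances response shape,
# and the key-manager lookup follows the KMS DescribeKey KeyMetadata shape. Sample data
# is constructed.
from typing import Callable, Dict, List, Tuple

MIN_RETENTION_DAYS = 7
GENERIC_USERNAMES = {"admin", "awsuser"}           # the names called out on the page
REQUIRED_LOG_EXPORTS = {
    "mysql": {"audit", "error", "general", "slowquery"},
    "mariadb": {"audit", "error", "general", "slowquery"},
    "aurora-mysql": {"audit", "error", "general", "slowquery"},
    "postgres": {"postgresql", "upgrade"},
    "aurora-postgresql": {"postgresql"},
}
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgresql"}


def log_exports_complete(i: Dict) -> bool:
    required = REQUIRED_LOG_EXPORTS.get(i["Engine"], set())
    return required <= set(i.get("EnabledCloudwatchLogsExports", []))


# (check name, predicate that returns True when the instance passes)
CHECKS: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("deletion_protection", lambda i: i.get("DeletionProtection") is True),
    ("automated_backups", lambda i: i.get("BackupRetentionPeriod", 0) > 0),
    ("backup_retention", lambda i: i.get("BackupRetentionPeriod", 0) >= MIN_RETENTION_DAYS),
    ("storage_encrypted", lambda i: i.get("StorageEncrypted") is True),
    ("log_exports", log_exports_complete),
    ("iam_db_auth", lambda i: i["Engine"] not in IAM_AUTH_ENGINES
                              or i.get("IAMDatabaseAuthenticationEnabled") is True),
    ("performance_insights", lambda i: i.get("PerformanceInsightsEnabled") is True),
    ("auto_minor_version_upgrade", lambda i: i.get("AutoMinorVersionUpgrade") is True),
    ("copy_tags_to_snapshot", lambda i: i.get("CopyTagsToSnapshot") is True),
    ("multi_az", lambda i: i.get("MultiAZ") is True),
    ("master_username", lambda i: i.get("MasterUsername", "").lower() not in GENERIC_USERNAMES),
]


def uses_customer_managed_key(i: Dict, key_metadata: Dict[str, Dict]) -> bool:
    """KMS DescribeKey reports KeyManager 'CUSTOMER' for CMKs and 'AWS' for AWS managed keys."""
    meta = key_metadata.get(i.get("KmsKeyId", ""))
    return bool(meta) and meta.get("KeyManager") == "CUSTOMER"


def failed_checks(i: Dict, key_metadata: Dict[str, Dict]) -> List[str]:
    """Names of the checks this instance fails, in CHECKS order."""
    failed = [name for name, passes in CHECKS if not passes(i)]
    # Key provenance only makes sense once storage encryption is on.
    if i.get("StorageEncrypted") and not uses_customer_managed_key(i, key_metadata):
        failed.append("customer_managed_key")
    return failed


# Constructed sample data: a hardened PostgreSQL instance and a legacy MySQL instance.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111":
        {"KeyManager": "CUSTOMER"},
    "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222":
        {"KeyManager": "AWS"},
}
HARDENED = {
    "DBInstanceIdentifier": "app-pg", "Engine": "postgres", "MasterUsername": "svc_app_owner",
    "DeletionProtection": True, "BackupRetentionPeriod": 14, "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111",
    "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"],
    "IAMDatabaseAuthenticationEnabled": True, "PerformanceInsightsEnabled": True,
    "AutoMinorVersionUpgrade": True, "CopyTagsToSnapshot": True, "MultiAZ": True,
}
LEGACY = {
    "DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql", "MasterUsername": "admin",
    "DeletionProtection": False, "BackupRetentionPeriod": 1, "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222",
    "EnabledCloudwatchLogsExports": ["error"],
    "IAMDatabaseAuthenticationEnabled": False, "PerformanceInsightsEnabled": False,
    "AutoMinorVersionUpgrade": False, "CopyTagsToSnapshot": False, "MultiAZ": False,
}

if __name__ == "__main__":
    for inst in (HARDENED, LEGACY):
        print(inst["DBInstanceIdentifier"], failed_checks(inst, SAMPLE_KEYS) or "all checks pass")
```

Against a live account the instances come from describe_db_instances and each KmsKeyId is resolved with kms.describe_key, whose KeyMetadata.KeyManager is the field that distinguishes a customer managed key from an AWS managed one. Keeping the checks as a list of named predicates makes adding a check a one-line change and keeps the finding names stable for ticketing.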
Renew RDS Reserved Instances Before Expiration (30 days)
Your AWS RDS Reserved Instances (RIs) should be renewed before expiration in order to get the appropriate discount on the hourly charge for these instances
Renew RDS Reserved Instances Before Expiration (7 days)
Your AWS RDS Reserved Instances (RIs) should be renewed before expiration in order to get the appropriate discount on the hourly charge for these instances
RDS Reserved Instances Should Not Have Status - Payment Failed
Identify any failed RDS Reserved Instances (RIs) available within your AWS account. A failed RDS RI is an unsuccessful reservation that received the "payment-failed" status during the purchase process.
RDS Reserved Instances Should Not Have Status - Payment Pending
Identify any pending RDS Reserved Instance (RI) purchases available within your AWS account. A payment-pending RDS RI purchase is a reservation purchase that cannot be fully processed due to issues with the payment method.
RDS Reserved Instances Purchases Should Be Reviewed Every 7 Days
All Amazon RDS Reserved Instance (RI) purchases should be reviewed every 7 days in order to confirm that no unwanted reservation purchase has been placed recently.
Security Groups Events Subscriptions Should Be Enabled
Amazon RDS event notification subscriptions should be enabled for database security groups events. AWS RDS groups these events into categories that you can subscribe to.
RDS Instances Should Not Be Underutilized
Identify any Amazon RDS database instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill
RDS RIs Should Have a Corresponding DB Instance
All your AWS RDS Reserved Instances (RIs) should have corresponding database instances running within the same account or within a member account of the same AWS Organization, otherwise the reservation is paid for but unused.
AWS Backup Should Be Integrated with Amazon RDS
AWS Backup should be integrated with Amazon Relational Database Service (RDS) in order to manage RDS database instance snapshots centrally and improve the reliability of your backup strategy.