AWS RDS Audit

Your data needs the highest level of protection. Cloudanix can help you with that!

What we do

Public Snapshots

Ensure that your Amazon Relational Database Service (RDS) database snapshots are not publicly accessible. A public snapshot can be copied and restored by any AWS account, so this setting exposes the full contents of your database, not just the running instance.

Addresses: Security
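As an added example (not Cloudanix code, and not from the original page), the following Python evaluates the JSON that `aws rds describe-db-snapshot-attributes` returns for each snapshot and flags those whose `restore` attribute contains the literal value `all`, which is what "public" means for an RDS snapshot. The snapshot identifiers and account ID are constructed sample data; the same shape and logic apply to Aurora cluster snapshots via `describe-db-cluster-snapshot-attributes`.

```python
"""Flag RDS snapshots that are shared publicly (restore attribute contains 'all')."""
from typing import Dict, List

# Constructed sample shaped like DBSnapshotAttributesResult from
# `aws rds describe-db-snapshot-attributes`; identifiers and account ID are made up.
SAMPLE_ATTRIBUTE_RESULTS = [
    {
        "DBSnapshotIdentifier": "prod-orders-2024-05-01",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all"]},
        ],
    },
    {
        "DBSnapshotIdentifier": "prod-orders-2024-05-02",
        # Shared with one specific account: not public, but worth reviewing.
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["123456789012"]},
        ],
    },
    {
        "DBSnapshotIdentifier": "staging-orders-2024-05-02",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": []},
        ],
    },
]


def restore_grants(result: Dict) -> List[str]:
    """Return the account IDs (or the literal 'all') allowed to restore this snapshot."""
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public_snapshot(result: Dict) -> bool:
    """A snapshot is public exactly when 'all' appears in its restore grants."""
    return "all" in restore_grants(result)


def find_public_snapshots(results: List[Dict]) -> List[str]:
    """Identifiers of every snapshot in the result set that is shared publicly."""
    return [r["DBSnapshotIdentifier"] for r in results if is_public_snapshot(r)]


def find_shared_snapshots(results: List[Dict]) -> Dict[str, List[str]]:
    """Snapshots shared with specific accounts (excluding the public marker), for review."""
    shared: Dict[str, List[str]] = {}
    for r in results:
        accounts = [g for g in restore_grants(r) if g != "all"]
        if accounts:
            shared[r["DBSnapshotIdentifier"]] = accounts
    return shared


def remediation_command(snapshot_id: str) -> str:
    """AWS CLI call that removes the public grant while keeping account-level shares."""
    return (
        "aws rds modify-db-snapshot-attribute "
        f"--db-snapshot-identifier {snapshot_id} "
        "--attribute-name restore --values-to-remove all"
    )


if __name__ == "__main__":
    for snap in find_public_snapshots(SAMPLE_ATTRIBUTE_RESULTS):
        print(f"PUBLIC  {snap}\n        fix: {remediation_command(snap)}")
    for snap, accounts in find_shared_snapshots(SAMPLE_ATTRIBUTE_RESULTS).items():
        print(f"SHARED  {snap} -> {', '.join(accounts)}")
```

To run this against real data, list identifiers with `aws rds describe-db-snapshots --snapshot-type manual` and call `describe-db-snapshot-attributes` for each; only manual snapshots can be shared, automated ones cannot. Encrypted snapshots cannot be made public at all, so encrypting at the source removes this failure mode entirely.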

Cluster Deletion Protection

Ensure that Amazon Aurora databases are protected from accidental deletion. This is done by having Deletion Protection feature enabled at the database cluster level.

Addresses: Operational Maturity, Reliability

Log Exports Enabled

Amazon RDS can publish general, slow query, audit and error logs from your MySQL, Aurora and MariaDB databases to Amazon CloudWatch Logs. Publishing these logs to CloudWatch gives you continuous visibility into database activity, query performance and errors on your RDS database instances, and keeps the audit trail outside the database host itself.

Addresses: Security, Reliability, Operational Maturity

Serverless Log Exports Enabled

Aurora Serverless clusters also offer the Log Exports feature. Enable it to publish general logs, slow query logs, audit logs and error logs to Amazon CloudWatch Logs. For Aurora the setting lives on the cluster rather than on individual instances.

Addresses: Security, Reliability, Operational Maturity

Instance Deletion Protection

Amazon RDS provides a Deletion Protection flag on each DB instance. Enable it so that the instance cannot be deleted, whether by accident or by a compromised credential, until the flag is explicitly turned off.

Addresses: Security, Operational Maturity, Reliability

Automated Backups Enabled

Enable automated backups of your RDS database instances to allow point-in-time recovery. A backup retention period of 0 days turns automated backups off entirely.

Addresses: Reliability, Operational Maturity

Default Port

Port obfuscation is an additional layer of defence against non-targeted attacks such as mass scans for well-known database ports. To benefit from it, ensure that your Amazon RDS database instances do not use their engine's default port (MySQL/Aurora MySQL 3306, SQL Server 1433, PostgreSQL 5432). This only reduces noise; it does not replace security group restrictions, and a targeted attacker scanning the host will find the port regardless.

Addresses: Security

Desired Instance Type

It is recommended that RDS database instances use instance types from a limited set based on the database workload deployed.

Addresses: Reliability, Operational Maturity

Encryption Enabled

RDS database instances should have storage encryption (AWS KMS) enabled to meet data-at-rest encryption requirements. Encryption can only be chosen when an instance is created; to encrypt an existing unencrypted instance, take a snapshot, copy it with encryption enabled and restore from the copy.

Addresses: Security

Free Storage Space

RDS databases that are running low on free storage space are at high risk of degraded performance and, once storage is exhausted, of becoming unavailable.

Addresses: Reliability, Operational Maturity

Instance Counts

Every AWS account has service quotas for each service, including RDS. Ensure that the number of RDS DB instances provisioned in your AWS account has not reached the quota; once it has, new instances, including restores from snapshot, cannot be created.

Addresses: Security

Master Username

It is not good practice to use awsuser or admin as the master username for your database. A predictable username hands an attacker half of the credential pair. Use a unique alphanumeric username instead.

Addresses: Security

Publicly Accessible

Identify any publicly accessible RDS database instances provisioned in your AWS account and restrict access to them in order to minimise security risks. An instance with Publicly Accessible enabled receives a public IP address, and its endpoint DNS name resolves to that address from outside the VPC.

Addresses: Security

Backup Retention Duration

As an organization you should have a backup policy with a retention period of at least 7 days, and set the RDS backup retention period to match.

Addresses: Reliability, Operational Maturity
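The instance-level checks above (Log Exports, Instance Deletion Protection, Automated Backups, Default Port, Encryption, Master Username, Publicly Accessible and Backup Retention) all read fields of the same `aws rds describe-db-instances` response, so one evaluator covers them. This is an added example written for this page, not Cloudanix code; the two sample instances are constructed, the Oracle port and the PostgreSQL log set extend the page's lists, and the extra weak usernames beyond awsuser and admin are an assumption.

```python
"""Evaluate RDS DB instance settings against the instance-level checks on this page."""
from typing import Dict, List

# Engine-specific default ports; an instance listening on its default port is
# trivially found by scanners. Oracle (1521) is added beyond the page's list.
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "sqlserver-ee": 1433, "sqlserver-se": 1433, "sqlserver-ex": 1433, "sqlserver-web": 1433,
    "oracle-ee": 1521, "oracle-se2": 1521,
}

# Log types that should be exported to CloudWatch Logs per engine. The MySQL-family
# set is the one the page names; the PostgreSQL entries are an assumption.
REQUIRED_LOG_EXPORTS = {
    "mysql": {"error", "general", "slowquery", "audit"},
    "mariadb": {"error", "general", "slowquery", "audit"},
    "aurora-mysql": {"error", "general", "slowquery", "audit"},
    "postgres": {"postgresql"},
    "aurora-postgresql": {"postgresql"},
}

# 'awsuser' and 'admin' come from the page; the rest are common engine defaults.
WEAK_MASTER_USERNAMES = {"awsuser", "admin", "root", "postgres", "sa"}

# Constructed sample shaped like the DBInstances list from `aws rds describe-db-instances`.
SAMPLE_INSTANCES = [
    {   # deliberately misconfigured: should trip every check
        "DBInstanceIdentifier": "legacy-mysql",
        "Engine": "mysql",
        "MasterUsername": "admin",
        "PubliclyAccessible": True,
        "StorageEncrypted": False,
        "DeletionProtection": False,
        "BackupRetentionPeriod": 0,
        "Endpoint": {"Address": "legacy-mysql.example.us-east-1.rds.amazonaws.com", "Port": 3306},
        "EnabledCloudwatchLogsExports": [],
    },
    {   # compliant
        "DBInstanceIdentifier": "orders-pg",
        "Engine": "postgres",
        "MasterUsername": "ord_svc_7k2",
        "PubliclyAccessible": False,
        "StorageEncrypted": True,
        "DeletionProtection": True,
        "BackupRetentionPeriod": 14,
        "Endpoint": {"Address": "orders-pg.example.us-east-1.rds.amazonaws.com", "Port": 15432},
        "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"],
    },
]


def audit_instance(db: Dict, min_retention_days: int = 7) -> List[str]:
    """Return finding codes for one DB instance; an empty list means it passes."""
    findings = []
    engine = db.get("Engine", "")
    if not db.get("DeletionProtection", False):
        findings.append("deletion-protection-disabled")
    retention = db.get("BackupRetentionPeriod", 0)
    if retention == 0:                      # 0 days means automated backups are off
        findings.append("automated-backups-disabled")
    elif retention < min_retention_days:
        findings.append(f"backup-retention-below-{min_retention_days}-days")
    port = db.get("Endpoint", {}).get("Port")
    if port is not None and port == DEFAULT_PORTS.get(engine):
        findings.append("default-port")
    if not db.get("StorageEncrypted", False):
        findings.append("storage-not-encrypted")
    if db.get("MasterUsername", "").lower() in WEAK_MASTER_USERNAMES:
        findings.append("predictable-master-username")
    if db.get("PubliclyAccessible", False):
        findings.append("publicly-accessible")
    missing = REQUIRED_LOG_EXPORTS.get(engine, set()) - set(db.get("EnabledCloudwatchLogsExports", []))
    if missing:
        findings.append("log-exports-missing:" + ",".join(sorted(missing)))
    return findings


def audit_instances(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map each instance identifier to its findings."""
    return {db["DBInstanceIdentifier"]: audit_instance(db) for db in instances}


if __name__ == "__main__":
    for name, findings in audit_instances(SAMPLE_INSTANCES).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Feed it the `DBInstances` array from `aws rds describe-db-instances --output json`; the finding codes are stable strings so they can be counted or routed to tickets without parsing prose.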

Unrestricted In/Outbound Access

If the security group attached to your RDS instance allows access from everyone by using 0.0.0.0/0 (or ::/0) as the source, it invites malicious users to target your database and weakens your security posture. Database security groups should admit only the application tier's security group or specific internal CIDR ranges.

Addresses: Security
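The security group check needs a second data source, `aws ec2 describe-security-groups`, joined to each instance's `VpcSecurityGroups` list. The following Python does that join and reports every rule, inbound or outbound, whose source or destination is 0.0.0.0/0 or ::/0. It is an added example for this page (not Cloudanix code); the instances, group IDs and account ID are constructed.

```python
"""Flag RDS security groups with rules open to the whole Internet (0.0.0.0/0 or ::/0)."""
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws rds describe-db-instances` (only the fields used).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-mysql",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]},
    {"DBInstanceIdentifier": "orders-pg",
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-9f8e7d6c", "Status": "active"}]},
]

# Constructed sample shaped like `aws ec2 describe-security-groups`.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d", "GroupName": "rds-legacy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
        # The egress rule AWS attaches to every new group: all traffic to anywhere.
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-9f8e7d6c", "GroupName": "rds-orders",
        # Ingress only from the application tier's security group, no CIDR at all.
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-app-tier", "UserId": "123456789012"}]},
        ],
        "IpPermissionsEgress": [],
    },
]


def open_cidrs(permission: Dict) -> List[str]:
    """CIDR ranges in a rule that mean 'anyone', IPv4 and IPv6 alike."""
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def describe_rule(permission: Dict) -> str:
    """Protocol/port range of a rule; protocol -1 is the EC2 wildcard for all traffic."""
    if permission.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{permission['IpProtocol']}/{permission.get('FromPort')}-{permission.get('ToPort')}"


def audit_security_group(sg: Dict) -> List[str]:
    """One finding per rule that is open to the world, in either direction."""
    findings = []
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            for cidr in open_cidrs(perm):
                findings.append(f"{direction} {describe_rule(perm)} {cidr}")
    return findings


def audit_rds_security_groups(instances: List[Dict], groups: List[Dict]) -> Dict[str, Dict[str, List[str]]]:
    """Join each instance to its attached groups and report only those with open rules."""
    by_id = {sg["GroupId"]: sg for sg in groups}
    report: Dict[str, Dict[str, List[str]]] = {}
    for db in instances:
        for ref in db.get("VpcSecurityGroups", []):
            sg = by_id.get(ref.get("VpcSecurityGroupId"))
            if sg is None:
                continue
            findings = audit_security_group(sg)
            if findings:
                report.setdefault(db["DBInstanceIdentifier"], {})[sg["GroupId"]] = findings
    return report


if __name__ == "__main__":
    for name, groups in audit_rds_security_groups(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS).items():
        for group_id, findings in groups.items():
            print(f"{name} ({group_id}): " + "; ".join(findings))
```

The open egress rule is the default AWS gives every new security group and a database rarely needs it, so that finding is lower severity than an open ingress rule, but reporting both matches the "In/Outbound" scope of this check. A rule that references another security group (the second sample) has no CIDR and correctly produces no finding.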

Additional Reading:

Public/Private well defined in Aurora Clusters

Ensure that all the database instances within your Amazon Aurora clusters have the same accessibility (either public or private) in order to follow AWS best practices.

Addresses: Reliability

Backtrack must be enabled

Ensure that the Backtrack feature is enabled for your Amazon Aurora MySQL-compatible database clusters so that you can rewind a cluster to a specific point in time without restoring from a backup.

Addresses: Reliability
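The cluster-level checks (Cluster Deletion Protection, Serverless Log Exports, consistent public/private members and Backtrack) read `aws rds describe-db-clusters`, plus the `PubliclyAccessible` flag of each member from `describe-db-instances`. The Python below combines them; it is an added example for this page, not Cloudanix code. The three sample clusters are constructed, and the decision to skip the Backtrack check for clusters whose `EngineMode` is `serverless` is this example's assumption.

```python
"""Evaluate Aurora cluster-level settings: deletion protection, log exports,
Backtrack, and consistent public/private accessibility across members."""
from typing import Dict, List

# Log types to export per Aurora engine; the MySQL set is the one the page names.
REQUIRED_CLUSTER_LOGS = {
    "aurora-mysql": {"error", "general", "slowquery", "audit"},
    "aurora-postgresql": {"postgresql"},
}

# Constructed sample shaped like the DBClusters list from `aws rds describe-db-clusters`.
SAMPLE_CLUSTERS = [
    {
        "DBClusterIdentifier": "aurora-legacy",
        "Engine": "aurora-mysql",
        "EngineMode": "provisioned",
        "DeletionProtection": False,
        "BacktrackWindow": 0,                      # seconds; 0 means Backtrack is off
        "EnabledCloudwatchLogsExports": ["error"],
        "DBClusterMembers": [
            {"DBInstanceIdentifier": "aurora-legacy-writer", "IsClusterWriter": True},
            {"DBInstanceIdentifier": "aurora-legacy-reader", "IsClusterWriter": False},
        ],
    },
    {
        "DBClusterIdentifier": "aurora-orders",
        "Engine": "aurora-postgresql",
        "EngineMode": "provisioned",
        "DeletionProtection": True,
        "EnabledCloudwatchLogsExports": ["postgresql"],
        "DBClusterMembers": [{"DBInstanceIdentifier": "aurora-orders-1", "IsClusterWriter": True}],
    },
    {   # Serverless: no member instances, so log exports live only on the cluster
        "DBClusterIdentifier": "aurora-reports-serverless",
        "Engine": "aurora-mysql",
        "EngineMode": "serverless",
        "DeletionProtection": True,
        "EnabledCloudwatchLogsExports": ["error", "general", "slowquery", "audit"],
        "DBClusterMembers": [],
    },
]

# Constructed: PubliclyAccessible per member instance, as read from `describe-db-instances`.
SAMPLE_MEMBER_PUBLIC = {
    "aurora-legacy-writer": False,
    "aurora-legacy-reader": True,     # one public reader in an otherwise private cluster
    "aurora-orders-1": False,
}


def audit_cluster(cluster: Dict, member_public: Dict[str, bool]) -> List[str]:
    """Finding codes for one cluster; an empty list means it passes."""
    findings = []
    engine = cluster.get("Engine", "")
    if not cluster.get("DeletionProtection", False):
        findings.append("deletion-protection-disabled")
    # Backtrack exists only for MySQL-compatible Aurora; this example assumes it is
    # not applicable to serverless clusters and skips the check for them.
    if engine in ("aurora", "aurora-mysql") and cluster.get("EngineMode") != "serverless":
        if cluster.get("BacktrackWindow", 0) == 0:
            findings.append("backtrack-disabled")
    missing = REQUIRED_CLUSTER_LOGS.get(engine, set()) - set(cluster.get("EnabledCloudwatchLogsExports", []))
    if missing:
        findings.append("log-exports-missing:" + ",".join(sorted(missing)))
    members = cluster.get("DBClusterMembers", [])
    flags = {member_public[m["DBInstanceIdentifier"]] for m in members
             if m["DBInstanceIdentifier"] in member_public}
    if len(flags) > 1:                           # both True and False seen among members
        findings.append("mixed-public-private-members")
    return findings


def audit_clusters(clusters: List[Dict], member_public: Dict[str, bool]) -> Dict[str, List[str]]:
    """Map each cluster identifier to its findings."""
    return {c["DBClusterIdentifier"]: audit_cluster(c, member_public) for c in clusters}


if __name__ == "__main__":
    for name, findings in audit_clusters(SAMPLE_CLUSTERS, SAMPLE_MEMBER_PUBLIC).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

A mixed cluster is worth a closer look than the reliability tag suggests: a single public reader gives an attacker a reachable copy of the same data as the private writer.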

All DB instances must use latest generation of instance classes

Ensure that all RDS database instances provisioned within your AWS account are using the latest generation of instance classes in order to get the best performance at lower cost.

Addresses: Performance Efficiency, Cost Optimisation

Transport Encryption feature must be enabled

Ensure that Microsoft SQL Server and PostgreSQL instances provisioned with Amazon RDS have Transport Encryption enabled (the rds.force_ssl parameter set to 1 in the instance's parameter group) so that clients cannot connect without TLS, in order to meet security and compliance requirements.

Addresses: Security

Snapshot Encryption feature must be enabled

Ensure that your Amazon Relational Database Service (RDS) snapshots are encrypted in order to achieve compliance for data-at-rest encryption within your organization. A snapshot inherits the encryption state of its source instance; an unencrypted snapshot can be turned into an encrypted one by copying it with a KMS key.

Addresses: Security

Ensure IAM DB authentication is enabled

Ensure that IAM Database Authentication is enabled so that access to your Amazon RDS MySQL and PostgreSQL instances can be managed with AWS Identity and Access Management (IAM), using short-lived authentication tokens instead of long-lived database passwords.

Addresses: Security

Identify Idle RDS instances

Identify any Amazon RDS database instances that appear to be idle and delete them to help lower the cost of your monthly AWS bill.

Addresses: Cost Optimisation

Event Notification Subscriptions must be enabled

Ensure that Amazon RDS event notification subscriptions are enabled for database instance level events.

Addresses: Reliability, Performance Efficiency, Operational Excellence

Identify overutilized RDS Instances

Identify any Amazon RDS database instances that appear to be overutilized and upgrade (upsize) them to better handle the database workload and improve response time.

Addresses: Performance Efficiency

Performance Insights feature must be enabled

Ensure that your AWS RDS MySQL and PostgreSQL database instances have the Performance Insights feature enabled in order to obtain a better overview of your databases' performance.

Addresses: Reliability, Performance Efficiency, Operational Excellence

Enable Auto Minor Version Upgrade flag

Ensure that your RDS database instances have the Auto Minor Version Upgrade flag enabled so that minor engine version upgrades, which include security fixes, are applied automatically during the specified maintenance window.

Addresses: Security

Use Copy Tags to Snapshots feature

Ensure that RDS instances make use of the Copy Tags to Snapshots feature so that tags set on database instances are automatically copied to any automated or manual RDS snapshots created from these instances.

Addresses: Cost Optimisation

Use customer-managed keys instead of AWS-managed keys

Ensure that your RDS database instances use AWS KMS customer managed keys rather than AWS managed keys for storage encryption, so that you control the key policy, rotation schedule and the ability to revoke access to the encrypted data.

Addresses: Security

Event Notifications must be enabled

Ensure that your AWS RDS resources have event notifications enabled in order to be notified when an event occurs for a given database instance, database snapshot, database security group or database parameter group.

Addresses: Reliability, Performance Efficiency, Operational Excellence

Use General Purpose SSDs instead of IOPS SSDs

Ensure that your RDS instances use General Purpose SSD storage instead of Provisioned IOPS SSD where the workload does not need guaranteed IOPS; General Purpose SSD is the cost-effective choice for a broad range of database workloads.

Addresses: Cost Optimisation

RDS DB Instances must not be provisioned in VPC Public Subnets

Ensure that no AWS RDS database instances are provisioned inside VPC public subnets (subnets whose route table sends 0.0.0.0/0 to an internet gateway) in order to protect them from direct exposure to the Internet.

Addresses: Security
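Whether a subnet is "public" is not a property of the subnet object; it follows from the route table that applies to it, which is either the table explicitly associated with the subnet or, failing that, the VPC's main table. The Python below resolves each subnet in an instance's `DBSubnetGroup` that way using `aws ec2 describe-route-tables` output and reports the subnets with a default route to an internet gateway. It is an added example for this page (not Cloudanix code); the VPC, subnet, gateway and instance identifiers are constructed.

```python
"""Determine whether an RDS instance's subnet group contains public subnets, i.e.
subnets whose effective route table sends 0.0.0.0/0 or ::/0 to an internet gateway."""
from typing import Dict, List, Optional

# Constructed sample shaped like `aws rds describe-db-instances` (DBSubnetGroup only).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-mysql",
     "DBSubnetGroup": {"DBSubnetGroupName": "legacy", "VpcId": "vpc-0a1b",
                       "Subnets": [{"SubnetIdentifier": "subnet-pub-a"},
                                   {"SubnetIdentifier": "subnet-priv-a"}]}},
    {"DBInstanceIdentifier": "orders-pg",
     "DBSubnetGroup": {"DBSubnetGroupName": "orders", "VpcId": "vpc-0a1b",
                       "Subnets": [{"SubnetIdentifier": "subnet-priv-a"},
                                   {"SubnetIdentifier": "subnet-priv-b"}]}},  # no explicit association
]

# Constructed sample shaped like `aws ec2 describe-route-tables`.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a1b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0a1b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c9d"}],
     "Associations": [{"Main": False, "RouteTableId": "rtb-public", "SubnetId": "subnet-pub-a"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0a1b",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0e1f"}],  # NAT: outbound only
     "Associations": [{"Main": False, "RouteTableId": "rtb-private", "SubnetId": "subnet-priv-a"}]},
]


def route_table_for_subnet(subnet_id: str, vpc_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """Explicitly associated table if any, otherwise the VPC's main table (AWS's fallback rule)."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_internet_gateway_route(route_table: Optional[Dict]) -> bool:
    """True when a default route (IPv4 or IPv6) points at an internet gateway (igw-*)."""
    if route_table is None:
        return False
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def public_subnets_for_instance(db: Dict, route_tables: List[Dict]) -> List[str]:
    """Subnets in the instance's subnet group that are public by the route-table rule."""
    group = db.get("DBSubnetGroup", {})
    vpc_id = group.get("VpcId", "")
    return [
        s["SubnetIdentifier"] for s in group.get("Subnets", [])
        if has_internet_gateway_route(route_table_for_subnet(s["SubnetIdentifier"], vpc_id, route_tables))
    ]


def audit_subnet_placement(instances: List[Dict], route_tables: List[Dict]) -> Dict[str, List[str]]:
    """Map each instance to the public subnets in its subnet group (empty list = all private)."""
    return {db["DBInstanceIdentifier"]: public_subnets_for_instance(db, route_tables) for db in instances}


if __name__ == "__main__":
    for name, subnets in audit_subnet_placement(SAMPLE_INSTANCES, SAMPLE_ROUTE_TABLES).items():
        print(f"{name}: " + (f"public subnets {', '.join(subnets)}" if subnets else "all subnets private"))
```

A route through a NAT gateway (the `rtb-private` sample) allows outbound traffic only and does not make a subnet public. An instance in a public subnet with Publicly Accessible turned off has no public IP yet, but one later toggle would expose it without any network change, which is why the subnet group itself is worth checking. For Aurora, `describe-db-clusters` returns only the subnet group name; fetch its subnets with `describe-db-subnet-groups`.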

Use Multi-AZ Deployment for RDS

Ensure that your RDS clusters are using Multi-AZ deployment configurations for high availability and automatic failover support fully managed by AWS.

Addresses: Reliability
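Several of the hardening checks above need data from beyond `describe-db-instances`: Transport Encryption lives in the attached parameter group (`aws rds describe-db-parameters`), and telling an AWS managed key from a customer managed one requires `aws kms describe-key`, whose `KeyMetadata.KeyManager` is `AWS` or `CUSTOMER`. The Python below joins those sources and also covers the IAM DB authentication, Performance Insights, Auto Minor Version Upgrade, Copy Tags to Snapshots and Multi-AZ flags. It is an added example for this page, not Cloudanix code; the samples are constructed, and the `require_secure_transport` parameter for MySQL/MariaDB and MariaDB in the IAM-auth list extend the page's own engine lists.

```python
"""Cross-check RDS hardening settings that need a second API call (TLS enforcement via
parameter group, KMS key ownership) together with the remaining instance flags."""
from typing import Dict, List

# Parameter that forces TLS per engine. rds.force_ssl for PostgreSQL and SQL Server is
# what the page names; require_secure_transport for MySQL/MariaDB is an addition here.
FORCE_TLS_PARAMETER = {
    "postgres": "rds.force_ssl",
    "sqlserver-ee": "rds.force_ssl", "sqlserver-se": "rds.force_ssl",
    "sqlserver-ex": "rds.force_ssl", "sqlserver-web": "rds.force_ssl",
    "mysql": "require_secure_transport", "mariadb": "require_secure_transport",
}
# Engines where IAM DB authentication is offered; MariaDB is an addition to the page's list.
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgresql"}

# Constructed sample shaped like `aws rds describe-db-instances` (only the fields used here).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111",
     "IAMDatabaseAuthenticationEnabled": False, "AutoMinorVersionUpgrade": False,
     "CopyTagsToSnapshot": False, "MultiAZ": False, "PerformanceInsightsEnabled": False,
     "DBParameterGroups": [{"DBParameterGroupName": "legacy-mysql-params", "ParameterApplyStatus": "in-sync"}]},
    {"DBInstanceIdentifier": "orders-pg", "Engine": "postgres",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222",
     "IAMDatabaseAuthenticationEnabled": True, "AutoMinorVersionUpgrade": True,
     "CopyTagsToSnapshot": True, "MultiAZ": True, "PerformanceInsightsEnabled": True,
     "DBParameterGroups": [{"DBParameterGroupName": "orders-pg-params", "ParameterApplyStatus": "in-sync"}]},
]

# Constructed: KeyMetadata from `aws kms describe-key`, keyed by key ARN. KeyManager is
# "AWS" for the aws/rds managed key and "CUSTOMER" for a customer managed key.
SAMPLE_KEYS = {
    SAMPLE_INSTANCES[0]["KmsKeyId"]: {"KeyManager": "AWS"},
    SAMPLE_INSTANCES[1]["KmsKeyId"]: {"KeyManager": "CUSTOMER"},
}

# Constructed: Parameters lists from `aws rds describe-db-parameters`, keyed by group name.
SAMPLE_PARAMETERS = {
    "legacy-mysql-params": [{"ParameterName": "require_secure_transport", "ParameterValue": "0"}],
    "orders-pg-params": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
}


def tls_enforced(db: Dict, parameters_by_group: Dict[str, List[Dict]]) -> bool:
    """True when the engine's force-TLS parameter is set to 1 in an attached parameter group.
    A parameter entry without ParameterValue is treated as not enforced."""
    name = FORCE_TLS_PARAMETER.get(db.get("Engine", ""))
    for group in db.get("DBParameterGroups", []):
        for param in parameters_by_group.get(group.get("DBParameterGroupName", ""), []):
            if param.get("ParameterName") == name and str(param.get("ParameterValue", "0")).lower() in ("1", "on"):
                return True
    return False


def audit_hardening(db: Dict, keys: Dict[str, Dict], parameters_by_group: Dict[str, List[Dict]]) -> List[str]:
    """Finding codes for one instance; an empty list means it passes."""
    findings = []
    engine = db.get("Engine", "")
    if engine in FORCE_TLS_PARAMETER and not tls_enforced(db, parameters_by_group):
        findings.append(f"tls-not-enforced:{FORCE_TLS_PARAMETER[engine]}")
    if engine in IAM_AUTH_ENGINES and not db.get("IAMDatabaseAuthenticationEnabled", False):
        findings.append("iam-db-auth-disabled")
    if db.get("StorageEncrypted") and keys.get(db.get("KmsKeyId", ""), {}).get("KeyManager") != "CUSTOMER":
        findings.append("encryption-key-not-customer-managed")
    if not db.get("AutoMinorVersionUpgrade", False):
        findings.append("auto-minor-version-upgrade-disabled")
    if not db.get("CopyTagsToSnapshot", False):
        findings.append("copy-tags-to-snapshot-disabled")
    if not db.get("MultiAZ", False):
        findings.append("single-az")
    if not db.get("PerformanceInsightsEnabled", False):
        findings.append("performance-insights-disabled")
    return findings


def audit_all(instances: List[Dict], keys: Dict[str, Dict],
              parameters_by_group: Dict[str, List[Dict]]) -> Dict[str, List[str]]:
    """Map each instance identifier to its hardening findings."""
    return {db["DBInstanceIdentifier"]: audit_hardening(db, keys, parameters_by_group) for db in instances}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSTANCES, SAMPLE_KEYS, SAMPLE_PARAMETERS).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

The TLS check deliberately looks at the parameter group rather than at whether clients happen to use TLS today: without the force parameter, a single misconfigured client downgrades the connection silently. For Aurora, the equivalent parameters are set in the cluster parameter group and Multi-AZ is a cluster property, so the inputs come from `describe-db-clusters` instead.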

Renew RDS Reserved Instances before expiration (30 days)

Ensure that your AWS RDS Reserved Instances (RIs) are renewed before expiration in order to keep the discount on the hourly charge for these instances.

Addresses: Cost Optimisation

Renew RDS Reserved Instances before expiration (7 days)

Ensure that your AWS RDS Reserved Instances (RIs) are renewed before expiration in order to keep the discount on the hourly charge for these instances.

Addresses: Cost Optimisation

Identify failed RDS RI Instances

Identify any failed RDS Reserved Instances (RIs) available within your AWS account. A failed RDS RI is an unsuccessful reservation that received the "payment-failed" status during the purchase process.

Addresses: Cost Optimisation

Identify Pending RDS RI Purchases

Identify any pending RDS Reserved Instance (RI) purchases available within your AWS account. A payment-pending RDS RI purchase is a reservation purchase that cannot be fully processed due to issues with the payment method.

Addresses: Cost Optimisation

Review purchases every 7 days

Ensure that all Amazon RDS Reserved Instance (RI) purchases are reviewed every 7 days in order to confirm that no unwanted reservation purchase has been placed recently.

Addresses: Cost Optimisation

Enable Security Groups Events Subscriptions

Ensure that Amazon RDS event notification subscriptions are enabled for database security groups events. AWS RDS groups these events into categories that you can subscribe to.

Addresses: Reliability, Performance Efficiency, Operational Excellence

Identify RDS Instances which are underutilized

Identify any Amazon RDS database instances that appear to be underutilized and downsize (resize) them to help lower the cost of your monthly AWS bill.

Addresses: Cost Optimisation

Ensure RDS RIs have corresponding DB Instances

Ensure that all your AWS RDS Reserved Instances (RIs) have corresponding database instances running within the same account or within member accounts of the same AWS Organization.

Addresses: Cost Optimisation

Integrate AWS Backup with Amazon RDS

Ensure that AWS Backup is integrated with Amazon Relational Database Service (RDS) in order to manage RDS database instance snapshots centrally and improve the reliability of your backup strategy.

Addresses: Reliability