AWS RDS Cluster

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes
AWS Security Best Practices
There are number of security considerations when using AWS RDS Instances or Clusters. One key consideration is to use AWS Identity and Access Management (IAM) accounts to control access to Amazon RDS API operations, especially operations that create, modify, or delete Amazon RDSresources. Such resources include DB instances, security groups, and parameter groups. Ensure that IAM is also used to control actions that perform common administrative actions such as backing up and restoring DB instances.
Create an individual IAM user for each person who manages Amazon RDS resources, including yourself. Don't use AWS root credentials to manage Amazon RDS resources.
Grant each user the minimum set of permissions required to perform his or her duties.
Use IAM groups to effectively manage permissions for multiple users.
Rotate your IAM credentials regularly.
Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS. You can also retrieve the credential from AWS Secrets Manager programmatically. For more information, see Retrieving the secret value in the AWS Secrets Manager User Guide.
For more guidance on securing AWS RDS, look at oak9's security bluerprint for RDS.
Utilize Role-based Access Control
Design Guidance:
Identity and access management for Amazon RDS - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Associated Roles-Feature Name
​Cloud Formation​
​Terraform​
Associated Roles-Role Arn
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Role Arn
​Cloud Formation​
​Terraform​
​
Design for High Availability
Design Guidance:
Regions, Availability Zones, and Local Zones - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Availability Zones
​Cloud Formation​
​Terraform​
Deletion Protection
​Cloud Formation​
​Terraform​
Scaling Configuration-Auto Pause
​Cloud Formation​
​Terraform​
Scaling Configuration-Max Capacity
​Cloud Formation​
​Terraform​
Scaling Configuration-Min Capacity
​Cloud Formation​
​Terraform​
Scaling Configuration-Seconds Until Auto Pause
​Cloud Formation​
​Terraform​
​
Data Retention
AWS::RDS::DBCluster
Backup Retention Period
​Cloud Formation​
​Terraform​
​
Asset Inventory
Design Guidance:
Tagging Amazon RDS resources - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Dbcluster Identifier
​Cloud Formation​
​Terraform​
Database Name
​Cloud Formation​
​Terraform​
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBClusterParameterGroup
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroup
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBSubnetGroup
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::OptionGroup
Engine Name
​Cloud Formation​
​Terraform​
Tags
​Cloud Formation​
​Terraform​
​
Hardening
Design Guidance:
Working with parameter groups - Amazon Relational Database Service
Amazon Relational Database Service
Working with option groups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Dbcluster Parameter Group Name
​Cloud Formation​
​Terraform​
Engine Mode
​Cloud Formation​
​Terraform​
Engine Version
​Cloud Formation​
​Terraform​
AWS::RDS::DBClusterParameterGroup
Family
​Cloud Formation​
​Terraform​
Parameters
​Cloud Formation​
​Terraform​
AWS::RDS::OptionGroup
Major Engine Version
​Cloud Formation​
​Terraform​
Option Configurations-Option Name
​Cloud Formation​
​Terraform​
Option Settings-Name
​Cloud Formation​
​Terraform​
Option Settings-Value
​Cloud Formation​
​Terraform​
Option Configurations-Option Version
​Cloud Formation​
​Terraform​
​
Subnet Isolation
Design Guidance:
Amazon Virtual Private Cloud VPCs and Amazon RDS - Amazon Relational Database Service
Amazon Relational Database Service
Using Amazon RDS Proxy - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Dbsubnet Group Name
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
VPC Subnet Ids
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroup
EC2VPC Id
​Cloud Formation​
​Terraform​
AWS::RDS::DBSubnetGroup
Dbsubnet Group Description
​Cloud Formation​
​Terraform​
Dbsubnet Group Name
​Cloud Formation​
​Terraform​
Subnet Ids
​Cloud Formation​
​Terraform​
​
Logging
Design Guidance:
Publishing database logs to Amazon CloudWatch Logs - Amazon Relational Database Service
Amazon Relational Database Service
Monitoring DB load with Performance Insights on Amazon RDS - Amazon Relational Database Service
Amazon Relational Database Service
Setting up and enabling Enhanced Monitoring - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Enable Cloudwatch Logs Exports
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Debug Logging
​Cloud Formation​
​Terraform​
AWS::RDS::EventSubscription
Enabled
​Cloud Formation​
Sns Topic Arn
​Cloud Formation​
Source Ids
​Cloud Formation​
​
Identification and Authentication
Design Guidance:
Creating an Amazon Aurora DB cluster - Amazon Aurora
AWS::RDS::DBCluster
Enable Iamdatabase Authentication
​Cloud Formation​
​Terraform​
Master User Password
​Cloud Formation​
​Terraform​
Master Username
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Auth-Auth Scheme
​Cloud Formation​
​Terraform​
Auth-Iamauth
​Cloud Formation​
​Terraform​
Auth-Description
​Cloud Formation​
​Terraform​
Auth-Secret Arn
​Cloud Formation​
​Terraform​
Auth-User Name
​Cloud Formation​
​Terraform​
​
Protect Cryptographic Keys
Design Guidance:
AWS KMS key management - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Kms Key Id
​Cloud Formation​
​Terraform​
​
Deny-all Communications and Only Allow-by-Exception
Design Guidance:
Working with option groups - Amazon Relational Database Service
AWS::RDS::DBCluster
Port
​Cloud Formation​
​Terraform​
AWS::RDS::OptionGroup
Option Configurations-Port
​Cloud Formation​
​Terraform​
​
Backups
Design Guidance:
Working with backups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
Preferred Backup Window
​Cloud Formation​
​Terraform​
Restore Type
​Cloud Formation​
​Terraform​
Snapshot Identifier
​Cloud Formation​
​Terraform​
Source Dbcluster Identifier
​Cloud Formation​
​Terraform​
Source Region
​Cloud Formation​
​Terraform​
Use Latest Restorable Time
​Cloud Formation​
​Terraform​
​
Configuration Change Control
AWS::RDS::DBCluster
Preferred Maintenance Window
​Cloud Formation​
​Terraform​
​
Transparent Data Encryption
Design Guidance:
Encrypting Amazon RDS resources - Amazon Relational Database Service
AWS::RDS::DBCluster
Storage Encrypted
​Cloud Formation​
​Terraform​
​
Firewalls
Design Guidance:
Controlling access with security groups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBCluster
VPC Security Group Ids
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
VPC Security Group Ids
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroup
Dbsecurity Group Ingress-Cidrip
​Cloud Formation​
​Terraform​
Dbsecurity Group Ingress-EC2security Group Id
​Cloud Formation​
​Terraform​
Dbsecurity Group Ingress-EC2security Group Name
​Cloud Formation​
​Terraform​
Dbsecurity Group Ingress-EC2security Group Owner Id
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroupIngress
Cidrip
​Cloud Formation​
Dbsecurity Group Name
​Cloud Formation​
EC2security Group Id
​Cloud Formation​
EC2security Group Name
​Cloud Formation​
EC2security Group Owner Id
​Cloud Formation​
AWS::RDS::OptionGroup
Option Configurations-VPC Security Group Memberships
​Cloud Formation​
​Terraform​
​
Session Limits
Design Guidance:
Using Amazon RDS Proxy - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBProxy
Idle Client Timeout
​Cloud Formation​
​Terraform​
​
TLS
Design Guidance:
Using SSL/TLS to encrypt a connection to a DB instance - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBProxy
Require TLS
​Cloud Formation​
​Terraform​
​
Connection Limiting
Design Guidance:
Managing an RDS Proxy - Amazon Relational Database Service
AWS::RDS::DBProxyTargetGroup
Connection Pool Configuration Info-Max Connections Percent
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Max Idle Connections Percent
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Connection Borrow Timeout
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Session Pinning Filters
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Init Query
​Cloud Formation​
​Terraform​
​
Managed Inspection Points
Design Guidance:
Using Amazon RDS Proxy - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBProxy
Dbproxy Name
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxyTargetGroup
Dbproxy Name
​Cloud Formation​
​Terraform​
Target Group Name
​Cloud Formation​
​Terraform​
Dbinstance Identifiers
​Cloud Formation​
​Terraform​
Dbcluster Identifiers
​Cloud Formation​
​Terraform​
​
Use Trusted Attributes for Security Decisions
Design Guidance:
Controlling access with security groups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::OptionGroup
Option Configurations-Dbsecurity Group Memberships
​Cloud Formation​
​Terraform​
​

AWS QLDB

AWS RDS Instance

Last modified 6mo ago

Associated Roles-Feature Name	Cloud Formation	Terraform
Associated Roles-Role Arn	Cloud Formation	Terraform

Availability Zones	Cloud Formation	Terraform
Deletion Protection	Cloud Formation	Terraform
Scaling Configuration-Auto Pause	Cloud Formation	Terraform
Scaling Configuration-Max Capacity	Cloud Formation	Terraform
Scaling Configuration-Min Capacity	Cloud Formation	Terraform
Scaling Configuration-Seconds Until Auto Pause	Cloud Formation	Terraform

Dbcluster Identifier	Cloud Formation	Terraform
Database Name	Cloud Formation	Terraform
Tags	Cloud Formation	Terraform

Engine Name	Cloud Formation	Terraform
Tags	Cloud Formation	Terraform

Dbcluster Parameter Group Name	Cloud Formation	Terraform
Engine Mode	Cloud Formation	Terraform
Engine Version	Cloud Formation	Terraform

Family	Cloud Formation	Terraform
Parameters	Cloud Formation	Terraform

Major Engine Version	Cloud Formation	Terraform
Option Configurations-Option Name	Cloud Formation	Terraform
Option Settings-Name	Cloud Formation	Terraform
Option Settings-Value	Cloud Formation	Terraform
Option Configurations-Option Version	Cloud Formation	Terraform

Dbsubnet Group Description	Cloud Formation	Terraform
Dbsubnet Group Name	Cloud Formation	Terraform
Subnet Ids	Cloud Formation	Terraform

Enabled	Cloud Formation
Sns Topic Arn	Cloud Formation
Source Ids	Cloud Formation

Enable Iamdatabase Authentication	Cloud Formation	Terraform
Master User Password	Cloud Formation	Terraform
Master Username	Cloud Formation	Terraform

Auth-Auth Scheme	Cloud Formation	Terraform
Auth-Iamauth	Cloud Formation	Terraform
Auth-Description	Cloud Formation	Terraform
Auth-Secret Arn	Cloud Formation	Terraform
Auth-User Name	Cloud Formation	Terraform

Preferred Backup Window	Cloud Formation	Terraform
Restore Type	Cloud Formation	Terraform
Snapshot Identifier	Cloud Formation	Terraform
Source Dbcluster Identifier	Cloud Formation	Terraform
Source Region	Cloud Formation	Terraform
Use Latest Restorable Time	Cloud Formation	Terraform

Dbsecurity Group Ingress-Cidrip	Cloud Formation	Terraform
Dbsecurity Group Ingress-EC2security Group Id	Cloud Formation	Terraform
Dbsecurity Group Ingress-EC2security Group Name	Cloud Formation	Terraform
Dbsecurity Group Ingress-EC2security Group Owner Id	Cloud Formation	Terraform

Cidrip	Cloud Formation
Dbsecurity Group Name	Cloud Formation
EC2security Group Id	Cloud Formation
EC2security Group Name	Cloud Formation
EC2security Group Owner Id	Cloud Formation

Connection Pool Configuration Info-Max Connections Percent	Cloud Formation	Terraform
Connection Pool Configuration Info-Max Idle Connections Percent	Cloud Formation	Terraform
Connection Pool Configuration Info-Connection Borrow Timeout	Cloud Formation	Terraform
Connection Pool Configuration Info-Session Pinning Filters	Cloud Formation	Terraform
Connection Pool Configuration Info-Init Query	Cloud Formation	Terraform

Dbproxy Name	Cloud Formation	Terraform
Target Group Name	Cloud Formation	Terraform
Dbinstance Identifiers	Cloud Formation	Terraform
Dbcluster Identifiers	Cloud Formation	Terraform