AWS RDS Cluster

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Security Best Practices
There are a number of security considerations when using AWS RDS Instances or Clusters. One key consideration is to use AWS Identity and Access Management (IAM) accounts to control access to Amazon RDS API operations, especially operations that create, modify, or delete Amazon RDS resources. Such resources include DB instances, security groups, and parameter groups. Ensure that IAM is also used to control actions that perform common administrative actions such as backing up and restoring DB instances.
  • Create an individual IAM user for each person who manages Amazon RDS resources, including yourself. Don't use AWS root credentials to manage Amazon RDS resources.
  • Grant each user the minimum set of permissions required to perform his or her duties.
  • Use IAM groups to effectively manage permissions for multiple users.
  • Rotate your IAM credentials regularly.
  • Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS. You can also retrieve the credential from AWS Secrets Manager programmatically. For more information, see Retrieving the secret value in the AWS Secrets Manager User Guide.
For more guidance on securing AWS RDS, look at oak9's security blueprint for RDS.
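The IAM and Secrets Manager guidance above, together with the blueprint properties listed in the sections that follow, expressed as one Terraform configuration (an added example, not the oak9 blueprint's own code). It assumes the KMS key, subnet group, security groups, proxy IAM role and application-user secret are defined elsewhere, and that the AWS provider is at least 4.57 (needed for manage_master_user_password); identifiers, windows and the engine version are sample values.

```hcl
# Added example (not from the oak9 blueprint): Aurora PostgreSQL cluster behind
# RDS Proxy with the blueprint's properties set to hardened values. Assumed to
# exist elsewhere: aws_kms_key.rds, aws_db_subnet_group.private, aws_security_group.db,
# aws_security_group.proxy, aws_iam_role.proxy, aws_secretsmanager_secret.app_db_user.

resource "aws_rds_cluster" "app" {
  cluster_identifier = "app-aurora-prod"   # Asset Inventory: stable identifier
  engine             = "aurora-postgresql"
  engine_version     = "15.4"              # Hardening: pin a supported version (sample)
  database_name      = "app"
  port               = 5432                # Deny-all: only this port is opened by the SG
  # Identification and Authentication: no master password in code or state;
  # RDS stores and rotates it in Secrets Manager, and DB users must use IAM auth.
  master_username                     = "dbadmin"
  manage_master_user_password         = true
  iam_database_authentication_enabled = true
  # Transparent Data Encryption / Protect Cryptographic Keys: customer-managed CMK
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn
  # Subnet Isolation / Firewalls: private subnets, security group controls ingress
  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.db.id]
  # High Availability, Backups, Data Retention, Configuration Change Control
  deletion_protection          = true
  backup_retention_period      = 35
  preferred_backup_window      = "03:00-04:00"
  preferred_maintenance_window = "sun:05:00-sun:06:00"
  # Logging: ship engine logs to CloudWatch for detection and forensics
  enabled_cloudwatch_logs_exports = ["postgresql"]
  tags = { Environment = "prod", DataClass = "confidential" }
}

resource "aws_db_proxy" "app" {
  name                   = "app-aurora-proxy"              # Managed Inspection Points
  engine_family          = "POSTGRESQL"
  role_arn               = aws_iam_role.proxy.arn          # Role-based Access Control
  vpc_subnet_ids         = aws_db_subnet_group.private.subnet_ids
  vpc_security_group_ids = [aws_security_group.proxy.id]
  require_tls            = true                            # TLS: reject plaintext clients
  idle_client_timeout    = 1800                            # Session Limits: 30 min idle
  debug_logging          = false                           # Logging: keep SQL text out of logs

  auth {
    auth_scheme = "SECRETS"
    iam_auth    = "REQUIRED"   # clients present IAM auth tokens, never the DB password
    secret_arn  = aws_secretsmanager_secret.app_db_user.arn
  }
}
```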

Utilize Role-based Access Control

Design Guidance:

AWS::RDS::DBCluster
  • Associated Roles-Feature Name (Terraform)
  • Associated Roles-Role Arn (Terraform)

AWS::RDS::DBProxy
  • Role Arn (Terraform)

Design for High Availability

Design Guidance:

AWS::RDS::DBCluster
  • Availability Zones (Terraform)
  • Deletion Protection (Terraform)
  • Scaling Configuration-Auto Pause (Terraform)
  • Scaling Configuration-Max Capacity (Terraform)
  • Scaling Configuration-Min Capacity (Terraform)
  • Scaling Configuration-Seconds Until Auto Pause (Terraform)

Data Retention

Design Guidance:

AWS::RDS::DBCluster
  • Backup Retention Period (Terraform)

Asset Inventory

Design Guidance:

AWS::RDS::DBCluster
  • Dbcluster Identifier (Terraform)
  • Database Name (Terraform)
  • Tags (Terraform)

AWS::RDS::DBClusterParameterGroup
  • Tags (Terraform)

AWS::RDS::DBProxy
  • Tags (Terraform)

AWS::RDS::DBSecurityGroup
  • Tags (Terraform)

AWS::RDS::DBSubnetGroup
  • Tags (Terraform)

AWS::RDS::OptionGroup
  • Engine Name (Terraform)
  • Tags (Terraform)

Hardening

Design Guidance:

AWS::RDS::DBCluster
  • Dbcluster Parameter Group Name (Terraform)
  • Engine Mode (Terraform)
  • Engine Version (Terraform)

AWS::RDS::DBClusterParameterGroup
  • Family (Terraform)
  • Parameters (Terraform)

AWS::RDS::OptionGroup
  • Major Engine Version (Terraform)
  • Option Configurations-Option Name (Terraform)
  • Option Settings-Name (Terraform)
  • Option Settings-Value (Terraform)
  • Option Configurations-Option Version (Terraform)

Subnet Isolation

Design Guidance:

AWS::RDS::DBCluster
  • Dbsubnet Group Name (Terraform)

AWS::RDS::DBProxy
  • VPC Subnet Ids (Terraform)

AWS::RDS::DBSecurityGroup
  • EC2VPC Id (Terraform)

AWS::RDS::DBSubnetGroup
  • Dbsubnet Group Description (Terraform)
  • Dbsubnet Group Name (Terraform)
  • Subnet Ids (Terraform)

Logging

Design Guidance:

AWS::RDS::DBCluster
  • Enable Cloudwatch Logs Exports (Terraform)

AWS::RDS::DBProxy
  • Debug Logging (Terraform)

AWS::RDS::EventSubscription
  • Enabled
  • Sns Topic Arn
  • Source Ids

Identification and Authentication

Design Guidance:

AWS::RDS::DBCluster
  • Enable Iamdatabase Authentication (Terraform)
  • Master User Password (Terraform)
  • Master Username (Terraform)

AWS::RDS::DBProxy
  • Auth-Auth Scheme (Terraform)
  • Auth-Iamauth (Terraform)
  • Auth-Description (Terraform)
  • Auth-Secret Arn (Terraform)
  • Auth-User Name (Terraform)

Protect Cryptographic Keys

Design Guidance:

AWS::RDS::DBCluster
  • Kms Key Id (Terraform)

Deny-all Communications and Only Allow-by-Exception

Design Guidance:

AWS::RDS::DBCluster
  • Port (Terraform)

AWS::RDS::OptionGroup
  • Option Configurations-Port (Terraform)

Backups

Design Guidance:

AWS::RDS::DBCluster
  • Preferred Backup Window (Terraform)
  • Restore Type (Terraform)
  • Snapshot Identifier (Terraform)
  • Source Dbcluster Identifier (Terraform)
  • Source Region (Terraform)
  • Use Latest Restorable Time (Terraform)

Configuration Change Control

Design Guidance:

AWS::RDS::DBCluster
  • Preferred Maintenance Window (Terraform)

Transparent Data Encryption

Design Guidance:

AWS::RDS::DBCluster
  • Storage Encrypted (Terraform)

Firewalls

Design Guidance:

AWS::RDS::DBCluster
  • VPC Security Group Ids (Terraform)

AWS::RDS::DBProxy
  • VPC Security Group Ids (Terraform)

AWS::RDS::DBSecurityGroup
  • Dbsecurity Group Ingress-Cidrip (Terraform)
  • Dbsecurity Group Ingress-EC2security Group Id (Terraform)
  • Dbsecurity Group Ingress-EC2security Group Name (Terraform)
  • Dbsecurity Group Ingress-EC2security Group Owner Id (Terraform)

AWS::RDS::DBSecurityGroupIngress
  • Cidrip
  • Dbsecurity Group Name
  • EC2security Group Id
  • EC2security Group Name
  • EC2security Group Owner Id

AWS::RDS::OptionGroup
  • Option Configurations-VPC Security Group Memberships (Terraform)

Session Limits

Design Guidance:

AWS::RDS::DBProxy
  • Idle Client Timeout (Terraform)

TLS

Design Guidance:

AWS::RDS::DBProxy
  • Require TLS (Terraform)

Connection Limiting

Design Guidance:

AWS::RDS::DBProxyTargetGroup
  • Connection Pool Configuration Info-Max Connections Percent (Terraform)
  • Connection Pool Configuration Info-Max Idle Connections Percent (Terraform)
  • Connection Pool Configuration Info-Connection Borrow Timeout (Terraform)
  • Connection Pool Configuration Info-Session Pinning Filters (Terraform)
  • Connection Pool Configuration Info-Init Query (Terraform)

Managed Inspection Points

Design Guidance:

AWS::RDS::DBProxy
  • Dbproxy Name (Terraform)

AWS::RDS::DBProxyTargetGroup
  • Dbproxy Name (Terraform)
  • Target Group Name (Terraform)
  • Dbinstance Identifiers (Terraform)
  • Dbcluster Identifiers (Terraform)

Use Trusted Attributes for Security Decisions

Design Guidance:

AWS::RDS::OptionGroup
  • Option Configurations-Dbsecurity Group Memberships (Terraform)