AWS RDS Instance

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Security Best Practices
There are a number of security considerations when using AWS RDS instances or clusters. One key consideration is to use AWS Identity and Access Management (IAM) accounts to control access to Amazon RDS API operations, especially operations that create, modify, or delete Amazon RDS resources. Such resources include DB instances, security groups, and parameter groups. Ensure that IAM is also used to control common administrative actions such as backing up and restoring DB instances.
  • Create an individual IAM user for each person who manages Amazon RDS resources, including yourself. Don't use AWS root credentials to manage Amazon RDS resources.
  • Grant each user the minimum set of permissions required to perform their duties.
  • Use IAM groups to effectively manage permissions for multiple users.
  • Rotate your IAM credentials regularly.
  • Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS. You can also retrieve the credential from AWS Secrets Manager programmatically. For more information, see Retrieving the secret value in the AWS Secrets Manager User Guide.
For more guidance on securing AWS RDS, see oak9's security blueprint for RDS.

Logging

Design Guidance:

AWS::RDS::DBInstance
  • Enable CloudWatch Logs Exports (Terraform)
  • Enable Performance Insights (Terraform)
  • Monitoring Interval (Terraform)
  • Monitoring Role ARN (Terraform)
  • Performance Insights Retention Period (Terraform)

AWS::RDS::DBProxy
  • Debug Logging (Terraform)

AWS::RDS::EventSubscription
  • Enabled
  • SNS Topic ARN
  • Source Ids

Session Limits

Design Guidance:

AWS::RDS::DBProxy
  • Idle Client Timeout (Terraform)

Asset Inventory

Design Guidance:

AWS::RDS::DBInstance
  • DB Cluster Identifier (Terraform)
  • DB Instance Identifier (Terraform)
  • DB Name (Terraform)
  • DB Parameter Group Name (Terraform)
  • Option Group Name (Terraform)
  • Tags (Terraform)

AWS::RDS::DBParameterGroup
  • Tags (Terraform)

AWS::RDS::DBProxy
  • Tags (Terraform)

AWS::RDS::DBSecurityGroup
  • Tags (Terraform)

AWS::RDS::DBSubnetGroup
  • Tags (Terraform)

AWS::RDS::OptionGroup
  • Engine Name (Terraform)
  • Tags (Terraform)

Design for High Availability

Design Guidance:

AWS::RDS::DBInstance
  • Availability Zone (Terraform)
  • Multi AZ (Terraform)
  • DB Instance Class (Terraform)
  • Deletion Protection (Terraform)
  • Max Allocated Storage (Terraform)
  • Processor Features - Name (Terraform)
  • Processor Features - Value (Terraform)

Data Retention

AWS::RDS::DBInstance
  • Backup Retention Period (Terraform)

Backups

Design Guidance:

AWS::RDS::DBInstance
  • DB Snapshot Identifier (Terraform)
  • Source DB Instance Identifier (Terraform)
  • Source Region (Terraform)
  • Preferred Backup Window (Terraform)

Hardening

Design Guidance:

AWS::RDS::DBInstance
  • Allocated Storage (Terraform)
  • Engine Version (Terraform)
  • IOPS (Terraform)

AWS::RDS::DBParameterGroup
  • Description (Terraform)
  • Family (Terraform)
  • Parameters (Terraform)

AWS::RDS::OptionGroup
  • Major Engine Version (Terraform)
  • Option Configurations - Option Name (Terraform)
  • Option Configurations - Option Settings - Name (Terraform)
  • Option Configurations - Option Settings - Value (Terraform)
  • Option Configurations - Option Version (Terraform)

Configuration Change Control

Design Guidance:

AWS::RDS::DBInstance
  • Allow Major Version Upgrade (Terraform)
  • Auto Minor Version Upgrade (Terraform)
  • Preferred Maintenance Window (Terraform)

Transparent Data Encryption

Design Guidance:

AWS::RDS::DBInstance
  • Storage Encrypted (Terraform)

TLS

Design Guidance:

AWS::RDS::DBProxy
  • Require TLS (Terraform)

Data Minimization

Design Guidance:

AWS::RDS::DBInstance
  • Delete Automated Backups (Terraform)

Connection Limiting

Design Guidance:

AWS::RDS::DBProxyTargetGroup
  • Connection Pool Configuration Info - Max Connections Percent (Terraform)
  • Connection Pool Configuration Info - Max Idle Connections Percent (Terraform)
  • Connection Pool Configuration Info - Connection Borrow Timeout (Terraform)
  • Connection Pool Configuration Info - Session Pinning Filters (Terraform)
  • Connection Pool Configuration Info - Init Query (Terraform)

Fault-Tolerance

AWS::RDS::DBInstance
  • Promotion Tier (Terraform)

Identification and Authentication

AWS::RDS::DBInstance
  • Domain (Terraform)
  • Enable IAM Database Authentication (Terraform)
  • Master User Password (Terraform)
  • Master Username (Terraform)

AWS::RDS::DBProxy
  • Auth - Auth Scheme (Terraform)
  • Auth - IAM Auth (Terraform)
  • Auth - Description (Terraform)
  • Auth - Secret ARN (Terraform)
  • Auth - User Name (Terraform)

Deny-all Communications and Only Allow-by-Exception

Design Guidance:

AWS::RDS::DBInstance
  • Port (Terraform)

AWS::RDS::OptionGroup
  • Option Configurations - Port (Terraform)

Subnet Isolation

Design Guidance:

AWS::RDS::DBInstance
  • DB Subnet Group Name (Terraform)

AWS::RDS::DBProxy
  • VPC Subnet Ids (Terraform)

AWS::RDS::DBSecurityGroup
  • EC2 VPC Id (Terraform)

AWS::RDS::DBSubnetGroup
  • DB Subnet Group Description (Terraform)
  • DB Subnet Group Name (Terraform)
  • Subnet Ids (Terraform)

Managed Inspection Points

Design Guidance:

AWS::RDS::DBProxy
  • DB Proxy Name (Terraform)

AWS::RDS::DBProxyTargetGroup
  • DB Proxy Name (Terraform)
  • Target Group Name (Terraform)
  • DB Instance Identifiers (Terraform)
  • DB Cluster Identifiers (Terraform)

Firewalls

Design Guidance:

AWS::RDS::DBInstance
  • DB Security Groups (Terraform)
  • VPC Security Groups (Terraform)

AWS::RDS::DBProxy
  • VPC Security Group Ids (Terraform)

AWS::RDS::DBSecurityGroup
  • DB Security Group Ingress - CIDR IP (Terraform)
  • DB Security Group Ingress - EC2 Security Group Id (Terraform)
  • DB Security Group Ingress - EC2 Security Group Name (Terraform)
  • DB Security Group Ingress - EC2 Security Group Owner Id (Terraform)

AWS::RDS::DBSecurityGroupIngress
  • CIDR IP
  • DB Security Group Name
  • EC2 Security Group Id
  • EC2 Security Group Name
  • EC2 Security Group Owner Id

AWS::RDS::OptionGroup
  • Option Configurations - VPC Security Group Memberships (Terraform)

Network Access Points Enforcing Network Access

AWS::RDS::DBInstance
  • Publicly Accessible (Terraform)

Use Trusted Attributes for Security Decisions

Design Guidance:

AWS::RDS::OptionGroup
  • Option Configurations - DB Security Group Memberships (Terraform)

Utilize Role-based Access Control

Design Guidance:

AWS::RDS::DBInstance
  • Associated Roles - Feature Name (Terraform)
  • Associated Roles - Role ARN (Terraform)
  • Domain IAM Role Name (Terraform)

AWS::RDS::DBProxy
  • Role ARN (Terraform)

Protect Cryptographic Keys

Design Guidance:

AWS::RDS::DBInstance
  • KMS Key Id (Terraform)
  • Performance Insights KMS Key Id (Terraform)

Issue Keys from Trusted Authorities

Design Guidance:

AWS::RDS::DBInstance
  • CA Certificate Identifier (Terraform)
  • License Model (Terraform)