AWS RDS Instance

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes
AWS Security Best Practices
There are number of security considerations when using AWS RDS Instances or Clusters. One key consideration is to use AWS Identity and Access Management (IAM) accounts to control access to Amazon RDS API operations, especially operations that create, modify, or delete Amazon RDSresources. Such resources include DB instances, security groups, and parameter groups. Ensure that IAM is also used to control actions that perform common administrative actions such as backing up and restoring DB instances.
Create an individual IAM user for each person who manages Amazon RDS resources, including yourself. Don't use AWS root credentials to manage Amazon RDS resources.
Grant each user the minimum set of permissions required to perform his or her duties.
Use IAM groups to effectively manage permissions for multiple users.
Rotate your IAM credentials regularly.
Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS. You can also retrieve the credential from AWS Secrets Manager programmatically. For more information, see Retrieving the secret value in the AWS Secrets Manager User Guide.
For more guidance on securing AWS RDS, look at oak9's security bluerprint for RDS.
Logging
Design Guidance:
Publishing database logs to Amazon CloudWatch Logs - Amazon Relational Database Service
Amazon Relational Database Service
Monitoring DB load with Performance Insights on Amazon RDS - Amazon Relational Database Service
Amazon Relational Database Service
Setting up and enabling Enhanced Monitoring - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Enable Cloudwatch Logs Exports
​Cloud Formation​
​Terraform​
Enable Performance Insights
​Cloud Formation​
​Terraform​
Monitoring Interval
​Cloud Formation​
​Terraform​
Monitoring Role Arn
​Cloud Formation​
​Terraform​
Performance Insights Retention Period
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Debug Logging
​Cloud Formation​
​Terraform​
AWS::RDS::EventSubscription
Enabled
​Cloud Formation​
Sns Topic Arn
​Cloud Formation​
Source Ids
​Cloud Formation​
​
Session Limits
Design Guidance:
Using Amazon RDS Proxy - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBProxy
Idle Client Timeout
​Cloud Formation​
​Terraform​
​
Asset Inventory
Design Guidance:
Tagging Amazon RDS resources - Amazon Relational Database Service
Amazon Relational Database Service
Creating an Amazon RDS DB instance - Amazon Relational Database Service
AWS::RDS::DBInstance
Dbcluster Identifier
​Cloud Formation​
​Terraform​
Dbinstance Identifier
​Cloud Formation​
​Terraform​
Dbname
​Cloud Formation​
​Terraform​
Dbparameter Group Name
​Cloud Formation​
​Terraform​
Option Group Name
​Cloud Formation​
​Terraform​
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBParameterGroup
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroup
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::DBSubnetGroup
Tags
​Cloud Formation​
​Terraform​
AWS::RDS::OptionGroup
Engine Name
​Cloud Formation​
​Terraform​
Tags
​Cloud Formation​
​Terraform​
​
Design for High Availability
Design Guidance:
Regions, Availability Zones, and Local Zones - Amazon Relational Database Service
Amazon Relational Database Service
Deleting a DB instance - Amazon Relational Database Service
DB instance classes - Amazon Relational Database Service
AWS::RDS::DBInstance
Availability Zone
​Cloud Formation​
​Terraform​
Multi Az
​Cloud Formation​
​Terraform​
Dbinstance Class
​Cloud Formation​
​Terraform​
Deletion Protection
​Cloud Formation​
​Terraform​
Max Allocated Storage
​Cloud Formation​
​Terraform​
Processor Features-Name
​Cloud Formation​
​Terraform​
Processor Features-Value
​Cloud Formation​
​Terraform​
​
Data Retention
AWS::RDS::DBInstance
Backup Retention Period
​Cloud Formation​
​Terraform​
​
Backups
Design Guidance:
Working with backups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Dbsnapshot Identifier
​Cloud Formation​
​Terraform​
Source Dbinstance Identifier
​Cloud Formation​
​Terraform​
Source Region
​Cloud Formation​
​Terraform​
Preferred Backup Window
​Cloud Formation​
​Terraform​
​
Hardening
Design Guidance:
Working with parameter groups - Amazon Relational Database Service
Amazon Relational Database Service
Creating an Amazon RDS DB instance - Amazon Relational Database Service
Amazon Relational Database Service
Working with option groups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Allocated Storage
​Cloud Formation​
​Terraform​
Engine Version
​Cloud Formation​
​Terraform​
Iops
​Cloud Formation​
​Terraform​
AWS::RDS::DBParameterGroup
Description
​Cloud Formation​
​Terraform​
Family
​Cloud Formation​
​Terraform​
Parameters
​Cloud Formation​
​Terraform​
AWS::RDS::OptionGroup
Major Engine Version
​Cloud Formation​
​Terraform​
Option Configurations-Option Name
​Cloud Formation​
​Terraform​
Option Settings-Name
​Cloud Formation​
​Terraform​
Option Settings-Value
​Cloud Formation​
​Terraform​
Option Configurations-Option Version
​Cloud Formation​
​Terraform​
​
Configuration Change Control
Design Guidance:
Maintaining a DB instance - Amazon Relational Database Service
Upgrading a DB instance engine version - Amazon Relational Database Service
AWS::RDS::DBInstance
Allow Major Version Upgrade
​Cloud Formation​
​Terraform​
Auto Minor Version Upgrade
​Cloud Formation​
​Terraform​
Preferred Maintenance Window
​Cloud Formation​
​Terraform​
​
Transparent Data Encryption
Design Guidance:
Encrypting Amazon RDS resources - Amazon Relational Database Service
AWS::RDS::DBInstance
Storage Encrypted
​Cloud Formation​
​Terraform​
​
TLS
Design Guidance:
Using SSL/TLS to encrypt a connection to a DB instance - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBProxy
Require TLS
​Cloud Formation​
​Terraform​
​
Data Minimization
Design Guidance:
Working with backups - Amazon Relational Database Service
AWS::RDS::DBInstance
Delete Automated Backups
​Cloud Formation​
​Terraform​
​
Connection Limiting
Design Guidance:
Managing an RDS Proxy - Amazon Relational Database Service
AWS::RDS::DBProxyTargetGroup
Connection Pool Configuration Info-Max Connections Percent
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Max Idle Connections Percent
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Connection Borrow Timeout
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Session Pinning Filters
​Cloud Formation​
​Terraform​
Connection Pool Configuration Info-Init Query
​Cloud Formation​
​Terraform​
​
Fault-Tolerance
AWS::RDS::DBInstance
Promotion Tier
​Cloud Formation​
​Terraform​
​
Identification and Authentication
AWS::RDS::DBInstance
Domain
​Cloud Formation​
​Terraform​
Enable Iamdatabase Authentication
​Cloud Formation​
​Terraform​
Master User Password
​Cloud Formation​
​Terraform​
Master Username
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Auth-Auth Scheme
​Cloud Formation​
​Terraform​
Auth-Iamauth
​Cloud Formation​
​Terraform​
Auth-Description
​Cloud Formation​
​Terraform​
Auth-Secret Arn
​Cloud Formation​
​Terraform​
Auth-User Name
​Cloud Formation​
​Terraform​
​
Deny-all Communications and Only Allow-by-Exception
Design Guidance:
Working with option groups - Amazon Relational Database Service
Creating an Amazon RDS DB instance - Amazon Relational Database Service
AWS::RDS::DBInstance
Port
​Cloud Formation​
​Terraform​
AWS::RDS::OptionGroup
Option Configurations-Port
​Cloud Formation​
​Terraform​
​
Subnet Isolation
Design Guidance:
Amazon Virtual Private Cloud VPCs and Amazon RDS - Amazon Relational Database Service
Amazon Relational Database Service
Using Amazon RDS Proxy - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Dbsubnet Group Name
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
VPC Subnet Ids
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroup
EC2VPC Id
​Cloud Formation​
​Terraform​
AWS::RDS::DBSubnetGroup
Dbsubnet Group Description
​Cloud Formation​
​Terraform​
Dbsubnet Group Name
​Cloud Formation​
​Terraform​
Subnet Ids
​Cloud Formation​
​Terraform​
​
Managed Inspection Points
Design Guidance:
Using Amazon RDS Proxy - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBProxy
Dbproxy Name
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxyTargetGroup
Dbproxy Name
​Cloud Formation​
​Terraform​
Target Group Name
​Cloud Formation​
​Terraform​
Dbinstance Identifiers
​Cloud Formation​
​Terraform​
Dbcluster Identifiers
​Cloud Formation​
​Terraform​
​
Firewalls
Design Guidance:
Controlling access with security groups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Dbsecurity Groups
​Cloud Formation​
​Terraform​
VPCsecurity Groups
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
VPC Security Group Ids
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroup
Dbsecurity Group Ingress-Cidrip
​Cloud Formation​
​Terraform​
Dbsecurity Group Ingress-EC2security Group Id
​Cloud Formation​
​Terraform​
Dbsecurity Group Ingress-EC2security Group Name
​Cloud Formation​
​Terraform​
Dbsecurity Group Ingress-EC2security Group Owner Id
​Cloud Formation​
​Terraform​
AWS::RDS::DBSecurityGroupIngress
Cidrip
​Cloud Formation​
Dbsecurity Group Name
​Cloud Formation​
EC2security Group Id
​Cloud Formation​
EC2security Group Name
​Cloud Formation​
EC2security Group Owner Id
​Cloud Formation​
AWS::RDS::OptionGroup
Option Configurations-VPC Security Group Memberships
​Cloud Formation​
​Terraform​
​
Network Access Points Enforcing Network Access
AWS::RDS::DBInstance
Publicly Accessible
​Cloud Formation​
​Terraform​
​
Use Trusted Attributes for Security Decisions
Design Guidance:
Controlling access with security groups - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::OptionGroup
Option Configurations-Dbsecurity Group Memberships
​Cloud Formation​
​Terraform​
​
Utilize Role-based Access Control
Design Guidance:
Identity and access management for Amazon RDS - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Associated Roles-Feature Name
​Cloud Formation​
​Terraform​
Associated Roles-Role Arn
​Cloud Formation​
​Terraform​
Domain Iamrole Name
​Cloud Formation​
​Terraform​
AWS::RDS::DBProxy
Role Arn
​Cloud Formation​
​Terraform​
​
Protect Cryptographic Keys
Design Guidance:
AWS KMS key management - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Kms Key Id
​Cloud Formation​
​Terraform​
Performance Insights Kmskey Id
​Cloud Formation​
​Terraform​
​
Issue Keys from Trusted Authorities
Design Guidance:
Creating an Amazon RDS DB instance - Amazon Relational Database Service
Amazon Relational Database Service
AWS::RDS::DBInstance
Cacertificate Identifier
​Cloud Formation​
​Terraform​
License Model
​Cloud Formation​
​Terraform​
​

AWS RDS Cluster

AWS Route53

Last modified 6mo ago

Enable Cloudwatch Logs Exports	Cloud Formation	Terraform
Enable Performance Insights	Cloud Formation	Terraform
Monitoring Interval	Cloud Formation	Terraform
Monitoring Role Arn	Cloud Formation	Terraform
Performance Insights Retention Period	Cloud Formation	Terraform

Enabled	Cloud Formation
Sns Topic Arn	Cloud Formation
Source Ids	Cloud Formation

Dbcluster Identifier	Cloud Formation	Terraform
Dbinstance Identifier	Cloud Formation	Terraform
Dbname	Cloud Formation	Terraform
Dbparameter Group Name	Cloud Formation	Terraform
Option Group Name	Cloud Formation	Terraform
Tags	Cloud Formation	Terraform

Engine Name	Cloud Formation	Terraform
Tags	Cloud Formation	Terraform

Availability Zone	Cloud Formation	Terraform
Multi Az	Cloud Formation	Terraform
Dbinstance Class	Cloud Formation	Terraform
Deletion Protection	Cloud Formation	Terraform
Max Allocated Storage	Cloud Formation	Terraform
Processor Features-Name	Cloud Formation	Terraform
Processor Features-Value	Cloud Formation	Terraform

Dbsnapshot Identifier	Cloud Formation	Terraform
Source Dbinstance Identifier	Cloud Formation	Terraform
Source Region	Cloud Formation	Terraform
Preferred Backup Window	Cloud Formation	Terraform

Allocated Storage	Cloud Formation	Terraform
Engine Version	Cloud Formation	Terraform
Iops	Cloud Formation	Terraform

Description	Cloud Formation	Terraform
Family	Cloud Formation	Terraform
Parameters	Cloud Formation	Terraform

Major Engine Version	Cloud Formation	Terraform
Option Configurations-Option Name	Cloud Formation	Terraform
Option Settings-Name	Cloud Formation	Terraform
Option Settings-Value	Cloud Formation	Terraform
Option Configurations-Option Version	Cloud Formation	Terraform

Allow Major Version Upgrade	Cloud Formation	Terraform
Auto Minor Version Upgrade	Cloud Formation	Terraform
Preferred Maintenance Window	Cloud Formation	Terraform

Connection Pool Configuration Info-Max Connections Percent	Cloud Formation	Terraform
Connection Pool Configuration Info-Max Idle Connections Percent	Cloud Formation	Terraform
Connection Pool Configuration Info-Connection Borrow Timeout	Cloud Formation	Terraform
Connection Pool Configuration Info-Session Pinning Filters	Cloud Formation	Terraform
Connection Pool Configuration Info-Init Query	Cloud Formation	Terraform

Domain	Cloud Formation	Terraform
Enable Iamdatabase Authentication	Cloud Formation	Terraform
Master User Password	Cloud Formation	Terraform
Master Username	Cloud Formation	Terraform

Auth-Auth Scheme	Cloud Formation	Terraform
Auth-Iamauth	Cloud Formation	Terraform
Auth-Description	Cloud Formation	Terraform
Auth-Secret Arn	Cloud Formation	Terraform
Auth-User Name	Cloud Formation	Terraform

Dbsubnet Group Description	Cloud Formation	Terraform
Dbsubnet Group Name	Cloud Formation	Terraform
Subnet Ids	Cloud Formation	Terraform

Dbproxy Name	Cloud Formation	Terraform
Target Group Name	Cloud Formation	Terraform
Dbinstance Identifiers	Cloud Formation	Terraform
Dbcluster Identifiers	Cloud Formation	Terraform

Dbsecurity Groups	Cloud Formation	Terraform
VPCsecurity Groups	Cloud Formation	Terraform

Dbsecurity Group Ingress-Cidrip	Cloud Formation	Terraform
Dbsecurity Group Ingress-EC2security Group Id	Cloud Formation	Terraform
Dbsecurity Group Ingress-EC2security Group Name	Cloud Formation	Terraform
Dbsecurity Group Ingress-EC2security Group Owner Id	Cloud Formation	Terraform

Cidrip	Cloud Formation
Dbsecurity Group Name	Cloud Formation
EC2security Group Id	Cloud Formation
EC2security Group Name	Cloud Formation
EC2security Group Owner Id	Cloud Formation

Associated Roles-Feature Name	Cloud Formation	Terraform
Associated Roles-Role Arn	Cloud Formation	Terraform
Domain Iamrole Name	Cloud Formation	Terraform

Kms Key Id	Cloud Formation	Terraform
Performance Insights Kmskey Id	Cloud Formation	Terraform

Cacertificate Identifier	Cloud Formation	Terraform
License Model	Cloud Formation	Terraform