AWS RDS Instance
Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Security Best Practices
There are a number of security considerations when using AWS RDS Instances or Clusters. One key consideration is to use AWS Identity and Access Management (IAM) accounts to control access to Amazon RDS API operations, especially operations that create, modify, or delete Amazon RDS resources. Such resources include DB instances, security groups, and parameter groups. Ensure that IAM is also used to control common administrative actions such as backing up and restoring DB instances.
- Create an individual IAM user for each person who manages Amazon RDS resources, including yourself. Don't use AWS root credentials to manage Amazon RDS resources.
- Grant each user the minimum set of permissions required to perform their duties.
- Use IAM groups to effectively manage permissions for multiple users.
- Rotate your IAM credentials regularly.
- Configure AWS Secrets Manager to automatically rotate the secrets for Amazon RDS. You can also retrieve the credential from AWS Secrets Manager programmatically. For more information, see Retrieving the secret value in the AWS Secrets Manager User Guide.
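The least-privilege point above can be checked mechanically. The following is an added example (not code from the oak9 blueprint or from AWS) that flags IAM policy statements granting the RDS create/modify/delete and backup/restore action families on every resource, alongside a constructed policy scoped to a single DB instance and its Secrets Manager secret; the account id, instance name and secret name are placeholders.

```python
"""Flag IAM Allow statements that grant sensitive RDS API action families on
Resource "*" instead of on specific DB ARNs. Added example, not AWS code."""
import fnmatch

# One real, representative action per family named in the guidance; a grant
# covers a family when its (possibly wildcarded) action string matches it.
SENSITIVE_RDS_ACTIONS = {
    "create": "rds:CreateDBInstance",
    "modify": "rds:ModifyDBInstance",
    "delete": "rds:DeleteDBInstance",
    "backup": "rds:CreateDBSnapshot",
    "restore": "rds:RestoreDBInstanceFromDBSnapshot",
}


def _as_list(value):  # Action, Resource and Statement may be a string/dict or a list
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (Sid, family) pairs for Allow statements that grant a sensitive
    RDS action family on Resource "*" rather than on specific resource ARNs."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for granted in _as_list(stmt.get("Action", [])):
            for family, action in SENSITIVE_RDS_ACTIONS.items():
                # IAM action names are case-insensitive and "*"/"?" are globs,
                # so "*", "rds:*" and "rds:Delete*" all cover a family.
                if fnmatch.fnmatchcase(action.lower(), granted.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), family))
    return findings


# Constructed sample (placeholder account id and names): one operator scoped to
# a single DB instance plus read access to that instance's Secrets Manager secret.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DescribeOnly", "Effect": "Allow", "Resource": "*",
     "Action": ["rds:Describe*", "rds:ListTagsForResource"]},
    {"Sid": "ManageOneInstance", "Effect": "Allow",
     "Action": ["rds:ModifyDBInstance", "rds:CreateDBSnapshot"],
     "Resource": "arn:aws:rds:us-east-1:123456789012:db:example-db"},
    {"Sid": "ReadDbSecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-db-*"},
]}

# Constructed sample of the admin-style grant the guidance warns against.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RdsAdmin", "Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
```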
For more guidance on securing AWS RDS, see oak9's security blueprint for RDS.
Design Guidance:
The blueprint's design guidance covers the following AWS RDS resource properties, grouped as in its guidance table:
- Enable Cloudwatch Logs Exports, Enable Performance Insights, Monitoring Interval, Monitoring Role Arn, Performance Insights Retention Period, Debug Logging, Enabled, Sns Topic Arn, Source Ids
- Idle Client Timeout
- Dbcluster Identifier, Dbinstance Identifier, Dbname, Dbparameter Group Name, Option Group Name, Tags, Engine Name
- Availability Zone, Multi Az, Dbinstance Class, Deletion Protection, Max Allocated Storage, Processor Features-Name, Processor Features-Value, Backup Retention Period
- Dbsnapshot Identifier, Source Dbinstance Identifier, Source Region, Preferred Backup Window
- Allocated Storage, Engine Version, Iops, Description, Family, Parameters, Major Engine Version, Option Configurations-Option Name, Option Settings-Name, Option Settings-Value, Option Configurations-Option Version
- Allow Major Version Upgrade, Auto Minor Version Upgrade, Preferred Maintenance Window
- Storage Encrypted
- Require TLS
- Delete Automated Backups
- Connection Pool Configuration Info-Max Connections Percent, Connection Pool Configuration Info-Max Idle Connections Percent, Connection Pool Configuration Info-Connection Borrow Timeout, Connection Pool Configuration Info-Session Pinning Filters, Connection Pool Configuration Info-Init Query, Promotion Tier, Domain, Enable Iamdatabase Authentication, Master User Password, Master Username, Auth-Auth Scheme, Auth-Iamauth, Auth-Description, Auth-Secret Arn, Auth-User Name
- Port, Option Configurations-Port
- Dbsubnet Group Name, VPC Subnet Ids, EC2VPC Id, Dbsubnet Group Description, Subnet Ids
- Dbproxy Name, Target Group Name, Dbinstance Identifiers, Dbcluster Identifiers
- Dbsecurity Groups, VPCsecurity Groups, VPC Security Group Ids, Dbsecurity Group Ingress-Cidrip, Dbsecurity Group Ingress-EC2security Group Id, Dbsecurity Group Ingress-EC2security Group Name, Dbsecurity Group Ingress-EC2security Group Owner Id, Cidrip, Dbsecurity Group Name, EC2security Group Id, EC2security Group Name, EC2security Group Owner Id, Option Configurations-VPC Security Group Memberships, Publicly Accessible
- Option Configurations-Dbsecurity Group Memberships
- Associated Roles-Feature Name, Associated Roles-Role Arn, Domain Iamrole Name, Role Arn
- Kms Key Id, Performance Insights Kmskey Id
- Cacertificate Identifier, License Model