Submitted URL: https://docs.aws.amazon.com/console/securityhub/RDS.4/remediation
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html
Submission: On September 11 via api from IN — Scanned from DE
Amazon Relational Database Service controls - AWS Security Hub

* [RDS.1] RDS snapshot should be private
* [RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration
* [RDS.3] RDS DB instances should have encryption at-rest enabled
* [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
* [RDS.5] RDS DB instances should be configured with multiple Availability Zones
* [RDS.6] Enhanced monitoring should be configured for RDS DB instances
* [RDS.7] RDS clusters should have deletion protection enabled
* [RDS.8] RDS DB instances should have deletion protection enabled
* [RDS.9] Database logging should be enabled
* [RDS.10] IAM authentication should be configured for RDS instances
* [RDS.11] RDS instances should have automatic backups enabled
* [RDS.12] IAM authentication should be configured for RDS clusters
* [RDS.13] RDS automatic minor version upgrades should be enabled
* [RDS.14] Amazon Aurora clusters should have backtracking enabled
* [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
* [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
* [RDS.17] RDS DB instances should be configured to copy tags to snapshots
* [RDS.18] RDS instances should be deployed in a VPC
* [RDS.19] An RDS event notifications subscription should be configured for critical cluster events
* [RDS.20] An RDS event notifications subscription should be configured for critical database instance events
* [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events
* [RDS.22] An RDS event notifications subscription should be configured for critical database security group events
* [RDS.23] RDS instances should not use a database engine default port
* [RDS.24] RDS Database clusters should use a custom administrator username
* [RDS.25] RDS database instances should use a custom administrator username
* [RDS.26] RDS DB instances should be covered by a backup plan
* [RDS.27] RDS DB clusters should be encrypted at rest

Amazon Relational Database Service controls

These controls are related to Amazon RDS resources. These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.

[RDS.1] RDS snapshot should be private

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::RDS::DBClusterSnapshot, AWS::RDS::DBSnapshot
AWS Config rule: rds-snapshots-public-prohibited
Schedule type: Change triggered
Parameters: None

This control checks whether Amazon RDS snapshots are public. The control fails if RDS snapshots are public. This control evaluates RDS instances, Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters.

RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances. An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance.

Note that if the configuration is changed to allow public access, the AWS Config rule may not be able to detect the change for up to 12 hours.
Until the AWS Config rule detects the change, the check passes even though the configuration violates the rule. To learn more about sharing a DB snapshot, see Sharing a DB snapshot in the Amazon RDS User Guide.

Remediation

To remove public access from RDS snapshots, see Sharing a snapshot in the Amazon RDS User Guide. For DB snapshot visibility, choose Private.

[RDS.2] RDS DB instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)
Category: Protect > Secure network configuration
Severity: Critical
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-instance-public-access-check
Schedule type: Change triggered
Parameters: None

This control checks whether Amazon RDS instances are publicly accessible by evaluating the PubliclyAccessible field in the instance configuration item. Neptune DB instances and Amazon DocumentDB clusters do not have the PubliclyAccessible flag and cannot be evaluated. However, this control can still generate findings for these resources. You can suppress these findings.

The PubliclyAccessible value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When the DB instance is configured with PubliclyAccessible, it is an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance should not be configured with the PubliclyAccessible value. Doing so might allow unnecessary traffic to your database instance.

Remediation

To remove public access from RDS DB instances, see Modifying an Amazon RDS DB instance in the Amazon RDS User Guide. For Public access, choose No.

[RDS.3] RDS DB instances should have encryption at-rest enabled

Related requirements: CIS AWS Foundations Benchmark v1.4.0/2.3.1, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-storage-encrypted
Schedule type: Change triggered
Parameters: None

This control checks whether storage encryption is enabled for your Amazon RDS DB instances.

This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.

For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.

RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption.

Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.

Remediation

For information about encrypting DB instances in Amazon RDS, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.

[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::RDS::DBClusterSnapshot, AWS::RDS::DBSnapshot
AWS Config rule: rds-snapshot-encrypted
Schedule type: Change triggered
Parameters: None

This control checks whether an RDS DB snapshot is encrypted. The control fails if an RDS DB snapshot isn't encrypted.

This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.

Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.

Remediation

To encrypt an RDS snapshot, see Encrypting Amazon RDS resources in the Amazon RDS User Guide.

When you encrypt an RDS DB instance, the encrypted data includes the underlying storage for the instance, its automated backups, read replicas, and snapshots. You can only encrypt an RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.

[RDS.5] RDS DB instances should be configured with multiple Availability Zones

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Recover > Resilience > High availability
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-multi-az-support
Schedule type: Change triggered
Parameters: None

This control checks whether high availability is enabled for your RDS DB instances.

RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with AZ availability and during regular RDS maintenance.

Remediation

To deploy your DB instances in multiple AZs, see Modifying a DB instance to be a Multi-AZ DB instance deployment in the Amazon RDS User Guide.

[RDS.6] Enhanced monitoring should be configured for RDS DB instances

Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2
Category: Detect > Detection services
Severity: Low
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-enhanced-monitoring-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether enhanced monitoring is enabled for your RDS DB instances.

In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.

Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.
For more information, see Enhanced Monitoring in the Amazon RDS User Guide.

Remediation

For detailed instructions on enabling Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring in the Amazon RDS User Guide.

[RDS.7] RDS clusters should have deletion protection enabled

Related requirements: NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)
Category: Protect > Data protection > Data deletion protection
Severity: Low
Resource type: AWS::RDS::DBCluster
AWS Config rule: rds-cluster-deletion-protection-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether an RDS DB cluster has deletion protection enabled. The control fails if an RDS DB cluster doesn't have deletion protection enabled.

This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.

Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.

Remediation

To enable deletion protection for an RDS DB cluster, see Modifying the DB cluster by using the console, CLI, and API in the Amazon RDS User Guide. For Deletion protection, choose Enable deletion protection.

[RDS.8] RDS DB instances should have deletion protection enabled

Related requirements: NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Protect > Data protection > Data deletion protection
Severity: Low
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-instance-deletion-protection-enabled
Schedule type: Change triggered
Parameters:
* databaseEngines: mariadb,mysql,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web

This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled. The control fails if an RDS DB instance doesn't have deletion protection enabled.

Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity. While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.

Remediation

To enable deletion protection for an RDS DB instance, see Modifying an Amazon RDS DB instance in the Amazon RDS User Guide. For Deletion protection, choose Enable deletion protection.

[RDS.9] Database logging should be enabled

Related requirements: NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)
Category: Identify > Logging
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-logging-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether the following logs of Amazon RDS are enabled and sent to Amazon CloudWatch Logs:
* Oracle: (Alert, Audit, Trace, Listener)
* PostgreSQL: (Postgresql, Upgrade)
* MySQL: (Audit, Error, General, SlowQuery)
* MariaDB: (Audit, Error, General, SlowQuery)
* SQL Server: (Error, Agent)
* Aurora: (Audit, Error, General, SlowQuery)
* Aurora-MySQL: (Audit, Error, General, SlowQuery)
* Aurora-PostgreSQL: (Postgresql, Upgrade)

RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.

Remediation

To publish RDS database logs to CloudWatch Logs, see Specifying the logs to publish to CloudWatch Logs in the Amazon RDS User Guide.

[RDS.10] IAM authentication should be configured for RDS instances

Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6
Category: Protect > Secure access management > Passwordless authentication
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-instance-iam-authentication-enabled
Schedule type: Change triggered
Parameters: None

This control checks whether an RDS DB instance has IAM database authentication enabled. The control fails if IAM authentication is not configured for RDS DB instances.

This control only evaluates RDS instances with the following engine types: mysql, postgres, aurora, aurora-mysql, aurora-postgresql, and mariadb. An RDS instance must also be in one of the following states for a finding to be generated: available, backing-up, storage-optimization, or storage-full.

IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide.

Remediation

To activate IAM database authentication on an RDS DB instance, see Enabling and disabling IAM database authentication in the Amazon RDS User Guide.

[RDS.11] RDS instances should have automatic backups enabled

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)
Category: Recover > Resilience > Backups enabled
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: db-instance-backup-enabled
Schedule type: Change triggered
Parameters:
* backupRetentionMinimum: 7

This control checks whether Amazon Relational Database Service instances have automated backups enabled and the backup retention period is greater than or equal to seven days. The control fails if backups are not enabled, or if the retention period is less than 7 days.

Backups help you recover more quickly from a security incident and strengthen the resilience of your systems. Amazon RDS provides an easy way to configure daily full instance volume snapshots. For more details on Amazon RDS automated backups, see Working with Backups in the Amazon RDS User Guide.

Remediation

To enable automated backups on an RDS DB instance, see Enabling automated backups in the Amazon RDS User Guide.
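The following script is an added example, not part of the AWS documentation or of Security Hub itself: it applies the check logic described above for RDS.1, RDS.2, RDS.3, RDS.4, RDS.8 (with its databaseEngines parameter), RDS.10 (engine and state filters) and RDS.11 (backupRetentionMinimum) to constructed records. The record field names are assumed from the RDS DescribeDBInstances, DescribeDBSnapshots and DescribeDBSnapshotAttributes API shapes; the resource identifiers and the account ID are placeholders, and cluster snapshots are not covered.

```python
"""Local evaluation of several Security Hub RDS controls over constructed
DescribeDBInstances / DescribeDBSnapshots style records (no AWS calls)."""
from dataclasses import dataclass

# Control parameters as documented on this page.
RDS8_ENGINES = {"mariadb", "mysql", "oracle-ee", "oracle-se2", "oracle-se1",
                "oracle-se", "postgres", "sqlserver-ee", "sqlserver-se",
                "sqlserver-ex", "sqlserver-web"}
RDS10_ENGINES = {"mysql", "postgres", "aurora", "aurora-mysql",
                 "aurora-postgresql", "mariadb"}
RDS10_STATES = {"available", "backing-up", "storage-optimization", "storage-full"}
BACKUP_RETENTION_MINIMUM = 7  # RDS.11 backupRetentionMinimum


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    status: str  # "PASSED" or "FAILED"
    reason: str


def _finding(control, resource, passed, reason):
    return Finding(control, resource, "PASSED" if passed else "FAILED", reason)


def evaluate_instance(inst: dict) -> list:
    """Apply RDS.2, RDS.3, RDS.8, RDS.10 and RDS.11 to one DB instance record."""
    rid, engine, out = inst["DBInstanceIdentifier"], inst.get("Engine", ""), []
    # RDS.2: the PubliclyAccessible flag alone decides the result.
    public = bool(inst.get("PubliclyAccessible", False))
    out.append(_finding("RDS.2", rid, not public, f"PubliclyAccessible={public}"))
    # RDS.3: storage encryption at rest.
    enc = bool(inst.get("StorageEncrypted", False))
    out.append(_finding("RDS.3", rid, enc, f"StorageEncrypted={enc}"))
    # RDS.8 applies only to the engines in its databaseEngines parameter.
    if engine in RDS8_ENGINES:
        dp = bool(inst.get("DeletionProtection", False))
        out.append(_finding("RDS.8", rid, dp, f"DeletionProtection={dp}"))
    # RDS.10 applies only to the listed engines while in one of the listed states.
    if engine in RDS10_ENGINES and inst.get("DBInstanceStatus") in RDS10_STATES:
        iam = bool(inst.get("IAMDatabaseAuthenticationEnabled", False))
        out.append(_finding("RDS.10", rid, iam, f"IAMDatabaseAuthenticationEnabled={iam}"))
    # RDS.11: a retention period of 0 means automated backups are disabled, so
    # one comparison covers both the "not enabled" and the "too short" cases.
    days = int(inst.get("BackupRetentionPeriod", 0))
    out.append(_finding("RDS.11", rid, days >= BACKUP_RETENTION_MINIMUM,
                        f"BackupRetentionPeriod={days}"))
    return out


def evaluate_snapshot(snap: dict, attributes: list) -> list:
    """Apply RDS.1 and RDS.4 to one snapshot and its DescribeDBSnapshotAttributes."""
    sid = snap["DBSnapshotIdentifier"]
    # RDS.1: a snapshot is public when its "restore" attribute contains "all";
    # sharing with specific account IDs is not public and passes.
    values = next((a.get("AttributeValues", []) for a in attributes
                   if a.get("AttributeName") == "restore"), [])
    public = "all" in values
    enc = bool(snap.get("Encrypted", False))  # RDS.4: the snapshot's own flag
    return [_finding("RDS.1", sid, not public, f"restore={values}"),
            _finding("RDS.4", sid, enc, f"Encrypted={enc}")]


# Constructed sample inventory (not real resources; 123456789012 is a placeholder).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
     "DBInstanceStatus": "available", "PubliclyAccessible": False,
     "StorageEncrypted": True, "DeletionProtection": True,
     "IAMDatabaseAuthenticationEnabled": True, "BackupRetentionPeriod": 14},
    {"DBInstanceIdentifier": "analytics-dev", "Engine": "postgres",
     "DBInstanceStatus": "available", "PubliclyAccessible": True,
     "StorageEncrypted": False, "DeletionProtection": False,
     "IAMDatabaseAuthenticationEnabled": False, "BackupRetentionPeriod": 0},
    # aurora-mysql is outside RDS.8's engine list and "modifying" is outside
    # RDS.10's state list, so neither control yields a finding for this one.
    {"DBInstanceIdentifier": "reports-aurora", "Engine": "aurora-mysql",
     "DBInstanceStatus": "modifying", "PubliclyAccessible": False,
     "StorageEncrypted": True, "DeletionProtection": False,
     "IAMDatabaseAuthenticationEnabled": False, "BackupRetentionPeriod": 7},
]
SAMPLE_SNAPSHOTS = [
    ({"DBSnapshotIdentifier": "orders-prod-snap", "Encrypted": True},
     [{"AttributeName": "restore", "AttributeValues": []}]),
    ({"DBSnapshotIdentifier": "analytics-dev-manual", "Encrypted": False},
     [{"AttributeName": "restore", "AttributeValues": ["all"]}]),
    ({"DBSnapshotIdentifier": "shared-with-partner", "Encrypted": True},
     [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]),
]


def run_sample() -> dict:
    """Evaluate the constructed inventory; returns {(control, resource): status}."""
    findings = []
    for inst in SAMPLE_INSTANCES:
        findings.extend(evaluate_instance(inst))
    for snap, attrs in SAMPLE_SNAPSHOTS:
        findings.extend(evaluate_snapshot(snap, attrs))
    return {(f.control, f.resource): f.status for f in findings}
```

Note that the RDS.1 check treats a snapshot shared with specific accounts as private, exactly as the control does; only the "all" restore value is public.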
[RDS.12] IAM AUTHENTICATION SHOULD BE CONFIGURED FOR RDS CLUSTERS Related requirements: NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6 Category: Protect > Secure access management > Passwordless authentication Severity: Medium Resource type: AWS::RDS::DBCluster AWS Config rule: rds-cluster-iam-authentication-enabled Schedule type: Change triggered Parameters:None This control checks whether an Amazon RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see IAM database authentication in the Amazon Aurora User Guide. REMEDIATION To enable IAM authentication for a DB cluster, see Enabling and disabling IAM database authentication in the Amazon Aurora User Guide. [RDS.13] RDS AUTOMATIC MINOR VERSION UPGRADES SHOULD BE ENABLED Related requirements: NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5) Category: Detect > Vulnerability and patch management Severity: High Resource type: AWS::RDS::DBInstance AWS Config rule: rds-automatic-minor-version-upgrade-enabled Schedule type: Change triggered Parameters: None This control checks whether automatic minor version upgrades are enabled for the RDS database instance. Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems. REMEDIATION To enable automatic minor version upgrades for an existing DB instance, see Modifying an Amazon RDS DB instance in the Amazon RDS User Guide. For Auto minor version upgrade, select Yes. 
[RDS.14] AMAZON AURORA CLUSTERS SHOULD HAVE BACKTRACKING ENABLED Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SI-13(5) Category: Recover > Resilience > Backups enabled Severity: Medium Resource type: AWS::RDS::DBCluster AWS Config rule: aurora-mysql-backtracking-enabled Schedule type: Change triggered Parameters: None This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so. For more information about backtracking in Aurora, see Backtracking an Aurora DB cluster in the Amazon Aurora User Guide. REMEDIATION For detailed instructions on how to enable Aurora backtracking, see Configuring backtracking in the Amazon Aurora User Guide. Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in Overview of backtracking. For information about pricing for backtracking, see the Aurora pricing page. [RDS.15] RDS DB CLUSTERS SHOULD BE CONFIGURED FOR MULTIPLE AVAILABILITY ZONES Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5) Category: Recover > Resilience > High availability Severity: Medium Resource type: AWS::RDS::DBCluster AWS Config rule: rds-cluster-multi-az-enabled Schedule type: Change triggered Parameters: None This control checks whether high availability is enabled for your RDS DB clusters. The control fails if an RDS DB cluster isn't deployed in multiple Availability Zones (AZs). 
RDS DB clusters should be configured for multiple AZs to ensure availability of stored data. Deployment to multiple AZs allows for automated failover in the event of an AZ availability issue and during regular RDS maintenance events. REMEDIATION To deploy your DB clusters in multiple AZs, Modifying a DB instance to be a Multi-AZ DB instance deployment in the Amazon RDS User Guide. Remediation steps differ for Aurora global databases. To configure multiple Availability Zones for an Aurora global database, select your DB cluster. Then, choose Actions and Add reader, and specify multiple AZs. For more information, see Adding Aurora Replicas to a DB cluster in the Amazon Aurora User Guide. [RDS.16] RDS DB CLUSTERS SHOULD BE CONFIGURED TO COPY TAGS TO SNAPSHOTS Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2) Category: Identify > Inventory Severity: Low Resource type: AWS::RDS::DBCluster AWS Config rule: rds-cluster-copy-tags-to-snapshots-enabled (custom Security Hub rule) Schedule type: Change triggered Parameters: None This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created. Identification and inventory of your IT assets is a crucial aspect of governance and security. You need to have visibility of all your RDS DB clusters so that you can assess their security posture and take action on potential areas of weakness. Snapshots should be tagged in the same way as their parent RDS database clusters. Enabling this setting ensures that snapshots inherit the tags of their parent database clusters. REMEDIATION To automatically copy tags to snapshots for an RDS DB cluster, see Modifying the DB cluster by using the console, CLI, and API in the Amazon Aurora User Guide. Select Copy tags to snapshots. 
[RDS.17] RDS DB INSTANCES SHOULD BE CONFIGURED TO COPY TAGS TO SNAPSHOTS

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)
Category: Identify > Inventory
Severity: Low
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-instance-copy-tags-to-snapshots-enabled (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.

Identification and inventory of your IT assets is a crucial aspect of governance and security. You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness. Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.

REMEDIATION

To automatically copy tags to snapshots for an RDS DB instance, see Modifying an Amazon RDS DB instance in the Amazon RDS User Guide. Select Copy tags to snapshots.

[RDS.18] RDS INSTANCES SHOULD BE DEPLOYED IN A VPC

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration > Resources within VPC
Severity: High
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-deployed-in-vpc (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether an Amazon RDS instance is deployed on an EC2-VPC.

VPCs provide a number of network controls to secure access to RDS resources. These controls include VPC Endpoints, network ACLs, and security groups.
To take advantage of these controls, we recommend that you create your RDS instances on an EC2-VPC.

REMEDIATION

For instructions on moving RDS instances to a VPC, see Updating the VPC for a DB instance in the Amazon RDS User Guide.

[RDS.19] AN RDS EVENT NOTIFICATIONS SUBSCRIPTION SHOULD BE CONFIGURED FOR CRITICAL CLUSTER EVENTS

IMPORTANT
Security Hub will change the title of this control in August 2023. For more information, see Change log for Security Hub controls.

Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2
Category: Detect > Detection services > Application monitoring
Severity: Low
Resource type: AWS::RDS::EventSubscription
AWS Config rule: rds-cluster-event-notifications-configured (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether an existing Amazon RDS event subscription for database clusters has notifications enabled for the following source type and event category key-value pairs:

DBCluster: ["maintenance","failure"]

The control passes if there are no existing event subscriptions in your account.

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

REMEDIATION

To subscribe to RDS cluster event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide. Use the following values:

Field                         Value
Source type                   Clusters
Clusters to include           All clusters
Event categories to include   Select specific event categories or All event categories

[RDS.20] AN RDS EVENT NOTIFICATIONS SUBSCRIPTION SHOULD BE CONFIGURED FOR CRITICAL DATABASE INSTANCE EVENTS

IMPORTANT
Security Hub will change the title of this control in August 2023. For more information, see Change log for Security Hub controls.
Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2
Category: Detect > Detection services > Application monitoring
Severity: Low
Resource type: AWS::RDS::EventSubscription
AWS Config rule: rds-instance-event-notifications-configured (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether an existing Amazon RDS event subscription for database instances has notifications enabled for the following source type and event category key-value pairs:

DBInstance: ["maintenance","configuration change","failure"]

The control passes if there are no existing event subscriptions in your account.

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

REMEDIATION

To subscribe to RDS instance event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide. Use the following values:

Field                         Value
Source type                   Instances
Instances to include          All instances
Event categories to include   Select specific event categories or All event categories

[RDS.21] AN RDS EVENT NOTIFICATIONS SUBSCRIPTION SHOULD BE CONFIGURED FOR CRITICAL DATABASE PARAMETER GROUP EVENTS

Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2
Category: Detect > Detection services > Application monitoring
Severity: Low
Resource type: AWS::RDS::EventSubscription
AWS Config rule: rds-pg-event-notifications-configured (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type and event category key-value pairs:
DBParameterGroup: ["configuration change"]

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

REMEDIATION

To subscribe to RDS database parameter group event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide. Use the following values:

Field                         Value
Source type                   Parameter groups
Parameter groups to include   All parameter groups
Event categories to include   Select specific event categories or All event categories

[RDS.22] AN RDS EVENT NOTIFICATIONS SUBSCRIPTION SHOULD BE CONFIGURED FOR CRITICAL DATABASE SECURITY GROUP EVENTS

Related requirements: NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2
Category: Detect > Detection services > Application monitoring
Severity: Low
Resource type: AWS::RDS::EventSubscription
AWS Config rule: rds-sg-event-notifications-configured (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type and event category key-value pairs:

DBSecurityGroup: ["configuration change","failure"]

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response. For additional information about RDS event notifications, see Using Amazon RDS event notification in the Amazon RDS User Guide.

REMEDIATION

To subscribe to RDS instance event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide.
Use the following values:

Field                         Value
Source type                   Security groups
Security groups to include    All security groups
Event categories to include   Select specific event categories or All event categories

[RDS.23] RDS INSTANCES SHOULD NOT USE A DATABASE ENGINE DEFAULT PORT

Related requirements: NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)
Category: Protect > Secure network configuration
Severity: Low
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-no-default-ports (custom Security Hub rule)
Schedule type: Change triggered
Parameters: None

This control checks whether an RDS cluster or instance uses a port other than the default port of the database engine. The control fails if the RDS cluster or instance uses the default port.

If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance. The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.

When you change the port, you must also update the existing connection strings that were used to connect to the old port. You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.

REMEDIATION

To modify the default port of an existing RDS DB instance, see Modifying an Amazon RDS DB instance in the Amazon RDS User Guide. To modify the default port of an existing RDS DB cluster, see Modifying the DB cluster by using the console, CLI, and API in the Amazon Aurora User Guide. For Database port, change the port value to a non-default value.
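The four event-subscription controls (RDS.19 to RDS.22) share one evaluation rule: some enabled subscription must deliver the listed event categories for every resource of the given source type. The following Python is an added example, not AWS or Security Hub code. It runs over the `EventSubscriptionsList` entries returned by the RDS DescribeEventSubscriptions API (`aws rds describe-event-subscriptions`); the control text names the source types DBCluster, DBInstance, DBParameterGroup and DBSecurityGroup, which the API reports as `db-cluster`, `db-instance`, `db-parameter-group` and `db-security-group`. Two points are assumptions of this example rather than statements from the page: the "passes when the account has no subscriptions" rule, which the page states only for RDS.19 and RDS.20, is applied to all four controls; and a subscription with a non-empty `SourceIdsList` is treated as not covering the source type, following the remediation tables, which ask for "All clusters", "All instances", and so on. The sample response is constructed.

```python
"""Evaluate RDS event subscriptions against Security Hub controls RDS.19 to RDS.22.

Added example. Input mirrors the "EventSubscriptionsList" of the RDS
DescribeEventSubscriptions API response.
"""

# Control id -> (API source type, event categories the control text requires).
REQUIRED = {
    "RDS.19": ("db-cluster", {"maintenance", "failure"}),
    "RDS.20": ("db-instance", {"maintenance", "configuration change", "failure"}),
    "RDS.21": ("db-parameter-group", {"configuration change"}),
    "RDS.22": ("db-security-group", {"configuration change", "failure"}),
}


def subscription_covers(sub: dict, source_type: str, categories: set) -> bool:
    """True when this one subscription satisfies a control's requirement.

    - A disabled subscription never counts.
    - A missing SourceType means the subscription receives events of every type.
    - A non-empty SourceIdsList scopes it to named resources, so it does not
      cover "all" resources of the type (assumption taken from the remediation).
    - An empty EventCategoriesList means all categories are delivered.
    """
    if not sub.get("Enabled", False):
        return False
    sub_type = sub.get("SourceType")
    if sub_type and sub_type != source_type:
        return False
    if sub.get("SourceIdsList"):
        return False
    subscribed = set(sub.get("EventCategoriesList", []))
    return not subscribed or categories <= subscribed


def missing_categories(sub: dict, categories: set) -> set:
    """Categories a subscription lacks; handy when writing up the remediation."""
    subscribed = set(sub.get("EventCategoriesList", []))
    return set() if not subscribed else categories - subscribed


def evaluate_subscriptions(describe_output: dict) -> dict:
    """Return {control id: "PASSED" | "FAILED"} for a DescribeEventSubscriptions response."""
    subs = describe_output.get("EventSubscriptionsList", [])
    if not subs:
        # The page states this for RDS.19 and RDS.20; applied to all four here (assumption).
        return {ctl: "PASSED" for ctl in REQUIRED}
    return {
        ctl: "PASSED" if any(subscription_covers(s, st, cats) for s in subs) else "FAILED"
        for ctl, (st, cats) in REQUIRED.items()
    }


# Constructed sample response (the topic ARN and identifiers are invented).
SAMPLE_DESCRIBE_EVENT_SUBSCRIPTIONS = {
    "EventSubscriptionsList": [
        {   # satisfies RDS.20: all instances, required categories present
            "CustSubscriptionId": "rds-instance-alerts",
            "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-alerts",
            "SourceType": "db-instance",
            "SourceIdsList": [],
            "EventCategoriesList": ["maintenance", "configuration change", "failure", "availability"],
            "Enabled": True,
        },
        {   # does not satisfy RDS.19: scoped to one cluster and missing "failure"
            "CustSubscriptionId": "orders-cluster-maint",
            "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-alerts",
            "SourceType": "db-cluster",
            "SourceIdsList": ["orders-prod"],
            "EventCategoriesList": ["maintenance"],
            "Enabled": True,
        },
        {   # satisfies RDS.21: empty category list means every category
            "CustSubscriptionId": "pg-changes",
            "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-alerts",
            "SourceType": "db-parameter-group",
            "SourceIdsList": [],
            "EventCategoriesList": [],
            "Enabled": True,
        },
        {   # would satisfy RDS.22, but the subscription is disabled
            "CustSubscriptionId": "sg-changes",
            "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-alerts",
            "SourceType": "db-security-group",
            "SourceIdsList": [],
            "EventCategoriesList": ["configuration change", "failure"],
            "Enabled": False,
        },
    ]
}

if __name__ == "__main__":
    print(evaluate_subscriptions(SAMPLE_DESCRIBE_EVENT_SUBSCRIPTIONS))
```

Note that the "no subscriptions at all" case passes while a partially configured account fails; an account with zero subscriptions is not safer, it is simply outside what these controls measure, so treat a PASSED on an empty list as a gap to close rather than a clean result.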
[RDS.24] RDS DATABASE CLUSTERS SHOULD USE A CUSTOM ADMINISTRATOR USERNAME

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2
Category: Identify > Resource Configuration
Severity: Medium
Resource type: AWS::RDS::DBCluster
AWS Config rule: rds-cluster-default-admin-check
Schedule type: Change triggered
Parameters: None

This control checks whether an Amazon RDS database cluster has changed the admin username from its default value. The control does not apply to engines of the type neptune (Neptune DB) or docdb (DocumentDB). This rule will fail if the admin username is set to the default value.

When creating an Amazon RDS database, you should change the default admin username to a unique value. Default usernames are public knowledge and should be changed during RDS database creation. Changing the default usernames reduces the risk of unintended access.

REMEDIATION

To change the admin username associated with the Amazon RDS database cluster, create a new RDS database cluster and change the default admin username while creating the database.

[RDS.25] RDS DATABASE INSTANCES SHOULD USE A CUSTOM ADMINISTRATOR USERNAME

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2
Category: Identify > Resource Configuration
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-instance-default-admin-check
Schedule type: Change triggered
Parameters: None

This control checks whether you've changed the administrative username for Amazon Relational Database Service (Amazon RDS) database instances from the default value. The control does not apply to engines of the type neptune (Neptune DB) or docdb (DocumentDB). The control fails if the administrative username is set to the default value.

Default administrative usernames on Amazon RDS databases are public knowledge. When creating an Amazon RDS database, you should change the default administrative username to a unique value to reduce the risk of unintended access.
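The instance-level controls in this section (RDS.17 copy tags, RDS.18 VPC placement, RDS.23 non-default port and RDS.25 non-default administrator name) can all be evaluated from one DescribeDBInstances response. The following Python is an added example, not AWS or Security Hub code; it reads `DBInstances` entries as returned by `aws rds describe-db-instances`. The default-port table holds the well-known listener ports of each engine family, and the default-username table holds the administrator names the RDS console proposes; both are assumptions of this example, not values stated on this page, so verify them for your engine. The `neptune`/`docdb` exclusion for RDS.25 is from the control text. The sample response is constructed.

```python
"""Evaluate DB instances against Security Hub controls RDS.17, RDS.18, RDS.23 and RDS.25.

Added example. Input mirrors the "DBInstances" list of the RDS DescribeDBInstances API.
"""

PASSED, FAILED, NOT_APPLICABLE = "PASSED", "FAILED", "NOT_APPLICABLE"

# Assumption: well-known listener ports per engine family.
DEFAULT_PORTS = {
    "aurora-mysql": 3306, "aurora-postgresql": 5432, "mysql": 3306, "mariadb": 3306,
    "postgres": 5432, "oracle": 1521, "sqlserver": 1433,
}
# Assumption: administrator names the RDS console proposes when nothing is typed.
DEFAULT_ADMIN_USERS = {
    "aurora-mysql": "admin", "aurora-postgresql": "postgres", "mysql": "admin",
    "mariadb": "admin", "postgres": "postgres", "oracle": "admin", "sqlserver": "admin",
}
# Engines the control text explicitly leaves out of RDS.25.
ADMIN_CHECK_EXCLUDED = {"neptune", "docdb"}


def engine_family(engine: str) -> str:
    """Collapse engine names such as oracle-se2-cdb or sqlserver-web to a family key."""
    for family in ("aurora-mysql", "aurora-postgresql", "mysql", "mariadb",
                   "postgres", "oracle", "sqlserver"):
        if engine.startswith(family):
            return family
    return engine


def check_copy_tags(inst: dict) -> str:
    """RDS.17: snapshots must inherit the instance's tags."""
    return PASSED if inst.get("CopyTagsToSnapshot") else FAILED


def check_in_vpc(inst: dict) -> str:
    """RDS.18: an instance in a VPC carries a DBSubnetGroup with a VpcId."""
    return PASSED if inst.get("DBSubnetGroup", {}).get("VpcId") else FAILED


def check_default_port(inst: dict) -> str:
    """RDS.23: the listener must not sit on the engine's well-known port."""
    default = DEFAULT_PORTS.get(engine_family(inst.get("Engine", "")))
    port = inst.get("Endpoint", {}).get("Port") or inst.get("DbInstancePort")
    if default is None or not port:
        return NOT_APPLICABLE          # unknown engine, or no endpoint yet
    return FAILED if port == default else PASSED


def check_admin_username(inst: dict) -> str:
    """RDS.25: the master user must not be the engine's default name."""
    family = engine_family(inst.get("Engine", ""))
    if family in ADMIN_CHECK_EXCLUDED or family not in DEFAULT_ADMIN_USERS:
        return NOT_APPLICABLE
    # Compared case-insensitively so "Admin" is not mistaken for a custom name.
    if inst.get("MasterUsername", "").lower() == DEFAULT_ADMIN_USERS[family]:
        return FAILED
    return PASSED


def evaluate_instance(inst: dict) -> dict:
    """Return {control id: verdict} for one DBInstances entry."""
    return {
        "RDS.17": check_copy_tags(inst),
        "RDS.18": check_in_vpc(inst),
        "RDS.23": check_default_port(inst),
        "RDS.25": check_admin_username(inst),
    }


def evaluate_instances(describe_output: dict) -> dict:
    """Map every DBInstanceIdentifier in a DescribeDBInstances response to its verdicts."""
    return {i["DBInstanceIdentifier"]: evaluate_instance(i)
            for i in describe_output.get("DBInstances", [])}


# Constructed sample response (identifiers and VPC id are invented).
SAMPLE_DESCRIBE_DB_INSTANCES = {
    "DBInstances": [
        {   # hardened MySQL instance
            "DBInstanceIdentifier": "payments-prod", "Engine": "mysql",
            "MasterUsername": "pay_dba", "CopyTagsToSnapshot": True,
            "DBSubnetGroup": {"VpcId": "vpc-0123456789abcdef0"},
            "Endpoint": {"Port": 3307},
        },
        {   # PostgreSQL instance left at every default, outside a VPC
            "DBInstanceIdentifier": "legacy", "Engine": "postgres",
            "MasterUsername": "postgres", "CopyTagsToSnapshot": False,
            "Endpoint": {"Port": 5432},
        },
        {   # DocumentDB: port and admin-name checks do not apply
            "DBInstanceIdentifier": "docs-1", "Engine": "docdb",
            "MasterUsername": "docadmin", "CopyTagsToSnapshot": True,
            "DBSubnetGroup": {"VpcId": "vpc-0123456789abcdef0"},
            "Endpoint": {"Port": 27017},
        },
    ]
}

if __name__ == "__main__":
    for name, verdicts in evaluate_instances(SAMPLE_DESCRIBE_DB_INSTANCES).items():
        print(name, verdicts)
```

A FAILED under RDS.18 or RDS.25 cannot be fixed in place: the remediation text points to moving the instance to a VPC or recreating it with a custom administrator name, so the output of this script is a migration list rather than a set of attributes to toggle.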
REMEDIATION

To change the administrative username associated with an RDS database instance, first create a new RDS database instance. Change the default administrative username while creating the database.

[RDS.26] RDS DB INSTANCES SHOULD BE COVERED BY A BACKUP PLAN

Category: Recover > Resilience > Backups enabled
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)
Severity: Medium
Resource type: AWS::RDS::DBInstance
AWS Config rule: rds-resources-protected-by-backup-plan
Schedule type: Periodic
Parameters: None

This control evaluates if Amazon RDS DB instances are covered by a backup plan. This control fails if an RDS DB instance isn't covered by a backup plan.

AWS Backup is a fully managed backup service that centralizes and automates the backing up of data across AWS services. With AWS Backup, you can create backup policies called backup plans. You can use these plans to define your backup requirements, such as how frequently to back up your data and how long to retain those backups. Including RDS DB instances in a backup plan helps you protect your data from unintended loss or deletion.

REMEDIATION

To add an RDS DB instance to an AWS Backup backup plan, see Assigning resources to a backup plan in the AWS Backup Developer Guide.

[RDS.27] RDS DB CLUSTERS SHOULD BE ENCRYPTED AT REST

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type: AWS::RDS::DBCluster
AWS Config rule: rds-cluster-encrypted-at-rest
Schedule type: Change triggered
Parameters: None

This control checks if an RDS DB cluster is encrypted at rest. The control fails if an RDS DB cluster isn't encrypted at rest.
Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user can access it. Encrypting your RDS DB clusters protects your data and metadata against unauthorized access. It also fulfills compliance requirements for data-at-rest encryption of production file systems.

REMEDIATION

You can enable encryption at rest when you create an RDS DB cluster. You can't change encryption settings after creating a cluster. For more information, see Encrypting an Amazon Aurora DB cluster in the Amazon Aurora User Guide.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.