RDS/Aurora Security Report

Please watch demo video https://www.youtube.com/watch?v=6-KoWTIdLa8

You need to install this on a bastion host or ec2 machine which has access to your RDS instances. Once you install it , you need to configure your AWS cli before running the tool(access key , secret key , region etc..). Once AWS cli is configured you can execute command as shown below(NOTE – It only runs for one region at a time ). You need to select Option 3 for RDS

How to read the json output file generated ?

For each control you will get a PASS or FAIL as status . If it is FAIL you also can see the reason for failure . For example in below snapshot you can see that SNS topic control failed and the reason for failure is given

Ensure that encryption is enabled for RDS instances

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances . Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure

This check validates if all your RDS instances are encrypted or not . If you get a FAIL for this control it is a big red flag and it is highly recommended that you turn on encryption for your RDS instances

Ensure that auto minor version upgrade is enabled for RDS instances

Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines

You can also manually validate with a cli command like below

aws rds describe-db-instances –region –db-instance-identifier –query ‘DBInstances[*].AutoMinorVersionUpgrade’

Ensure that public address is not given to RDS instance

Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks.

If any of your RDS instances are public facing , Kindly rectify this issue ASAP

Ensure that Multi-AZ enabled for high availability

Multi-AZ enables high availability – This check ensures that a failure of single instance will not impact your availability (Note – Multi-AZ may not be needed for test environments . It all depends on the criticality of app , business condition etc..)

You can also manually validate with a cli command like below

aws rds describe-db-instances –query “DBInstances[*].{MultiAZ:MultiAZ, DBInstanceIdentifier:DBInstanceIdentifier}”

Ensure Relational Database Service backup retention policy is set

It is better to have good backup retention policy set for your RDS instances – Having old backups will help you in recovering your data . This check ensures that your retention policy is set to a value equal or greater than 7 days

Ensure SNS topic is created for RDS events

For the RDS event subscriptions to be able to send out notifications, a SNS topic should be created. Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.

This check ensures that you have sns topic and event subscriptions for your RDS instances

Ensure RDS event subscriptions are enabled for Instance level events

Below are some of the instance level events we check here – It is better to have event subscriptions for all of below

• ‘deletion’

• ‘failure’

• ‘failover’

• ‘low storage’

• ‘Maintenance’

• ‘notification’

Ensure RDS event subscriptions are enabled for DB security groups

This check ensures that event subscriptions are enabled for DB security groups. Security group controls the access to RDS instance and changing it should be notified