RDS/Aurora Security Report
Last updated
Last updated
Please watch demo video https://www.youtube.com/watch?v=6-KoWTIdLa8
You need to install this on a bastion host or ec2 machine which has access to your RDS instances. Once you install it , you need to configure your AWS cli before running the tool(access key , secret key , region etc..). Once AWS cli is configured you can execute command as shown below(NOTE – It only runs for one region at a time ). You need to select Option 3 for RDS
For each control you will get a PASS or FAIL as status . If it is FAIL you also can see the reason for failure . For example in below snapshot you can see that SNS topic control failed and the reason for failure is given
Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances . Databases are likely to hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access or disclosure
This check validates if all your RDS instances are encrypted or not . If you get a FAIL for this control it is a big red flag and it is highly recommended that you turn on encryption for your RDS instances
Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines
You can also manually validate with a cli command like below
aws rds describe-db-instances –region –db-instance-identifier –query ‘DBInstances[*].AutoMinorVersionUpgrade’
Ensure that no public-facing RDS database instances are provisioned in your AWS account and restrict unauthorized access in order to minimize security risks.
If any of your RDS instances are public facing , Kindly rectify this issue ASAP
Multi-AZ enables high availability – This check ensures that a failure of single instance will not impact your availability (Note – Multi-AZ may not be needed for test environments . It all depends on the criticality of app , business condition etc..)
You can also manually validate with a cli command like below
aws rds describe-db-instances –query “DBInstances[*].{MultiAZ:MultiAZ, DBInstanceIdentifier:DBInstanceIdentifier}”
It is better to have good backup retention policy set for your RDS instances – Having old backups will help you in recovering your data . This check ensures that your retention policy is set to a value equal or greater than 7 days
For the RDS event subscriptions to be able to send out notifications, a SNS topic should be created. Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.
This check ensures that you have sns topic and event subscriptions for your RDS instances
Below are some of the instance level events we check here – It is better to have event subscriptions for all of below
‘deletion’
‘failure’
‘failover’
‘low storage’
‘Maintenance’
‘notification’
This check ensures that event subscriptions are enabled for DB security groups. Security group controls the access to RDS instance and changing it should be notified