Best practice rules for Amazon Relational Database Service
Amazon Relational Database Service (RDS) enables you to quickly and easily launch, configure, operate, and scale relational databases. RDS provides cost-effective, resizable capacity while eliminating the need for time-consuming database administration tasks. The following database engines are available in RDS:
- Oracle
- Microsoft SQL Server
- Amazon Aurora
- PostgreSQL
- MySQL
- MariaDB
- Amazon RDS Configuration Changes: Amazon Relational Database Service (RDS) configuration changes have been detected in your AWS account.
- Amazon RDS Public Snapshots: Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
- Aurora Database Cluster Activity Streams: Ensure that Amazon Aurora clusters are configured to use database activity streams.
- Aurora Database Instance Accessibility: Ensure that all database instances within an Amazon Aurora cluster have the same accessibility.
- Backtrack: Enable Amazon Aurora Backtrack.
- Cluster Deletion Protection: Enable AWS RDS Cluster Deletion Protection.
- DB Instance Generation: Ensure you always use the latest generation of DB instances to get better performance at lower cost.
- Enable AWS RDS Transport Encryption: Ensure AWS RDS SQL Server and PostgreSQL instances have the Transport Encryption feature enabled.
- Enable Aurora Cluster Copy Tags to Snapshots: Ensure that Amazon Aurora clusters have the Copy Tags to Snapshots feature enabled.
- Enable Deletion Protection for Aurora Serverless Clusters: Ensure that the Deletion Protection feature is enabled for your Aurora Serverless clusters.
- Enable Instance Storage AutoScaling: Ensure that the Storage AutoScaling feature is enabled to support unpredictable database workloads.
- Enable RDS Snapshot Encryption: Ensure that AWS RDS snapshots are encrypted to meet security and compliance requirements.
- Enable Serverless Log Exports: Ensure the Log Exports feature is enabled for your Amazon Aurora Serverless databases.
- IAM Database Authentication: Enable IAM Database Authentication.
- Idle RDS Instance: Identify idle AWS RDS database instances and terminate them to optimize AWS costs.
- Instance Deletion Protection: Enable AWS RDS Instance Deletion Protection.
- Instance Level Events Subscriptions: Enable Event Subscriptions for Instance Level Events.
- Log Exports: Enable AWS RDS Log Exports.
- Overutilized AWS RDS Instances: Identify overutilized RDS instances and upgrade them in order to optimize database workload and response time.
- Performance Insights: Enable AWS RDS Performance Insights.
- RDS Auto Minor Version Upgrade: Ensure Auto Minor Version Upgrade is enabled for RDS to automatically receive minor engine upgrades during the maintenance window.
- RDS Automated Backups Enabled: Ensure automated backups are enabled for RDS instances. This feature of Amazon RDS enables point-in-time recovery of your database instance.
- RDS Copy Tags to Snapshots: Enable RDS Copy Tags to Snapshots.
- RDS Default Port: Ensure Amazon RDS database instances aren't using the default ports.
- RDS Desired Instance Type: Ensure there are fewer Amazon RDS instances than the established limit in your AWS account.
- RDS Encrypted With KMS Customer Master Keys: Ensure RDS instances are encrypted with CMKs to have full control over encrypting and decrypting data.
- RDS Encryption Enabled: Ensure encryption is set up for RDS instances to fulfill compliance requirements for data-at-rest encryption.
- RDS Event Notifications: Enable event notifications for RDS.
- RDS Free Storage Space: Identify RDS instances with low free storage space and scale them in order to optimize their performance.
- RDS General Purpose SSD: Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize RDS service costs.
- RDS Instance Counts: Ensure there are fewer Amazon RDS instances than the established limit in your AWS account.
- RDS Instance Not In Public Subnet: Ensure that no AWS RDS database instances are provisioned inside VPC public subnets.
- RDS Master Username: Ensure AWS RDS instances are using secure and unique master usernames for their databases.
- RDS Multi-AZ: Ensure RDS instances are launched into Multi-AZ.
- RDS Publicly Accessible: Ensure RDS instances aren't public facing to minimize security risks.
- RDS Reserved DB Instance Lease Expiration In The Next 30 Days: Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration.
- RDS Reserved DB Instance Lease Expiration In The Next 7 Days: Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration.
- RDS Reserved DB Instance Payment Failed: Ensure AWS RDS Reserved Instance purchases have not failed.
- RDS Reserved DB Instance Payment Pending: Ensure Amazon RDS Reserved Instance purchases are not pending.
- RDS Reserved DB Instance Recent Purchases: Ensure RDS Reserved Instance purchases are regularly reviewed for cost optimization (informational).
- RDS Sufficient Backup Retention Period: Ensure RDS instances have a sufficient backup retention period for compliance purposes.
- Rotate SSL/TLS Certificates for Database Instances: Ensure that SSL/TLS certificates for RDS database instances are rotated according to the AWS schedule.
- Security Groups Events Subscriptions: Enable Event Subscriptions for DB Security Groups Events.
- Underutilized RDS Instance: Identify underutilized RDS instances and downsize them in order to optimize your AWS costs.
- Unrestricted DB Security Group: Ensure there aren't any unrestricted DB security groups assigned to your RDS instances.
- Unused RDS Reserved Instances: Ensure that your Amazon RDS Reserved Instances are being fully utilized.
- AWS Backup Service in Use for Amazon RDS: Ensure that the AWS Backup service is used to manage AWS RDS database snapshots.