Best practice rules for Amazon Relational Database Service
AWS Relational Database Service (RDS) enables you to quickly and easily launch, configure, operate, and scale relational databases. RDS provides a cost-effective and scalable capacity while eliminating the need for time-consuming database administration tasks. The following database engines are available in RDS:
- Oracle
- Microsoft SQL Server
- Amazon Aurora
- PostgreSQL
- MySQL
- MariaDB
Trend Micro Cloud One™ – Conformity monitors Amazon Relational Database Service with the following rules:
- Amazon RDS Configuration Changes
Amazon Relational Database Service (RDS) configuration changes have been detected in your AWS account.
- Amazon RDS Public Snapshots
Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
- Aurora Database Instance Accessibility
Ensure that all database instances within an AWS Aurora cluster have the same accessibility.
- Backtrack
Ensure that Amazon Aurora MySQL database clusters have backtracking enabled.
- Cluster Deletion Protection
Ensure that Deletion Protection feature is enabled for your Aurora database clusters (provisioned and serverless).
- DB Instance Generation
Ensure AWS RDS instances are using the latest generation of instance classes for cost and performance improvements.
- Enable AWS RDS Transport Encryption
Ensure AWS RDS SQL Server instances have Transport Encryption feature enabled.
- Enable Amazon RDS Storage AutoScaling
Ensure that RDS Storage AutoScaling feature is enabled to support unpredictable database workload.
- Enable Aurora Cluster Copy Tags to Snapshots
Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled.
- Enable RDS Log Exports
Ensure Log Exports feature is enabled for your AWS RDS MySQL, Aurora and MariaDB database instances.
- Enable RDS Snapshot Encryption
Ensure that AWS RDS snapshots are encrypted to meet security and compliance requirements.
- Enable Serverless Log Exports
Ensure Log Exports feature is enabled for your Amazon Aurora Serverless databases.
- IAM Database Authentication for RDS
Ensure IAM Database Authentication feature is enabled for your AWS RDS MySQL and PostgreSQL database instances.
- Idle RDS Instance
Identify idle AWS RDS database instances and terminate them to optimize AWS costs.
- Instance Deletion Protection
Ensure Deletion Protection feature is enabled for your AWS RDS database instances.
- Instance Level Events Subscriptions
Ensure RDS event subscriptions are enabled for instance level events.
- Overutilized AWS RDS Instances
Identify overutilized RDS instances and upgrade them in order to optimize database workload and response time.
- Performance Insights
Ensure Performance Insights feature is enabled for your Amazon RDS database instances.
- RDS Auto Minor Version Upgrade
Ensure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.
- RDS Automated Backups Enabled
Ensure AWS RDS instances have Automated Backups feature enabled.
- RDS Copy Tags to Snapshots
Ensure that Amazon RDS instances have Copy Tags to Snapshots feature enabled.
- RDS Default Port
Ensure Amazon RDS database instances are not using the default ports.
- RDS Desired Instance Type
Ensure fewer Amazon RDS instances than the established limit in your AWS account.
- RDS Encrypted With KMS Customer Master Keys
Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption.
- RDS Encryption Enabled
Ensure AWS RDS instances are encrypted to meet security and compliance requirements.
- RDS Event Notifications
Ensure event notifications are enabled for your Amazon Relational Database Service (RDS) resources.
- RDS Free Storage Space
Identify RDS instances with low free storage space and scale them in order to optimize their performance.
- RDS General Purpose SSD
Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs.
- RDS Instance Counts
Ensure fewer Amazon RDS instances than the established limit in your AWS account.
- RDS Instance Not In Public Subnet
Ensure no RDS database instances are running within AWS VPC public subnets.
- RDS Master Username
Ensure AWS RDS instances are using secure and unique master usernames for their databases.
- RDS Multi-AZ
Ensure AWS RDS clusters have the Multi-AZ feature enabled.
- RDS Publicly Accessible
Ensure RDS database instances are not publicly accessible and prone to security risks.
- RDS Reserved DB Instance Lease Expiration In The Next 30 Days
Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration.
- RDS Reserved DB Instance Lease Expiration In The Next 7 Days
Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration.
- RDS Reserved DB Instance Payment Failed
Ensure AWS RDS Reserved Instance purchases have not failed.
- RDS Reserved DB Instance Payment Pending
Ensure Amazon RDS Reserved Instance purchases are not pending.
- RDS Reserved DB Instance Recent Purchases
Ensure RDS Reserved Instance purchases are regularly reviewed for cost optimization (informational).
- RDS Sufficient Backup Retention Period
Ensure AWS RDS instances have sufficient backup retention period for compliance purposes.
- Security Groups Events Subscriptions
Ensure RDS event subscriptions are enabled for DB security groups.
- Underutilized RDS Instance
Identify underutilized RDS instances and downsize them in order to optimize your AWS costs.
- Unrestricted DB Security Group
Ensure there aren’t any unrestricted DB security groups assigned to your RDS instances.
- Unused RDS Reserved Instances
Ensure that your Amazon RDS Reserved Instances are being fully utilized.
- Use AWS Backup Service in Use for Amazon RDS
Ensure that Amazon Backup service is used to manage AWS RDS database snapshots.