RDS Instance Counts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-024

Ensure that the number of RDS database instances provisioned in your AWS account has not reached the limit quota established by your organization for the RDS workload deployed. By default, Cloud Conformity sets a threshold value of 10 for the maximum number of provisioned database instances; however, you can adjust this threshold to your organization's requirements when enabling this rule. Once you define your own threshold for the maximum number of RDS instances that you need to run across all AWS regions, the Cloud Conformity engine will continuously check your account for RDS instances (including Read Replicas for Multi-AZ deployments), and when the number of instances reaches the specified count (threshold) you will be notified via the communication channels configured within your Cloud Conformity account. If the RDS limit quota defined for your AWS account is reached, you can raise an AWS support case requesting that the number of provisioned RDS instances be limited according to your requirements.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Monitoring and setting limits for the maximum number of RDS instances provisioned within your AWS account will help you better manage your database compute resources, prevent unexpected charges on your AWS bill, and act fast to mitigate attacks. For example, users within your organization can create more RDS resources than the number established in the company policy, exceeding the monthly budget allocated for cloud computing resources. Another example could be a misconfiguration in your CloudFormation templates that leads to creating more database instances than required. Furthermore, if your AWS account security has been compromised and the attacker is creating a large number of RDS resources within your account, you risk accruing significant AWS charges in a short period of time, which can affect your business.

Note: The threshold for the maximum number of RDS database instances per AWS account set for this conformity rule is 10 (default value).


Audit

To determine the number of RDS database instances (including RDS Read Replicas) currently available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard section, choose Instances.

04 Select All instances option from the Filter dropdown list to return the list with all RDS instances, including Read Replicas, provisioned within the selected region.

05 Check the total number of RDS instances available in the current AWS region, listed in the top-right section of the dashboard.

06 Change the AWS region from the navigation bar and repeat steps 4 and 5 for all other regions. If the total number of available RDS database instances provisioned in your AWS account is greater than 10, the recommended threshold has been exceeded; therefore you must take action and raise an AWS support case to limit the number of instances based on your requirements (see Remediation/Resolution section).

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all the RDS database instances (including RDS Read Replicas), available in the selected region:

aws rds describe-db-instances \
	--region us-east-1 \
	--query 'DBInstances[*].[DBInstanceIdentifier,ReadReplicaDBInstanceIdentifiers]'

02 The command output should return an array with the requested database instances:

[
    [
        "cc-mysql-prod-db",
        []
    ],
    [
        "cc-mysql-webdev-db",
        []
    ],
    [
        "cc-test-database",
        []
    ],

    ...

    [
        "cc-postgresql-db",
        []
    ],
    [
        "cc-internal-db",
        []
    ],
    [
        "cc-mariadb-project",
        []
    ]
]

03 Repeat steps 1 and 2 for all other AWS regions. Each command output should return an array with the instance identifiers, including Read Replica identifiers, available in the selected region. Each instance identifier returned represents an individual RDS database instance. If the total number of identifiers within all the arrays returned is greater than 10 (combined), the recommended limit threshold has been exceeded; therefore you must take action and raise an AWS support case to limit the number of RDS instances that can be provisioned in your account.
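The following script automates the CLI audit above across regions and applies the rule's threshold. It is an added example, not Conformity's own code; the per-region sample output and the region names are constructed, and the live collector assumes an installed AWS CLI with valid credentials.

```python
import json
import subprocess

# Constructed sample: what the page's describe-db-instances --query command returns
# for two regions (assumed identifiers, not real account data).
SAMPLE_OUTPUT = {
    "us-east-1": json.dumps([
        ["cc-mysql-prod-db", ["cc-mysql-prod-db-replica"]],
        ["cc-mysql-prod-db-replica", []],  # a read replica is itself a DB instance row
        ["cc-mysql-webdev-db", []],
        ["cc-test-database", []],
    ]),
    "eu-west-1": json.dumps([
        ["cc-postgresql-db", []],
        ["cc-internal-db", []],
        ["cc-mariadb-project", []],
    ]),
}

DEFAULT_THRESHOLD = 10  # Conformity default for rule RDS-024

def count_instances(query_output):
    """Count DB instances in one region's query output.
    Read replicas appear as their own rows in describe-db-instances, so counting
    the distinct first-column identifiers counts each replica exactly once and
    avoids double counting it via the source's ReadReplicaDBInstanceIdentifiers."""
    rows = json.loads(query_output)
    return len({row[0] for row in rows})

def evaluate(per_region_output, threshold=DEFAULT_THRESHOLD):
    """Sum instance counts over all regions and compare with the threshold."""
    counts = {region: count_instances(out) for region, out in per_region_output.items()}
    total = sum(counts.values())
    return {"per_region": counts, "total": total,
            "threshold": threshold, "exceeded": total > threshold}

def collect_live(regions):
    """Run the page's CLI command per region (needs AWS CLI + credentials; not run offline)."""
    query = "DBInstances[*].[DBInstanceIdentifier,ReadReplicaDBInstanceIdentifiers]"
    return {r: subprocess.check_output(
        ["aws", "rds", "describe-db-instances", "--region", r,
         "--output", "json", "--query", query], text=True) for r in regions}

if __name__ == "__main__":
    result = evaluate(SAMPLE_OUTPUT)
    for region, n in result["per_region"].items():
        print(f"{region}: {n} instance(s)")
    status = "EXCEEDED" if result["exceeded"] else "within limit"
    print(f"total {result['total']} vs threshold {result['threshold']}: {status}")
```

Replace SAMPLE_OUTPUT with collect_live([...]) over every enabled region to audit a real account.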

Remediation / Resolution

To build an AWS support case in order to limit the number of provisioned RDS database instances based on your requirements, perform the following actions:

Note: Requesting a limit for the number of RDS instances per region using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 In the left navigation panel, choose Create Case to create a new AWS support case.

04 On the Create Case page, perform the following:

  1. Under Regarding, select Service Limit Increase.
  2. Choose RDS from the Limit Type dropdown list.
  3. In the Request 1 section, perform the following actions:
    • From the Region dropdown list, select the AWS region where you need to limit the creation of RDS database instances.
    • Select DB Instances from the Limit dropdown list.
    • In the New limit value box, enter the limit value to request for the number of provisioned database instances.
  4. In the Use Case Description textbox, enter a small description where you explain the limit request so AWS support can evaluate your case faster.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services. A customer support representative will contact you shortly.

Publication date Sep 13, 2017