RDS Security Controls

Aurora MySQL Cluster (w/ Secrets Manager)

Configuration template to launch an Aurora cluster with MySQL compatibility and one or more instances. The template also creates a new DB subnet group that specifies the subnets in which the cluster instances are created, and a new AWS Secrets Manager secret to store the password.

Settings for customizing the template include:

  • RDS Settings:
    • Engine and Engine Version, DB Instance Type
    • (Aurora) Cluster Name and Number of Instances 
    • (RDS) Allocated Storage and Storage Type
    • (RDS) Enable Multi-AZ 
    • Encryption Storage and Deletion Protection
  • Create a new DB Subnet Group to specify the Subnet Ids for the RDS Cluster or Instance or reference an existing DB Subnet Group for the RDS Cluster or Instance
  • (Optional) Database Settings which include Database Name, Port, Username and Password
    • By default the password is a random string that is generated and stored in AWS Secrets Manager; edit the secret's properties using Edit Secret Settings
    • Optionally provide the password as clear-text (not recommended)
  • Maintenance and Backup options such as Backup Retention Period, preferred Backup and Maintenance Windows
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  DbSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      KmsKeyId: "alias/aws/secretsmanager"
      GenerateSecretString:
        ExcludeLowercase: false
        ExcludeNumbers: false
        ExcludePunctuation: false
        ExcludeUppercase: false
        PasswordLength: 32
        ExcludeCharacters: "/\"@\\"
  RdsDBSubnetGroup:
    Type: "AWS::RDS::DBSubnetGroup"
    Properties:
      DBSubnetGroupName: "custom-subnet-group"
      DBSubnetGroupDescription: "custom subnet group"
      SubnetIds:
        # Placeholder: supply the subnet IDs for the cluster instances before deploying
        - ""
  RdsCluster:
    Type: "AWS::RDS::DBCluster"
    Properties:
      Engine: "aurora-mysql"
      EngineVersion: "5.7.mysql_aurora.2.10.0"
      DBClusterIdentifier: "aurora-mysql-cluster"
      DBSubnetGroupName:
        Ref: "RdsDBSubnetGroup"
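      MasterUsername: "dbadmin"
      MasterUserPassword:
        # Dynamic reference: the password is resolved from the DbSecret secret
        # at deploy time and is never written into the template
        Fn::Sub: "{{resolve:secretsmanager:${DbSecret}}}"
      Port: "3306"
      # Storage encryption and deletion protection are both off in this
      # configuration, and backups are retained for one day
      StorageEncrypted: false
      BackupRetentionPeriod: 1
      DeletionProtection: false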
  RdsClusterInstance1:
    Type: "AWS::RDS::DBInstance"
    Properties:
      Engine: "aurora-mysql"
      DBClusterIdentifier:
        Ref: "RdsCluster"
      DBInstanceIdentifier: "aurora-mysql-clusterInstance1"
      DBInstanceClass: "db.t3.medium"
      DBSubnetGroupName:
        Ref: "RdsDBSubnetGroup"
Parameters: {}
Metadata: {}
Conditions: {}
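
A pre-deployment check for the security-relevant properties of the RdsCluster resource above, added here as an example and not part of the original template or its tooling. The function names, the finding labels and the 7-day backup threshold are assumptions; the embedded JSON is the page's RdsCluster transcribed from YAML.

```python
import json

# RdsCluster from the page's template, transcribed to JSON (CloudFormation
# accepts both formats) so the check needs only the standard library.
PAGE_TEMPLATE = json.loads(r'''
{"Resources": {"RdsCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {
  "Engine": "aurora-mysql",
  "MasterUsername": "dbadmin",
  "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${DbSecret}}}"},
  "StorageEncrypted": false,
  "BackupRetentionPeriod": 1,
  "DeletionProtection": false}}}}
''')
MIN_BACKUP_DAYS = 7  # assumed policy threshold, not a value from the page


def is_dynamic_reference(value):
    """True when the password is resolved from a secret store at deploy time."""
    if isinstance(value, dict):
        value = value.get("Fn::Sub", "")
        if isinstance(value, list):  # Fn::Sub list form: [string, {variables}]
            value = value[0] if value else ""
    return isinstance(value, str) and value.startswith(
        ("{{resolve:secretsmanager:", "{{resolve:ssm-secure:"))


def audit_clusters(template):
    """Return sorted (logical_id, finding) pairs for each AWS::RDS::DBCluster."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBCluster":
            continue
        props = res.get("Properties", {})
        def enabled(key):  # CloudFormation also accepts "true"/"false" strings
            return str(props.get(key, False)).lower() == "true"
        if not enabled("StorageEncrypted"):
            findings.append((name, "storage-not-encrypted"))
        if not enabled("DeletionProtection"):
            findings.append((name, "deletion-protection-off"))
        if int(props.get("BackupRetentionPeriod", 1)) < MIN_BACKUP_DAYS:
            findings.append((name, "short-backup-retention"))
        if "MasterUserPassword" in props and not is_dynamic_reference(
                props["MasterUserPassword"]):
            findings.append((name, "password-not-dynamic-reference"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, finding in audit_clusters(PAGE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run against the template as published, it reports the three weak cluster settings; the password finding appears only when the clear-text option is used instead of the Secrets Manager reference.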
