RDS Security

AWS security controls to help protect Amazon RDS. Controls include IAM policies and Config rules.

A policy that allows restoring RDS databases. This policy also provides the permissions necessary to complete this action programmatically and in the console.

A policy that allows tag owners full access to RDS resources that they have tagged (Tag key: Owner, Tag Value: <IAM username>). This policy provides the permissions necessary to complete this action using the AWS...

An IAM policy that allows users to only launch RDS instances of a specific instance type and database engine (Default: t2.micro and mysql).

An IAM policy that grants permissions to allow a user to only create a DB instance that must use specific DB parameter group and DB security group.

An IAM policy that prevents a user from deleting a specific DB instance.

Checks whether storage encryption is enabled for your RDS DB instances.

Checks whether high availability is enabled for your RDS DB instances. (Note: This rule does not evaluate Amazon Aurora databases.)

Check that no RDS Instances are in Public Subnet.

A Config rule that checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.

A config rule that checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.

A config rule that checks whether the Amazon Relational Database Service instances are not publicaly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.

A security group that allows inbound access to a Maria DB instance.

A security group that allows inbound access to a Microsoft SQL server instance.

A security group that allows inbound access to a MySQL server instance.

A security group that allows inbound access to an Oracle server instance.

A security group that allows inbound access to an PostgreSQL server instance.