Benchmark: RDS
Description
This section contains recommendations for configuring RDS resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select RDS.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_rds
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_rds --share
Controls
- RDS Aurora clusters should have backtracking enabled
- Aurora MySQL DB clusters should have audit logging enabled
- RDS Aurora PostgreSQL clusters should not be exposed to local file read vulnerability
- RDS Aurora clusters should be protected by backup plan
- RDS DB clusters should have automatic minor version upgrade enabled
- RDS DB clusters should be configured to copy tags to snapshots
- RDS clusters should have deletion protection enabled
- RDS DB clusters should be encrypted with CMK
- RDS DB clusters should be encrypted at rest
- An RDS event notifications subscription should be configured for critical cluster events
- IAM authentication should be configured for RDS clusters
- RDS DB clusters should be configured for multiple Availability Zones
- RDS database clusters should use a custom administrator username
- RDS DB instance and cluster enhanced monitoring should be enabled
- RDS databases and clusters should not use a database engine default port
- RDS DB instance automatic minor version upgrade should be enabled
- RDS DB instance backup should be enabled
- RDS DB instances backup retention period should be greater than or equal to 7
- RDS DB instances CA certificates should not expire within next 7 days
- RDS DB instances should be integrated with CloudWatch logs
- RDS DB instances connections should be encrypted
- RDS DB instances should be configured to copy tags to snapshots
- RDS DB instances should have deletion protection enabled
- RDS DB instance encryption at rest should be enabled
- An RDS event notifications subscription should be configured for critical database instance events
- RDS DB instances should have iam authentication enabled
- RDS DB instances should be in a backup plan
- RDS instances should be deployed in a VPC
- Database logging should be enabled
- RDS DB instance multiple az should be enabled
- RDS database instances should use a custom administrator username
- RDS DB instances should not use public subnet
- RDS PostgreSQL DB instances should not be exposed to local file read vulnerability
- RDS DB instances should prohibit public access
- RDS DB instance should be protected by backup plan
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- RDS DB snapshots should be encrypted at rest
- RDS snapshots should prohibit public access