Benchmark: RDS
Overview
This section contains recommendations for configuring AWS RDS resources and options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select RDS.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_rds
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_rds --share
Controls
- 1 RDS snapshots should be private
- 2 RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
- 3 RDS DB instances should have encryption at rest enabled
- 4 RDS cluster snapshots and database snapshots should be encrypted at rest
- 5 RDS DB instances should be configured with multiple Availability Zones
- 6 Enhanced monitoring should be configured for RDS DB instances and clusters
- 7 RDS clusters should have deletion protection enabled
- 8 RDS DB instances should have deletion protection enabled
- 9 RDS DB instances should publish logs to CloudWatch Logs
- 10 IAM authentication should be configured for RDS instances
- 11 RDS instances should have automatic backups enabled
- 12 IAM authentication should be configured for RDS clusters
- 13 RDS automatic minor version upgrades should be enabled
- 14 Amazon Aurora clusters should have backtracking enabled
- 15 RDS DB clusters should be configured for multiple Availability Zones
- 16 RDS DB clusters should be configured to copy tags to snapshots
- 17 RDS DB instances should be configured to copy tags to snapshots
- 18 RDS instances should be deployed in a VPC
- 19 Existing RDS event notification subscriptions should be configured for critical cluster events
- 20 Existing RDS event notification subscriptions should be configured for critical database instance events
- 21 An RDS event notifications subscription should be configured for critical database parameter group events
- 22 An RDS event notifications subscription should be configured for critical database security group events
- 23 RDS databases and clusters should not use a database engine default port
- 24 RDS database clusters should use a custom administrator username
- 25 RDS database instances should use a custom administrator username
- 27 RDS DB clusters should be encrypted at rest
- 34 Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- 35 RDS DB clusters should have automatic minor version upgrade enabled