turbot/steampipe-mod-aws-compliance

Control: 43 RDS DB proxies should require TLS encryption for connections

Description

This control checks whether an Amazon RDS DB proxy requires TLS for all connections between the proxy and the underlying RDS DB instance. The control fails if the proxy doesn't require TLS for all connections between the proxy and the RDS DB instance.

Amazon RDS Proxy can act as an additional layer of security between client applications and underlying RDS DB instances. For example, you can connect to an RDS proxy using TLS 1.3, even if the underlying DB instance supports an older version of TLS. By using RDS Proxy, you can enforce strong authentication requirements for database applications.

Remediation

For information about changing the settings for an Amazon RDS proxy to require TLS, see Modifying an RDS proxy in the Amazon Relational Database Service User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_43

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_43 --share

SQL

This control uses a named query:

select
  db_proxy_arn as resource,
  case
    when require_tls then 'ok'
    else 'alarm'
  end as status,
  case
    when require_tls then title || ' requires TLS for all connections.'
    else title || ' does not require TLS for all connections.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_proxy;
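The same evaluation carried out in plain Python, as an added example that is not part of the Steampipe mod: it applies the control's logic (require_tls true gives ok, anything else gives alarm, with the same reason text) to records shaped like the DescribeDBProxies API response and derives the region and account_id dimensions from the proxy ARN. The sample records, ARNs and account id are constructed placeholders; treating a record with no RequireTLS value as alarm is an assumption made here so that an unexpected response cannot silently pass.

```python
"""Re-implementation of the 'RDS DB proxies should require TLS' check."""
from typing import Iterable

# Constructed sample records in the shape of DescribeDBProxies output.
# ARNs and the account id 111122223333 are placeholders, not real resources.
SAMPLE_PROXIES = [
    {"DBProxyName": "orders-proxy",
     "DBProxyArn": "arn:aws:rds:us-east-1:111122223333:db-proxy:prx-0000000000000001",
     "RequireTLS": True},
    {"DBProxyName": "reports-proxy",
     "DBProxyArn": "arn:aws:rds:us-east-1:111122223333:db-proxy:prx-0000000000000002",
     "RequireTLS": False},
    # Assumption for this example: a record without RequireTLS is treated as
    # not requiring TLS, so a malformed or truncated response still alarms.
    {"DBProxyName": "legacy-proxy",
     "DBProxyArn": "arn:aws:rds:eu-west-1:111122223333:db-proxy:prx-0000000000000003"},
]


def arn_dimensions(arn: str) -> dict:
    """Extract region and account_id from an RDS ARN
    (arn:partition:service:region:account:resource-type:resource)."""
    parts = arn.split(":")
    return {"region": parts[3], "account_id": parts[4]}


def evaluate_proxy(proxy: dict) -> dict:
    """Return one control result row: resource, status, reason, dimensions."""
    require_tls = proxy.get("RequireTLS") is True  # missing/None counts as False
    title = proxy["DBProxyName"]
    if require_tls:
        status = "ok"
        reason = f"{title} requires TLS for all connections."
    else:
        status = "alarm"
        reason = f"{title} does not require TLS for all connections."
    row = {"resource": proxy["DBProxyArn"], "status": status, "reason": reason}
    row.update(arn_dimensions(proxy["DBProxyArn"]))
    return row


def evaluate_proxies(proxies: Iterable[dict]) -> list:
    """Evaluate every proxy record, mirroring one row per resource in the SQL."""
    return [evaluate_proxy(p) for p in proxies]


def summarize(rows: Iterable[dict]) -> dict:
    """Count results per status, the figure a dashboard or report would show."""
    counts = {"ok": 0, "alarm": 0}
    for row in rows:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    results = evaluate_proxies(SAMPLE_PROXIES)
    for r in results:
        print(f"{r['status']:5}  {r['region']}  {r['resource']}  {r['reason']}")
    print(summarize(results))
```

Feeding real DescribeDBProxies output into evaluate_proxies gives the same ok/alarm split the control reports; the setting the Remediation section points to is the proxy's "Require Transport Layer Security" option (the --require-tls flag of aws rds modify-db-proxy in the CLI).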

Tags