Benchmark: RDS
Description
This benchmark provides a set of controls that detect Terraform AWS RDS resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select RDS.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_aws_compliance.benchmark.rds
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_aws_compliance.benchmark.rds --share
Controls
- MemoryDB clusters should be encrypted with KMS CMK
- MemoryDB clusters should have encryption in transit enabled
- MemoryDB snapshots should be encrypted with KMS CMK
- RDS DB cluster activity stream should be encrypted with KMS CMK
- Amazon Aurora clusters should have backtracking enabled
- RDS DB clusters should be configured to copy tags to snapshots
- RDS clusters should have deletion protection enabled
- RDS DB clusters should be encrypted using KMS CMK
- RDS DB clusters should have encryption at rest enabled
- An RDS event notifications subscription should be configured for critical cluster events
- IAM authentication should be configured for RDS clusters
- RDS DB cluster instances should have auto minor version upgrade enabled
- RDS DB cluster instances should have performance insights enabled
- RDS DB cluster instances should have performance insights encrypted with KMS CMK
- RDS DB clusters should be configured for multiple Availability Zones
- RDS DB instance and cluster enhanced monitoring should be enabled
- RDS databases and clusters should not use a database engine default port
- RDS DB instance automatic minor version upgrade should be enabled
- RDS DB instance backup should be enabled
- RDS DB instances should be configured to copy tags to snapshots
- RDS DB instances should have deletion protection enabled
- RDS DB instance encryption at rest should be enabled
- An RDS event notifications subscription should be configured for critical database instance events
- RDS DB instances should have IAM authentication enabled
- Database logging should be enabled
- RDS DB instance Multi-AZ should be enabled
- RDS DB instances should have performance insights enabled
- RDS DB instances should have performance insights encrypted with KMS CMK
- RDS DB instances should prohibit public access
- RDS DB instances should use recent CA certificates
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- RDS DB snapshots should be encrypted with KMS CMK
- RDS DB snapshots should not be publicly accessible
- RDS Global Cluster (MySQL & PostgreSQL) should have encryption enabled
- RDS MySQL DB clusters should have audit logging enabled
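The Terraform fragment below is an added example, not part of the mod or its controls: it shows an aws_db_instance that would fail several of the instance-level controls above, beside a configuration that satisfies them. The identifiers, KMS key ARN and monitoring role ARN are placeholders; attribute names are those of the Terraform AWS provider.

```hcl
# Weak configuration: fails the public-access, encryption-at-rest, backup,
# deletion-protection, IAM-auth, Multi-AZ, logging and default-port controls.
resource "aws_db_instance" "weak" {
  identifier                  = "app-db-weak" # placeholder
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  publicly_accessible         = true
  skip_final_snapshot         = true
  # storage_encrypted, backup_retention_period and deletion_protection are
  # left at their defaults (false / 0 / false); port defaults to 5432.
}

# Hardened configuration: each commented line maps to one of the listed controls.
resource "aws_db_instance" "hardened" {
  identifier                  = "app-db" # placeholder
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = "app-db-final" # placeholder

  publicly_accessible                 = false  # prohibit public access
  port                                = 15432  # not the engine default port (5432)
  storage_encrypted                   = true   # encryption at rest
  kms_key_id                          = "arn:aws:kms:REGION:ACCOUNT:key/KEY_ID" # placeholder CMK
  deletion_protection                 = true   # deletion protection
  backup_retention_period             = 7      # backups enabled
  copy_tags_to_snapshot               = true   # copy tags to snapshots
  multi_az                            = true   # Multi-AZ
  auto_minor_version_upgrade          = true   # automatic minor version upgrade
  iam_database_authentication_enabled = true   # IAM authentication
  ca_cert_identifier                  = "rds-ca-rsa2048-g1" # recent CA certificate
  enabled_cloudwatch_logs_exports     = ["postgresql", "upgrade"] # database logging
  performance_insights_enabled        = true   # performance insights
  performance_insights_kms_key_id     = "arn:aws:kms:REGION:ACCOUNT:key/KEY_ID" # placeholder CMK
  monitoring_interval                 = 60     # enhanced monitoring
  monitoring_role_arn                 = "arn:aws:iam::ACCOUNT:role/rds-monitoring" # placeholder
}
```

Running the benchmark against a directory containing the first resource reports the corresponding controls as alarms; the second resource passes them.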