AWS RDS Best Practices

AWS Relational Database Service (RDS) enables you to quickly and easily launch, configure, operate, and scale relational databases. RDS provides cost-effective, scalable capacity while eliminating time-consuming database administration tasks. The following database engines are available in RDS:

  • Oracle
  • Microsoft SQL Server
  • Amazon Aurora
  • PostgreSQL
  • MySQL
  • MariaDB

Cloud Conformity checks the Amazon Relational Database Service (Amazon RDS) against the following rules:

Aurora Database Instance Accessibility
Ensure that all database instances within an AWS Aurora cluster have the same accessibility.

AWS RDS Auto Minor Version Upgrade
Ensure AWS RDS instances have the Auto Minor Version Upgrade feature enabled.

Enable AWS RDS Automated Backups
Ensure AWS RDS instances have Automated Backups feature enabled.

Enable Amazon Aurora Backtrack
Ensure that Amazon Aurora MySQL database clusters have backtracking enabled.

Enable RDS Copy Tags to Snapshots
Ensure that Amazon RDS instances have Copy Tags to Snapshots feature enabled.

AWS RDS Instance Class Generation
Ensure AWS RDS instances are using the latest generation of instance classes for cost and performance improvements.

Enable Event Subscriptions for DB Security Groups Events
Ensure RDS event subscriptions are enabled for DB security groups.

Enable AWS RDS Deletion Protection
Ensure Deletion Protection feature is enabled for your AWS RDS database instances.

AWS RDS Desired Instance Type
Ensure that there are fewer Amazon RDS instances than the established limit in your AWS account.

Enable AWS RDS Encryption
Ensure AWS RDS instances are encrypted to meet security and compliance requirements.

AWS RDS Free Storage Space
Identify RDS instances with low free storage space and scale them in order to optimize their performance.

Enable IAM Database Authentication
Ensure IAM Database Authentication feature is enabled for your AWS RDS MySQL and PostgreSQL database instances.

Total Number of Provisioned RDS Instances
Ensure that there are fewer Amazon RDS instances than the established limit in your AWS account.

Idle AWS RDS Instances
Identify idle AWS RDS database instances and terminate them to optimize AWS costs.

Enable Event Subscriptions for Instance Level Events
Ensure RDS event subscriptions are enabled for instance level events.

Enable AWS RDS Log Exports
Ensure Log Exports feature is enabled for your AWS RDS MySQL, Aurora and MariaDB database instances.

AWS RDS Multi-AZ
Ensure AWS RDS instances have the Multi-AZ feature enabled.

Overutilized AWS RDS Instances
Identify overutilized RDS instances and upgrade them in order to optimize database workload and response time.

Enable AWS RDS Performance Insights
Ensure Performance Insights feature is enabled for your Amazon RDS database instances.

Publicly Accessible RDS Instances
Ensure RDS database instances are not publicly accessible, which would expose them to security risks.

Use Data-Tier Security Group for RDS Databases
Ensure RDS database instances are configured to use the data-tier security group.

RDS Database Default Port
Ensure Amazon RDS database instances are not using the default ports.

Use AWS KMS Customer Master Keys for RDS encryption
Ensure RDS instances are encrypted with KMS CMKs in order to have full control over data encryption and decryption.

RDS General Purpose SSD Storage Type
Ensure RDS instances are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the RDS service costs.

RDS Instance Not In Public Subnet
Ensure no RDS database instances are running within AWS VPC public subnets.

RDS Database Master Username
Ensure AWS RDS instances are using secure and unique master usernames for their databases.

Enable AWS RDS Event Notifications
Ensure event notifications are enabled for your Amazon Relational Database Service (RDS) resources.

Amazon RDS Public Snapshots
Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.

AWS RDS Reserved Instances Failed Purchases
Ensure AWS RDS Reserved Instance purchases have not failed.

AWS RDS Reserved Instances Pending Purchases
Ensure Amazon RDS Reserved Instance purchases are not pending.

AWS RDS Reserved Instances Recent Purchases
Ensure RDS Reserved Instance purchases are regularly reviewed for cost optimization (informational).

AWS RDS Reserved Instances Purchase Recommendations
Upgrade RDS database instances to Reserved Instances (RIs) by following Cloud Conformity recommendations for purchasing RIs.

Unused RDS Reserved Instances
Ensure that your Amazon RDS Reserved Instances are being fully utilized.

RDS Reserved Instance Lease Expiration In The Next 30 Days
Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration.

RDS Reserved Instance Lease Expiration In The Next 7 Days
Ensure Amazon RDS Reserved Instances (RI) are renewed before expiration.

AWS RDS Sufficient Backup Retention Period
Ensure AWS RDS instances have sufficient backup retention period for compliance purposes.

Enable AWS RDS Transport Encryption
Ensure AWS RDS SQL Server instances have Transport Encryption feature enabled.

Underutilized AWS RDS Instances
Identify underutilized RDS instances and downsize them in order to optimize your AWS costs.

Unrestricted AWS RDS DB Security Group
Ensure there aren't any unrestricted DB security groups assigned to your RDS instances.