Amazon RDS Configuration Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: RDS-036

Monitor AWS RDS configuration changes. Amazon Relational Database Service (RDS) is a managed relational database service that makes it easier to set up, operate, and scale a relational database in the AWS cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, security patching and backups, freeing you up to focus entirely on your cloud applications. RDS is available on several database instance types, optimized for memory, performance and I/O, and provides you with six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle and Microsoft SQL Server. Cloud Conformity RTMA feature monitors and detects each RDS configuration change made in your AWS account, such as creating a new database instance, updating settings for a database instance, deleting a previously provisioned database instance, deleting a database snapshot or even removing metadata tags from an RDS resource. The activity detected by this Cloud Conformity RTMA rule could be any root/IAM user request initiated through AWS Management Console or any AWS API call sent using the AWS Command Line Interface (CLI) or the AWS SDKs, that triggers any of the Amazon RDS service actions listed below:

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring

Security



"CreateDBCluster" - Creates a new Amazon Aurora database cluster.

"CreateDBClusterSnapshot" - Creates a snapshot of a database cluster. This action applies only to Aurora clusters.

"CreateDBInstance" - Creates a new RDS database instance.

"CreateDBSecurityGroup" - Creates a new database security group. A database security group controls access to EC2-Classic database instances that are not running within a VPC.

"CreateDBSnapshot" - Creates an Amazon RDS database snapshot.

"ModifyDBCluster" - Modifies configuration settings for an existing Amazon Aurora database cluster.

"ModifyDBInstance" - Modifies configuration settings for an existing RDS database instance.

"CopyDBClusterSnapshot" - Creates a snapshot of an Amazon Aurora database cluster.

"CopyDBSnapshot" - Copies the specified RDS database snapshot.

"DeleteDBCluster" - Deletes a previously provisioned database cluster. This action only applies to Amazon Aurora database clusters.

"DeleteDBClusterSnapshot" - Deletes an Amazon Aurora database cluster snapshot.

"DeleteDBInstance" - Deletes a previously provisioned RDS database instance.

"DeleteDBSecurityGroup" - Deletes a database security group.

"DeleteDBSnapshot" - Deletes an RDS database snapshot. If the snapshot is being copied, the copy operation is terminated.

"RestoreDBClusterFromSnapshot" - Creates a new database cluster from a database cluster snapshot. This action only applies to Aurora database clusters.

"RestoreDBClusterToPointInTime" - Restores an Amazon Aurora database cluster to an arbitrary point in time.

"RestoreDBInstanceFromDBSnapshot" - Creates a new RDS database instance from a database snapshot.

"RestoreDBInstanceToPointInTime" - Restores an RDS database instance to an arbitrary point in time.

"RemoveTagsFromResource" - Removes metadata tags from an RDS resource such as a database instance, a database snapshot or an Amazon Aurora cluster.

In order to adhere to cloud security best practices and implement the principle of least privilege (i.e. the practice of providing every user, process and system the minimal amount of access required to perform successfully their desired task), Cloud Conformity strongly recommends that you avoid as much as possible to provide your non-privileged and non-administrator IAM users the permission to change the Amazon RDS resources configuration within your AWS account. The communication channels required for sending RTMA notifications when configuration changes are performed, can be configured within your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for Amazon RDS resources are SMS, Email, Slack, PagerDuty, Zendesk and ServiceNow.

Rationale

According to Shared Responsibility Model, Amazon Web Services is responsible for protecting the infrastructure that runs the AWS RDS resources within the AWS cloud. In contrast, your responsibilities include, among others, the security of your RDS resources and their configuration, the protection of your data, your organization's requirements when it comes to RDS databases, and any applicable laws and regulations. Therefore, using Cloud Conformity RTM feature to detect Amazon Relational Database Service (RDS) configuration changes will help you quickly mitigate any accidental or intentional modifications that can lead to unauthorized access to your databases, unexpected costs on your AWS bill or other security issues (e.g. data loss) that can heavily impact your applications.

References

Publication date Mar 20, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Amazon RDS Configuration Changes

Risk level: High