From e5b86da6e50219130b2cfec62e361257ec6a16aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Mon, 12 Jan 2026 13:52:29 +0100 Subject: [PATCH] chore(aws): enhance metadata for `rds` service (#9551) Co-authored-by: Daniel Barranquero --- prowler/CHANGELOG.md | 1 + ...ds_cluster_backtrack_enabled.metadata.json | 38 ++++++++++------ ...uster_copy_tags_to_snapshots.metadata.json | 30 ++++++++----- ..._critical_event_subscription.metadata.json | 39 +++++++++------- .../rds_cluster_default_admin.metadata.json | 34 +++++++++----- ..._cluster_deletion_protection.metadata.json | 38 ++++++++++------ ...r_iam_authentication_enabled.metadata.json | 38 ++++++++++------ ..._integration_cloudwatch_logs.metadata.json | 32 ++++++++----- ...inor_version_upgrade_enabled.metadata.json | 37 +++++++++------ .../rds_cluster_multi_az.metadata.json | 34 ++++++++------ ...rds_cluster_non_default_port.metadata.json | 29 +++++++----- ...ter_protected_by_backup_plan.metadata.json | 37 ++++++++------- ...ds_cluster_storage_encrypted.metadata.json | 38 ++++++++++------ .../rds_instance_backup_enabled.metadata.json | 36 +++++++++------ ...tance_certificate_expiration.metadata.json | 32 ++++++++----- ...tance_copy_tags_to_snapshots.metadata.json | 31 ++++++++----- ..._critical_event_subscription.metadata.json | 36 +++++++++------ .../rds_instance_default_admin.metadata.json | 33 +++++++++----- ...instance_deletion_protection.metadata.json | 34 +++++++++----- ...ce_deprecated_engine_version.metadata.json | 36 +++++++++------ ..._enhanced_monitoring_enabled.metadata.json | 35 +++++++++------ ...ubscription_parameter_groups.metadata.json | 39 +++++++++------- ...subscription_security_groups.metadata.json | 35 +++++++++------ ...e_iam_authentication_enabled.metadata.json | 37 +++++++++------ .../rds_instance_inside_vpc.metadata.json | 34 ++++++++------ ..._integration_cloudwatch_logs.metadata.json | 32 ++++++++----- ...inor_version_upgrade_enabled.metadata.json | 34 ++++++++------ .../rds_instance_multi_az.metadata.json | 32 +++++++------ ...ds_instance_no_public_access.metadata.json | 32 ++++++++----- ...ds_instance_non_default_port.metadata.json | 30 ++++++++----- ...nce_protected_by_backup_plan.metadata.json | 36 +++++++++------ ...s_instance_storage_encrypted.metadata.json | 45 +++++++++++++------ ...instance_transport_encrypted.metadata.json | 29 +++++++----- .../rds_snapshots_encrypted.metadata.json | 35 +++++++++------ .../rds_snapshots_public_access.metadata.json | 28 ++++++++---- 35 files changed, 738 insertions(+), 438 deletions(-) diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 32d1c36f69..9752f86cec 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -41,6 +41,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update AWS Transfer service metadata to new format [(#9434)](https://github.com/prowler-cloud/prowler/pull/9434) - Update AWS S3 service metadata to new format [(#9552)](https://github.com/prowler-cloud/prowler/pull/9552) - Update AWS DataSync service metadata to new format [(#8854)](https://github.com/prowler-cloud/prowler/pull/8854) +- Update AWS RDS service metadata to new format [(#9551)](https://github.com/prowler-cloud/prowler/pull/9551) --- diff --git a/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.metadata.json index edcc73f639..438b51de95 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_backtrack_enabled/rds_cluster_backtrack_enabled.metadata.json @@ -1,30 +1,40 @@ { "Provider": "aws", "CheckID": "rds_cluster_backtrack_enabled", - "CheckTitle": "Check if RDS Aurora MySQL Clusters have backtrack enabled.", - "CheckType": [], + "CheckTitle": "RDS Aurora MySQL cluster has Backtrack enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", - "Severity": "medium", + "ResourceIdTemplate": "", + "Severity": "low", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Ensure that the Backtrack feature is enabled for your Amazon Aurora (with MySQL compatibility) database clusters in order to backtrack your clusters to a specific time, without using backups. Backtrack is an Amazon RDS feature that allows you to specify the amount of time that an Aurora MySQL database cluster needs to retain change records, in order to have a fast way to recover from user errors, such as dropping the wrong table or deleting the wrong row by moving your MySQL database to a prior point in time without the need to restore from a recent backup.", - "Risk": "Once the Backtrack feature is enabled, Amazon RDS can quickly 'rewind' your Aurora MySQL database cluster to a point in time that you specify. In contrast to the backup and restore method, with Backtrack you can easily undo a destructive action, such as a DELETE query without a WHERE clause, with minimal downtime, you can rewind your Aurora cluster in just few minutes, and you can repeatedly backtrack a database cluster back and forth in time to help determine when a particular data change occurred.", - "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-14", + "Description": "**Aurora MySQL DB clusters** have **Backtrack** configured with a non-zero `BacktrackWindow`, retaining change records to allow rewinding to a consistent earlier time. *Applies to `aurora-mysql` engines only.*", + "Risk": "Without **Backtrack**, destructive queries or admin mistakes can't be quickly undone, forcing snapshot/point-in-time restores. This increases recovery time, disrupts availability, and risks data **integrity** from partial restores or rollbacks.\n\nAdversaries who alter data can cause longer impact windows before containment.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-backtracking-enabled.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-14", + "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/backtrack.html#" + ], "Remediation": { "Code": { - "CLI": "aws rds restore-db-cluster-to-point-in-time --region --source-db-cluster-identifier --db-cluster-identifier --restore-type copy-on-write --use-latest-restorable-time --backtrack-window 86400", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/backtrack.html#", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/backtrack.html#", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/backtrack.html#" + "CLI": "aws rds restore-db-cluster-to-point-in-time --source-db-cluster-identifier --db-cluster-identifier --use-latest-restorable-time --backtrack-window 3600", + "NativeIaC": "```yaml\n# CloudFormation: Create Aurora MySQL cluster with Backtrack enabled\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: aurora-mysql\n MasterUsername: \"\"\n MasterUserPassword: \"\"\n BacktrackWindow: 3600 # CRITICAL: Enables Backtrack (seconds) so the check passes\n```", + "Other": "1. In the AWS Console, go to RDS > Databases and select the Aurora MySQL cluster\n2. Click Actions > Restore to point in time\n3. Choose Use latest restorable time\n4. Set Backtrack window (seconds) to a value > 0 (e.g., 3600)\n5. Enter a new DB cluster identifier and click Restore DB cluster\n6. Cut over applications to the new cluster", + "Terraform": "```hcl\n# Terraform: Aurora MySQL cluster with Backtrack enabled\nresource \"aws_rds_cluster\" \"\" {\n engine = \"aurora-mysql\"\n master_username = \"\"\n master_password = \"\"\n backtrack_window = 3600 # CRITICAL: Enables Backtrack (seconds) so the check passes\n}\n```" }, "Recommendation": { - "Text": "Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so. You cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled.", - "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-14" + "Text": "Enable **Backtrack** on Aurora MySQL clusters and set `BacktrackWindow` to meet RTO while balancing cost and workload. Use it with automated backups for **defense in depth** and resilience.\n\n*For clusters without Backtrack*, provision a clone or new cluster with it enabled; monitor usage and adjust the window as change rates evolve.", + "Url": "https://hub.prowler.com/check/rds_cluster_backtrack_enabled" } }, - "Categories": [], + "Categories": [ + "resilience" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.metadata.json index ad43624e4d..63838f4938 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_copy_tags_to_snapshots/rds_cluster_copy_tags_to_snapshots.metadata.json @@ -1,27 +1,33 @@ { "Provider": "aws", "CheckID": "rds_cluster_copy_tags_to_snapshots", - "CheckTitle": "Check if RDS DB clusters have copy tags to snapshots enabled", - "CheckType": [], + "CheckTitle": "RDS DB cluster has copy tags to snapshots enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", + "ResourceIdTemplate": "", "Severity": "low", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS DB clusters have copy tags to snapshots enabled, Aurora instances do not support this feature at instance level so those who are clustered will be scan by this check.", - "Risk": "If RDS clusters are not configured to copy tags to snapshots, it could lead to compliance issues as the snapshots will not inherit necessary metadata such as environment, owner, or purpose tags. This could result in inefficient tracking and management of RDS resources and their snapshots.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.CopyTags", + "Description": "**RDS DB clusters** are evaluated for the `CopyTagsToSnapshot` setting that propagates cluster tags to their DB snapshots.\n\n*Aurora tagging is configured at the cluster level; instance-level copying isn't supported.*", + "Risk": "**Missing tag propagation** leaves snapshots without consistent metadata, weakening **ABAC**, ownership tracking, and retention controls. This can allow overly broad access to backups, hinder incident scoping, and inflate costs-impacting **confidentiality** and operational governance.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-16", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.CopyTags" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-cluster --db-cluster-identifier --copy-tags-to-snapshot", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-16", - "Terraform": "" + "CLI": "aws rds modify-db-cluster --db-cluster-identifier --copy-tags-to-snapshot", + "NativeIaC": "```yaml\n# CloudFormation: enable copying tags to snapshots on an RDS DB cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n CopyTagsToSnapshot: true # CRITICAL: ensures cluster tags are copied to snapshots\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select the DB cluster and choose Modify\n3. Check Copy tags to snapshots\n4. Click Continue, then Apply changes", + "Terraform": "```hcl\n# Terraform: enable copying tags to snapshots on an RDS DB cluster\nresource \"aws_rds_cluster\" \"\" {\n copy_tags_to_snapshot = true # CRITICAL: ensures cluster tags are copied to snapshots\n}\n```" }, "Recommendation": { - "Text": "Ensure that the `CopyTagsToSnapshot` setting is enabled for all RDS clusters to propagate cluster tags to their snapshots for improved tracking and compliance.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.CopyTags" + "Text": "Enable `CopyTagsToSnapshot` on all applicable **RDS/Aurora clusters**.\n- Standardize required tags (owner, environment, data class)\n- Use **least privilege** and **ABAC** based on tags\n- Automate tagging and periodic audits so snapshots inherit metadata and lifecycle policies", + "Url": "https://hub.prowler.com/check/rds_cluster_copy_tags_to_snapshots" } }, "Categories": [], diff --git a/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.metadata.json index d41b20eab0..f0b819df1a 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_critical_event_subscription/rds_cluster_critical_event_subscription.metadata.json @@ -1,32 +1,39 @@ { "Provider": "aws", "CheckID": "rds_cluster_critical_event_subscription", - "CheckTitle": "Check if RDS Cluster critical events are subscribed.", + "CheckTitle": "RDS cluster event subscription is enabled for maintenance and failure categories", "CheckType": [ - "Software and Configuration Checks, AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:account", - "Severity": "low", - "ResourceType": "AwsAccount", - "ResourceGroup": "governance", - "Description": "Ensure that Amazon RDS event notification subscriptions are enabled for database cluster events, particularly maintenance and failure.", - "Risk": "Without event subscriptions for critical events, such as maintenance and failures, you may not be aware of issues affecting your RDS clusters, leading to downtime or security vulnerabilities.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html", + "ResourceIdTemplate": "", + "Severity": "medium", + "ResourceType": "AwsRdsEventSubscription", + "ResourceGroup": "database", + "Description": "**RDS event subscriptions** for the `db-cluster` source type are enabled and cover critical cluster event categories: **`maintenance`** and **`failure`** (or all cluster events).", + "Risk": "Without notifications for **cluster maintenance** and **failure**, teams may miss engine updates, failovers, or node crashes, impacting **availability** and increasing MTTR. Prolonged degraded states can cause replication lag and potential **data integrity** issues, hindering timely containment.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-19" + ], "Remediation": { "Code": { - "CLI": "aws rds create-event-subscription --source-type db-cluster --event-categories 'failure' 'maintenance' --sns-topic-arn ", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-19", - "Terraform": "" + "CLI": "aws rds create-event-subscription --subscription-name --sns-topic-arn --source-type db-cluster --event-categories maintenance failure --enabled", + "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::RDS::EventSubscription\n Properties:\n SnsTopicArn: # Critical: SNS topic to receive notifications\n SourceType: db-cluster # Critical: Scope to DB clusters\n EventCategories: # Critical: Subscribe to required categories only\n - maintenance\n - failure\n Enabled: true # Critical: Must be enabled to pass\n```", + "Other": "1. In the AWS Console, go to RDS > Event subscriptions > Create event subscription\n2. Name: enter \n3. Send notifications to: Choose existing Amazon SNS ARN and select \n4. Source type: select Clusters\n5. Event categories: select only Maintenance and Failure (unselect others)\n6. Ensure Enabled is on\n7. Click Create", + "Terraform": "```hcl\nresource \"aws_db_event_subscription\" \"\" {\n name = \"\"\n sns_topic = \"\" # Critical: SNS topic ARN\n source_type = \"db-cluster\" # Critical: Scope to clusters\n event_categories = [\"maintenance\", \"failure\"] # Critical: Required categories\n enabled = true # Critical: Must be enabled\n}\n```" }, "Recommendation": { - "Text": "To subscribe to RDS cluster event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html" + "Text": "Enable **event subscriptions** for RDS clusters that include `maintenance` and `failure`, delivered via **SNS** to monitored channels.\n- Enforce **least privilege** on topics\n- Separate topics per environment\n- Integrate with on-call/IR playbooks and test alerts\n- Add multiple recipients and escalation for **defense in depth**", + "Url": "https://hub.prowler.com/check/rds_cluster_critical_event_subscription" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.metadata.json index c01afd054a..b3a7075636 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_default_admin/rds_cluster_default_admin.metadata.json @@ -1,30 +1,40 @@ { "Provider": "aws", "CheckID": "rds_cluster_default_admin", - "CheckTitle": "Ensure that your Amazon RDS clusters are not using the default master username.", - "CheckType": [], + "CheckTitle": "RDS cluster master username is not admin or postgres", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "TTPs/Initial Access", + "TTPs/Credential Access" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Ensure that your Amazon RDS clusters are not using the default master username.", - "Risk": "Since admin is the Amazon's example for the RDS database master username and postgres is the default PostgreSQL master username. Many AWS customers will use this username for their RDS database instances in production. Malicious users can use this information to their advantage and frequently try to use default master username during brute-force attacks.", - "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-24", + "Description": "RDS DB clusters are evaluated for use of a **custom administrator username**, flagging clusters that use defaults such as `admin` or `postgres`.", + "Risk": "Using a well-known admin username simplifies **credential stuffing** and **brute-force** attempts. Attackers can focus on password guessing, increasing chances of compromise. A successful login enables data theft (**confidentiality**), unauthorized changes (**integrity**), and destructive operations or outages (**availability**).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-24" + ], "Remediation": { "Code": { "CLI": "", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#" + "NativeIaC": "```yaml\n# Create an RDS DB cluster with a custom admin username\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: aurora-mysql\n MasterUsername: # CRITICAL: use a non-default username (not \"admin\" or \"postgres\")\n MasterUserPassword: \n```", + "Other": "1. In the AWS console, go to RDS > Databases > Create database\n2. Choose Amazon Aurora and the same engine family as your current cluster\n3. Under Settings, set Master username to a custom value that is not \"admin\" or \"postgres\" (CRITICAL)\n4. Create the new cluster, migrate your workload to it, update application connections, then delete the old cluster", + "Terraform": "```hcl\n# Create an RDS DB cluster with a custom admin username\nresource \"aws_rds_cluster\" \"\" {\n cluster_identifier = \"\"\n engine = \"aurora-mysql\"\n master_username = \"\" # CRITICAL: non-default username (not admin/postgres)\n master_password = \"\"\n}\n```" }, "Recommendation": { - "Text": "To change the master username configured for your Amazon RDS database clusters you must re-create them and migrate the existing data.", - "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-24" + "Text": "Create databases with a **unique, non-default admin username** that doesn't reveal environment or org. Apply **least privilege** by using separate, non-admin accounts for applications. Prefer **IAM database authentication** and manage secrets centrally with rotation. Restrict admin access and monitor login attempts.", + "Url": "https://hub.prowler.com/check/rds_cluster_default_admin" } }, - "Categories": [], + "Categories": [ + "identity-access" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.metadata.json index c5516f84a5..b82b1cdd75 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_deletion_protection/rds_cluster_deletion_protection.metadata.json @@ -1,30 +1,40 @@ { "Provider": "aws", "CheckID": "rds_cluster_deletion_protection", - "CheckTitle": "Check if RDS clusters have deletion protection enabled.", - "CheckType": [], + "CheckTitle": "RDS cluster has deletion protection enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Effects/Data Destruction" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", - "Severity": "low", + "ResourceIdTemplate": "", + "Severity": "medium", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS clusters have deletion protection enabled.", - "Risk": "You can only delete clusters that do not have deletion protection enabled.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html", + "Description": "**RDS DB clusters** have **deletion protection** enabled (`deletion_protection=true`).", + "Risk": "Without **deletion protection**, a cluster can be removed by error or misuse, causing sudden **availability** loss and potential **data loss** if backups are outdated. Compromised identities or faulty automation can trigger destructive deletes, degrading **recoverability** and data **integrity**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-7" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-cluster --db-cluster-identifier --deletion-protection --apply-immediately", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-7", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled#terraform" + "CLI": "aws rds modify-db-cluster --db-cluster-identifier --deletion-protection", + "NativeIaC": "```yaml\n# CloudFormation: Enable deletion protection on an RDS DB Cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: aurora-mysql\n DeletionProtection: true # Critical: prevents cluster deletion and passes the check\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select the DB cluster (type: DB cluster)\n3. Click Modify\n4. Enable Deletion protection\n5. Choose Apply immediately and click Modify cluster", + "Terraform": "```hcl\n# Enable deletion protection on an existing RDS DB Cluster\nresource \"aws_rds_cluster\" \"\" {\n deletion_protection = true # Critical: prevents cluster deletion and passes the check\n}\n```" }, "Recommendation": { - "Text": "Enable deletion protection using the AWS Management Console for production DB clusters.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html" + "Text": "Enable **deletion protection** (`deletion_protection=true`) on production and other critical clusters. Enforce via IaC and organizational guardrails; apply **least privilege** to delete/modify actions; require **change control** and approvals. Maintain reliable **backups** to restore when protection must be lifted.", + "Url": "https://hub.prowler.com/check/rds_cluster_deletion_protection" } }, - "Categories": [], + "Categories": [ + "resilience" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.metadata.json index 163e831e38..090d62173a 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_iam_authentication_enabled/rds_cluster_iam_authentication_enabled.metadata.json @@ -1,30 +1,42 @@ { "Provider": "aws", "CheckID": "rds_cluster_iam_authentication_enabled", - "CheckTitle": "Check if RDS clusters have IAM authentication enabled.", - "CheckType": [], + "CheckTitle": "RDS cluster has IAM authentication enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "TTPs/Credential Access" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS clusters have IAM authentication enabled.", - "Risk": "Ensure that the IAM Database Authentication feature is enabled for your RDS database clusters in order to use the Identity and Access Management (IAM) service to manage database access to your MySQL and PostgreSQL database clusters. With this feature enabled, you don't have to use a password when you connect to your MySQL/PostgreSQL database, instead you can use an authentication token. An authentication token is a unique string of characters with a lifetime of 15 minutes that Amazon RDS generates on your request. IAM Database Authentication removes the need of storing user credentials within the database configuration, because authentication is managed externally using Amazon IAM.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html", + "Description": "**RDS DB clusters** on supported engines (MySQL/MariaDB/PostgreSQL/Aurora) have **IAM database authentication** enabled for database logins, indicating token-based access managed by IAM instead of static passwords.", + "Risk": "Without **IAM DB authentication**, databases depend on long-lived passwords. Stolen or reused creds can enable unauthorized connections, data exfiltration, and tampering, harming **confidentiality** and **integrity**. Lacking short-lived tokens and centralized revocation expands blast radius and weakens **access control**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/iam-database-authentication.html#", + "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.Enabling.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-12" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --region --db-instance-identifier --enable-iam-database-authentication --apply-immediately", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/iam-database-authentication.html#", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-12", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/iam-database-authentication.html#" + "CLI": "aws rds modify-db-cluster --db-cluster-identifier --enable-iam-database-authentication --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: Enable IAM authentication on an existing RDS/Aurora DB Cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n EnableIAMDatabaseAuthentication: true # Critical: turns on IAM DB auth for the cluster\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select the DB Cluster (not the instances)\n3. Click Modify\n4. In Database authentication, enable IAM database authentication\n5. Choose Apply immediately and click Modify cluster", + "Terraform": "```hcl\n# Enable IAM authentication on an existing RDS/Aurora cluster\nresource \"aws_rds_cluster\" \"\" {\n cluster_identifier = \"\"\n iam_database_authentication_enabled = true # Critical: enables IAM DB auth so the check passes\n}\n```" }, "Recommendation": { - "Text": "Enable IAM authentication for supported RDS clusters.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html" + "Text": "Enable **IAM database authentication** on supported clusters and enforce **least privilege**. Grant only necessary `rds-db:connect` permissions to specific principals, prefer role-based access for workloads to obtain short-lived tokens, require **TLS**, and deprecate static DB passwords. Pair with auditing and segmentation for **defense in depth**.", + "Url": "https://hub.prowler.com/check/rds_cluster_iam_authentication_enabled" } }, - "Categories": [], + "Categories": [ + "identity-access" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.metadata.json index 803989cb30..c6acca9336 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_integration_cloudwatch_logs/rds_cluster_integration_cloudwatch_logs.metadata.json @@ -1,27 +1,35 @@ { "Provider": "aws", "CheckID": "rds_cluster_integration_cloudwatch_logs", - "CheckTitle": "Check if RDS cluster is integrated with CloudWatch Logs.", - "CheckType": [], + "CheckTitle": "RDS cluster has CloudWatch Logs export enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS cluster is integrated with CloudWatch Logs. The types valid are Aurora MySQL, Aurora PostgreSQL, MySQL, PostgreSQL.", - "Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html", + "Description": "**RDS clusters** running Aurora MySQL, Aurora PostgreSQL, MySQL, or PostgreSQL are assessed for **CloudWatch Logs publishing**, confirming that database logs are exported to a CloudWatch Logs group.", + "Risk": "Without publishing to CloudWatch, database events lack centralized visibility and retention.\nBrute-force, SQL injection, or privilege misuse may go undetected, hindering forensics and response, risking data confidentiality and integrity and delaying recovery.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-34" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-cluster --db-cluster-identifier --cloudwatch-logs-export-configuration {'EnableLogTypes':['audit',error','general','slowquery']} --apply-immediately", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-34", - "Terraform": "" + "CLI": "aws rds modify-db-cluster --db-cluster-identifier --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"\"]}' --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: Enable CloudWatch Logs export for an RDS/Aurora DB cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: \n MasterUsername: \n MasterUserPassword: \n EnableCloudwatchLogsExports:\n - # CRITICAL: Enables at least one supported log type (e.g., 'error' for MySQL or 'postgresql' for PostgreSQL) to pass the check\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select your DB cluster and choose Modify\n3. Under Log exports, check at least one supported log type for your engine (e.g., error/general/slowquery/audit for MySQL, postgresql for PostgreSQL)\n4. Choose Continue, then Apply immediately, and click Modify cluster", + "Terraform": "```hcl\n# Terraform: Enable CloudWatch Logs export for an RDS/Aurora DB cluster\nresource \"aws_rds_cluster\" \"\" {\n engine = \"\"\n master_username = \"\"\n master_password = \"\"\n\n enabled_cloudwatch_logs_exports = [\n \"\" # CRITICAL: Enables at least one supported log type (e.g., \"error\" for MySQL or \"postgresql\" for PostgreSQL) to pass the check\n ]\n}\n```" }, "Recommendation": { - "Text": "Use CloudWatch Logs to perform real-time analysis of the log data. Create alarms and view metrics.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html" + "Text": "Publish RDS/Aurora logs to **CloudWatch Logs** and centralize analysis.\nSelect appropriate types (e.g., `error`, `general`, `slowquery`, `audit`), define retention, and create alarms. Limit log access with **least privilege** and integrate with SIEM for defense-in-depth monitoring.", + "Url": "https://hub.prowler.com/check/rds_cluster_integration_cloudwatch_logs" } }, "Categories": [ diff --git a/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.metadata.json index 08882bf0b9..87df083f42 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_minor_version_upgrade_enabled/rds_cluster_minor_version_upgrade_enabled.metadata.json @@ -1,30 +1,41 @@ { "Provider": "aws", "CheckID": "rds_cluster_minor_version_upgrade_enabled", - "CheckTitle": "Ensure RDS clusters have minor version upgrade enabled.", - "CheckType": [], + "CheckTitle": "RDS cluster has automatic minor version upgrades enabled", + "CheckType": [ + "Software and Configuration Checks/Patch Management", + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Ensure RDS clusters have minor version upgrade enabled.", - "Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.", - "RelatedUrl": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/", + "Description": "**RDS Multi-AZ DB clusters** are configured for **automatic minor engine upgrades** via `auto_minor_version_upgrade`.\n\nThe evaluation checks these clusters to see if this setting is enabled so preferred minor releases are applied during the maintenance window.", + "Risk": "Without automatic minor upgrades, clusters can miss **security patches**, enabling exploitation of known flaws (confidentiality). Unfixed defects may corrupt data (**integrity**) or trigger crashes and failovers (**availability**). Emergency patching raises downtime and operational risk.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/modify-multi-az-db-cluster.html", + "https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/Types/CreateDBClusterMessage.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-35" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-cluster --db-cluster-identifier --auto-minor-version-upgrade --apply-immediately", - "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#cloudformation", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-35", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#terraform" + "CLI": "aws rds modify-db-cluster --db-cluster-identifier --auto-minor-version-upgrade", + "NativeIaC": "```yaml\n# CloudFormation snippet to enable automatic minor version upgrades on an RDS DB cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n AutoMinorVersionUpgrade: true # Critical: enables automatic minor engine version upgrades to pass the check\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select your Multi-AZ DB cluster\n3. Click Modify\n4. Set Auto minor version upgrade to Enabled\n5. Click Continue, then Modify cluster", + "Terraform": "```hcl\n# Terraform snippet to enable automatic minor version upgrades on an RDS DB cluster\nresource \"aws_rds_cluster\" \"\" {\n cluster_identifier = \"\"\n auto_minor_version_upgrade = true # Critical: enables automatic minor engine version upgrades to pass the check\n}\n```" }, "Recommendation": { - "Text": "Enable auto minor version upgrade for all databases and environments.", - "Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/" + "Text": "Enable `auto_minor_version_upgrade` on **RDS Multi-AZ clusters** and align updates with approved maintenance windows. Validate changes in non-production, and document any exceptions with a strict manual patch cadence. This strengthens **defense in depth** and improves **availability**.", + "Url": "https://hub.prowler.com/check/rds_cluster_minor_version_upgrade_enabled" } }, - "Categories": [], + "Categories": [ + "vulnerabilities" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.metadata.json index 4a2c41c0de..78a4e0c0cd 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_multi_az/rds_cluster_multi_az.metadata.json @@ -1,31 +1,39 @@ { "Provider": "aws", "CheckID": "rds_cluster_multi_az", - "CheckTitle": "Check if RDS clusters have multi-AZ enabled.", - "CheckType": [], + "CheckTitle": "RDS cluster has Multi-AZ enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS clusters have multi-AZ enabled.", - "Risk": "In case of failure, with a single-AZ deployment configuration, should an availability zone specific database failure occur, Amazon RDS can not automatically fail over to the standby availability zone.", - "RelatedUrl": "https://aws.amazon.com/rds/features/multi-az/", + "Description": "**RDS DB clusters** are assessed for deployment across **multiple Availability Zones** (*Multi-AZ*), verifying that redundant instances exist to support **automatic failover** instead of a single-AZ configuration.", + "Risk": "A **single-AZ cluster** is a single point of failure. AZ outages, instance/storage faults, or maintenance can cause extended **downtime**, failed transactions, and worse **RTO/RPO**. Without cross-AZ replicas, recovery may require restores, increasing outage duration and risking service disruption and data consistency impacts.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-15", + "https://docs.amazonaws.cn/en_us/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html", + "https://aws.amazon.com/rds/features/multi-az/" + ], "Remediation": { "Code": { - "CLI": "aws rds create-db-cluster --db-cluster-identifier --multi-az true", - "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_73#cloudformation", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-15", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_73#terraform" + "CLI": "", + "NativeIaC": "```yaml\n# CloudFormation: create an RDS Multi-AZ DB cluster (non-Aurora)\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: mysql # CRITICAL: using mysql/postgres with the properties below creates a Multi-AZ DB cluster\n DBClusterInstanceClass: db.r6g.large # CRITICAL: required to make it a Multi-AZ DB cluster (creates 1 writer + 2 readers across AZs)\n AllocatedStorage: 100 # CRITICAL: required for Multi-AZ DB clusters\n Iops: 1000 # CRITICAL: required for Multi-AZ DB clusters\n StorageType: io1 # CRITICAL: required for Multi-AZ DB clusters\n MasterUsername: \n MasterUserPassword: \n```", + "Other": "1. In the AWS console, go to RDS > Databases > Create database\n2. Engine: select MySQL or PostgreSQL\n3. Under Availability and durability, select Multi-AZ DB cluster\n4. Enter DB cluster identifier and master credentials\n5. Choose a DB instance class and create the database\n6. Migrate data to this new Multi-AZ DB cluster and switch your applications to its endpoint", + "Terraform": "```hcl\n# Terraform: create an RDS Multi-AZ DB cluster (non-Aurora)\nresource \"aws_rds_cluster\" \"\" {\n cluster_identifier = \"\"\n engine = \"mysql\" # CRITICAL: mysql/postgres with the lines below creates a Multi-AZ DB cluster\n db_cluster_instance_class = \"db.r6g.large\" # CRITICAL: makes this a Multi-AZ DB cluster (1 writer + 2 readers across AZs)\n storage_type = \"io1\" # CRITICAL: required for Multi-AZ DB clusters\n allocated_storage = 100 # CRITICAL: required for Multi-AZ DB clusters\n iops = 1000 # CRITICAL: required for Multi-AZ DB clusters\n master_username = \"\"\n master_password = \"\"\n}\n```" }, "Recommendation": { - "Text": "Enable multi-AZ deployment for production databases.", - "Url": "https://aws.amazon.com/rds/features/multi-az/" + "Text": "Enable **Multi-AZ** for production DB clusters to ensure cross-AZ redundancy and **automatic failover**. Choose a model that meets your SLA (one standby or two readable standbys; Aurora spans 3 AZs). Place subnets in distinct AZs, implement connection retries, and regularly test failover to validate **RTO/RPO** and readiness.", + "Url": "https://hub.prowler.com/check/rds_cluster_multi_az" } }, "Categories": [ - "redundancy" + "resilience" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.metadata.json index 2eea7fd1c9..824cde1e6f 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_non_default_port/rds_cluster_non_default_port.metadata.json @@ -1,29 +1,34 @@ { "Provider": "aws", "CheckID": "rds_cluster_non_default_port", - "CheckTitle": "Check if RDS clusters are using non-default ports.", + "CheckTitle": "RDS cluster uses a non-default port for its database engine", "CheckType": [ - "Software and Configuration Checks/AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices/Network Reachability", + "TTPs/Discovery" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:cluster:db-cluster", + "ResourceIdTemplate": "", "Severity": "low", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Checks if an cluster uses a port other than the default port of the database engine. The control fails if the RDS cluster uses the default port.", - "Risk": "Using a default database port exposes the cluster to potential security vulnerabilities, as attackers are more likely to target known, commonly-used ports. This may result in unauthorized access to the database or increased susceptibility to automated attacks.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", + "Description": "**RDS DB clusters** are assessed for use of a **non-default database port**.\n\nEvaluation focuses on whether the cluster listens on the engine's well-known default port (e.g., `3306`, `5432`, `1433`, `1521`, `50000`) or on a custom port.", + "Risk": "Using a **default DB port** eases discovery via mass scans and banner-grabbing, enabling:\n- Engine-specific exploit attempts\n- Brute-force/credential-stuffing of logins\n- Targeted DDoS on the service\n\nImpacts: **confidentiality** (unauthorized reads), **integrity** (data changes), **availability** (service disruption).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-23" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-cluster --db-cluster-identifier --port ", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-23", - "Terraform": "" + "CLI": "aws rds modify-db-cluster --db-cluster-identifier --port --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: Set a non-default port on an RDS/Aurora DB cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: \n MasterUsername: \n MasterUserPassword: \n Port: # Critical: change to a non-default engine port to pass the check\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select your DB cluster (not an individual instance)\n3. Click Modify\n4. Set Database port to a non-default value for the engine\n5. Check Apply immediately\n6. Click Continue, then Modify cluster", + "Terraform": "```hcl\n# Terraform: Set a non-default port on an RDS/Aurora DB cluster\nresource \"aws_rds_cluster\" \"\" {\n engine = \"\"\n master_username = \"\"\n master_password = \"\"\n port = # Critical: use a non-default engine port to pass the check\n}\n```" }, "Recommendation": { - "Text": "Modify the RDS cluster to use a non-default port, and ensure that the security group permits access to the new port.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html" + "Text": "Use a **non-default port** and enforce **least-privilege** network access:\n- Allow only approved sources\n- Keep databases in private subnets\n- Require TLS and strong, centralized auth\n- Monitor failed connections\n\nUpdate application connection strings to the new `port` as part of defense-in-depth.", + "Url": "https://hub.prowler.com/check/rds_cluster_non_default_port" } }, "Categories": [], diff --git a/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.metadata.json index 39b4a84294..46429ed196 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_protected_by_backup_plan/rds_cluster_protected_by_backup_plan.metadata.json @@ -1,32 +1,39 @@ { "Provider": "aws", "CheckID": "rds_cluster_protected_by_backup_plan", - "CheckTitle": "Check if RDS clusters are protected by a backup plan.", + "CheckTitle": "RDS cluster is protected by an AWS Backup plan", "CheckType": [ - "Software and Configuration Checks, AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", - "Severity": "medium", - "ResourceType": "AwsRdsDbInstance", + "ResourceIdTemplate": "", + "Severity": "high", + "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS clusters are protected by a backup plan.", - "Risk": "Without a backup plan, RDS clusters are vulnerable to data loss, accidental deletion, or corruption. This could lead to significant operational disruptions or loss of critical data.", - "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html", + "Description": "**RDS DB clusters** are covered by an **AWS Backup backup plan** when resource assignments include the cluster, either explicitly, by tags, or via an appropriate resource scope.", + "Risk": "Lack of centralized backups enables irreversible **data loss** and **corruption**, reducing **availability** and **integrity**. Accidental deletion, ransomware, or bad changes may become unrecoverable. Weak retention or no immutability undermines rollback and can breach recovery objectives.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-26" + ], "Remediation": { "Code": { - "CLI": "aws backup create-backup-plan --backup-plan , aws backup tag-resource --resource-arn --tags Key=backup,Value=true", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-26", - "Terraform": "" + "CLI": "aws backup create-backup-selection --backup-plan-id --backup-selection '{\"SelectionName\":\"rds-clusters\",\"IamRoleArn\":\"arn:aws:iam:::role/service-role/AWSBackupDefaultServiceRole\",\"Resources\":[\"arn:aws:rds:*:*:cluster:*\"]}'", + "NativeIaC": "```yaml\n# CloudFormation: assign RDS clusters to an AWS Backup plan\nResources:\n :\n Type: AWS::Backup::BackupSelection\n Properties:\n BackupPlanId: \"\"\n BackupSelection:\n SelectionName: \"rds-clusters\"\n IamRoleArn: \"arn:aws:iam:::role/service-role/AWSBackupDefaultServiceRole\"\n Resources:\n - \"arn:aws:rds:*:*:cluster:*\" # Critical: includes all RDS clusters in the plan to mark them protected\n```", + "Other": "1. In the AWS Backup console, go to Settings > Service opt-in and enable RDS if it is not enabled.\n2. Go to Backup plans and select an existing plan (create a minimal plan if none exists).\n3. Click Assign resources.\n4. Set a name and choose IAM role: AWSBackupDefaultServiceRole.\n5. Under Resources, choose By resource ID and select the target RDS DB cluster (or use the ARN), then click Assign resources.\n6. The cluster now appears as protected by the backup plan.", + "Terraform": "```hcl\n# Assign RDS clusters to an existing AWS Backup plan\nresource \"aws_backup_selection\" \"\" {\n name = \"rds-clusters\"\n plan_id = \"\"\n iam_role_arn = \"arn:aws:iam:::role/service-role/AWSBackupDefaultServiceRole\"\n\n resources = [\n \"arn:aws:rds:*:*:cluster:*\" # Critical: includes all RDS clusters in the plan to pass the check\n ]\n}\n```" }, "Recommendation": { - "Text": "Create a backup plan for the RDS cluster to protect it from data loss, accidental deletion, or corruption.", - "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html" + "Text": "Include RDS clusters in an **AWS Backup backup plan**. Apply **defense in depth**: define schedules and retention, enable immutable vault controls and cross-Region copies, use tags for consistent coverage, enforce **least privilege** for backup roles, and regularly test restores to validate RPO/RTO.", + "Url": "https://hub.prowler.com/check/rds_cluster_protected_by_backup_plan" } }, - "Categories": [], + "Categories": [ + "resilience" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.metadata.json b/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.metadata.json index 9575463b3c..67267e6a47 100644 --- a/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.metadata.json +++ b/prowler/providers/aws/services/rds/rds_cluster_storage_encrypted/rds_cluster_storage_encrypted.metadata.json @@ -1,30 +1,40 @@ { "Provider": "aws", "CheckID": "rds_cluster_storage_encrypted", - "CheckTitle": "Check if RDS clusters storage is encrypted.", - "CheckType": [], + "CheckTitle": "RDS cluster storage is encrypted", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-cluster", - "Severity": "medium", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsRdsDbCluster", "ResourceGroup": "database", - "Description": "Check if RDS clusters storage is encrypted.", - "Risk": "If not enabled sensitive information at rest is not protected.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html", + "Description": "**RDS DB clusters** are assessed for **encryption at rest** via AWS KMS. It determines whether cluster storage-and related artifacts like automated backups and snapshots-are encrypted with a KMS key.", + "Risk": "Unencrypted clusters expose data on disk, logs, and snapshots to unauthorized reading if storage or backups are obtained. This compromises **confidentiality**, enables offline exfiltration from leaked snapshots, and can widen blast radius during incidents and migrations.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-27", + "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html#Overview.Encryption.Enabling", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html" + ], "Remediation": { "Code": { - "CLI": "aws rds create-db-cluster --db-cluster-identifier --db-cluster-class --engine --storage-encrypted true", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-27", - "Terraform": "" + "CLI": "", + "NativeIaC": "```yaml\n# CloudFormation: Create an encrypted RDS/Aurora DB cluster\nResources:\n :\n Type: AWS::RDS::DBCluster\n Properties:\n Engine: \n MasterUsername: \n MasterUserPassword: \n StorageEncrypted: true # Critical: enables encryption at rest for the cluster\n```", + "Other": "1. In the AWS Console, go to RDS > Databases > Create database\n2. Select your engine (Aurora or Multi-AZ DB cluster)\n3. In the configuration, enable Storage encryption (Enable encryption)\n4. Leave the KMS key as default (aws/rds or aws/aurora) unless you require a custom key\n5. Create the cluster, migrate traffic, then delete the unencrypted cluster", + "Terraform": "```hcl\n# Terraform: Create an encrypted RDS/Aurora DB cluster\nresource \"aws_rds_cluster\" \"\" {\n engine = \"\"\n master_username = \"\"\n master_password = \"\"\n storage_encrypted = true # Critical: enables encryption at rest for the cluster\n}\n```" }, "Recommendation": { - "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html#Overview.Encryption.Enabling" + "Text": "Create clusters with `StorageEncrypted=true` using **AWS KMS**, preferably **customer-managed keys**. Apply **least privilege** to key usage, enable rotation and monitoring, and separate key administration from DB operations. Ensure snapshots and cross-account copies remain encrypted for **defense in depth**.", + "Url": "https://hub.prowler.com/check/rds_cluster_storage_encrypted" } }, - "Categories": [], + "Categories": [ + "encryption" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.metadata.json index 50da9652bb..5c10c56b9c 100644 --- a/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_backup_enabled/rds_instance_backup_enabled.metadata.json @@ -1,30 +1,40 @@ { "Provider": "aws", "CheckID": "rds_instance_backup_enabled", - "CheckTitle": "Check if RDS instances have backup enabled.", - "CheckType": [], + "CheckTitle": "RDS instance has backup retention period greater than 0 days", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Effects/Data Destruction" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances have backup enabled.", - "Risk": "If backup is not enabled, data is vulnerable. Human error or bad actors could erase or modify data.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html", + "Description": "**RDS DB instances** are evaluated for **automated backups** by confirming the backup retention period is greater than `0` days, indicating point-in-time recovery is configured.", + "Risk": "Without automated backups, you lose **point-in-time recovery**, impacting **availability** and **integrity**.\n\nAccidental deletes, destructive queries, or compromised accounts can cause unrecoverable data loss and prolonged outages, preventing reliable rollback during incidents.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-automated-backups-enabled.html" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --db-instance-identifier --backup-retention-period 7 --apply-immediately", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-automated-backups-enabled.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-rds-instances-have-backup-policy#terraform" + "CLI": "aws rds modify-db-instance --db-instance-identifier --backup-retention-period 1 --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: enable automated backups on an RDS instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceClass: db.t3.micro\n Engine: mysql\n AllocatedStorage: 20\n MasterUsername: admin\n MasterUserPassword: \n BackupRetentionPeriod: 1 # CRITICAL: Enables automated backups (>0 days)\n```", + "Other": "1. Open the AWS Management Console and go to RDS > Databases\n2. Select the target DB instance and click Modify\n3. In Backup section, set Backup retention period to 1 day (or more)\n4. Check Apply immediately\n5. Click Continue (if shown) and then Modify DB instance", + "Terraform": "```hcl\n# Terraform: enable automated backups on an RDS instance\nresource \"aws_db_instance\" \"\" {\n allocated_storage = 20\n engine = \"mysql\"\n instance_class = \"db.t3.micro\"\n username = \"admin\"\n password = \"\"\n backup_retention_period = 1 # CRITICAL: Enables automated backups (>0 days)\n}\n```" }, "Recommendation": { - "Text": "Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html" + "Text": "Enable **automated backups** with retention > `0` aligned to RPO/RTO. Regularly test restores to validate **PITR**.\n\nApply **least privilege** to backup access, encrypt snapshots, and replicate critical backups to separate locations for **defense in depth** and resilient recovery.", + "Url": "https://hub.prowler.com/check/rds_instance_backup_enabled" } }, - "Categories": [], + "Categories": [ + "resilience" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.metadata.json b/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.metadata.json index 490008f1b7..b50ad339dd 100644 --- a/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_certificate_expiration/rds_instance_certificate_expiration.metadata.json @@ -1,27 +1,35 @@ { "Provider": "aws", "CheckID": "rds_instance_certificate_expiration", - "CheckTitle": "Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired.", - "CheckType": [], + "CheckTitle": "RDS instance SSL/TLS certificate has more than 3 months of validity remaining", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Patch Management", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "high", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "To maintain Amazon RDS database security and avoid interruption of the applications that are using RDS and/or Aurora databases, rotate the required SSL/TLS certificates and update the deprecated Certificate Authority (CA) certificates at the Amazon RDS instance level.", - "Risk": "Interruption of application if the certificate expires.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html", + "Description": "**RDS DB instances** are evaluated for **server certificate validity** windows, including default and **customer-managed certificates**. Certificates **expired** or **approaching expiration** (e.g., `<1 month`, `<3 months`, `3-6 months`, `>6 months`) are identified using the certificate `valid_till` date.", + "Risk": "Without timely rotation:\n- TLS failures block DB connections, impacting **availability**\n- Bypassed or weak validation enables **MITM**, risking **confidentiality** and **integrity**\n- Emergency changes increase **operational risk** and error rates", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rotate-rds-certificates.html" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --region us-east-1 --db-instance-identifier cc-project5-mysql-database --ca-certificate-identifier \"rds-ca-2019\" --apply-immediately", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rotate-rds-certificates.html", - "Terraform": "" + "CLI": "aws rds modify-db-instance --db-instance-identifier --ca-certificate-identifier rds-ca-rsa2048-g1 --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: update RDS instance CA to a current certificate\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n CACertificateIdentifier: rds-ca-rsa2048-g1 # CRITICAL: rotates to a valid CA to restore >3 months certificate validity\n```", + "Other": "1. In the AWS Console, go to RDS > Databases and select the DB instance\n2. Click Modify\n3. In Connectivity (or Certificate authority), select rds-ca-rsa2048-g1\n4. Check Apply immediately\n5. Click Continue (if shown) and then Modify DB instance", + "Terraform": "```hcl\n# Set a current CA on the RDS instance\nresource \"aws_db_instance\" \"\" {\n identifier = \"\"\n ca_cert_identifier = \"rds-ca-rsa2048-g1\" # CRITICAL: rotates to a valid CA to ensure certificate validity >3 months\n}\n```" }, "Recommendation": { - "Text": "To maintain Amazon RDS database security and avoid interruption of the applications that are using RDS and/or Aurora databases, rotate the required SSL/TLS certificates and update the deprecated Certificate Authority (CA) certificates at the Amazon RDS instance level.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html" + "Text": "Establish a **certificate lifecycle** for RDS:\n- Rotate server/CA certs well before expiry; avoid pinned or outdated CAs\n- Keep client trust stores current and enforce TLS with validation\n- Monitor expiry and automate alerts/rotation\n- For custom certs, apply **least privilege**, **separation of duties**, and periodic key rotation; test changes", + "Url": "https://hub.prowler.com/check/rds_instance_certificate_expiration" } }, "Categories": [ diff --git a/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.metadata.json b/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.metadata.json index 5711cbdff2..4258b0d101 100644 --- a/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_copy_tags_to_snapshots/rds_instance_copy_tags_to_snapshots.metadata.json @@ -1,27 +1,34 @@ { "Provider": "aws", "CheckID": "rds_instance_copy_tags_to_snapshots", - "CheckTitle": "Check if RDS DB instances have copy tags to snapshots enabled", - "CheckType": [], + "CheckTitle": "RDS DB instance has copy tags to snapshots enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "low", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS DB instances have copy tags to snapshots enabled, Aurora instances can not have this feature enabled at this level, they will have it at cluster level", - "Risk": "If RDS instances are not configured to copy tags to snapshots, it could lead to compliance issues as the snapshots will not inherit necessary metadata such as environment, owner, or purpose tags. This could result in inefficient tracking and management of RDS resources and their snapshots.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.CopyTags", + "Description": "**RDS DB instances** are assessed for propagating instance tags to their **DB snapshots** using `CopyTagsToSnapshot`.\n\n*Aurora engines manage this at the cluster level and aren't evaluated per instance.*", + "Risk": "Snapshots without inherited tags lose ownership, environment, and sensitivity context, degrading visibility and governance. Missing metadata weakens **ABAC**, cost allocation, and lifecycle policies, enabling unintended backup access, orphaned snapshots, and retention drift that impact confidentiality and availability.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enable-tags-snapshot-rds-instance.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-17", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/copy-tags-to-snapshot.html" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --db-instance-identifier --copy-tags-to-snapshot", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-17", - "Terraform": "" + "CLI": "aws rds modify-db-instance --db-instance-identifier --copy-tags-to-snapshot --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: enable copying tags to snapshots on an RDS DB instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n CopyTagsToSnapshot: true # Critical: ensures DB instance tags are copied to snapshots\n```", + "Other": "1. In the AWS Console, go to RDS > Databases and select the non-Aurora DB instance\n2. Click Modify\n3. Under Additional configuration, enable Copy tags to snapshots\n4. Check Apply immediately and click Modify DB instance", + "Terraform": "```hcl\n# Terraform: enable copying tags to snapshots on an RDS DB instance\nresource \"aws_db_instance\" \"\" {\n copy_tags_to_snapshot = true # Critical: ensures DB instance tags are copied to snapshots\n}\n```" }, "Recommendation": { - "Text": "Ensure that the `CopyTagsToSnapshot` setting is enabled for all RDS instances to propagate instance tags to their snapshots for improved tracking and compliance.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html" + "Text": "Enable `CopyTagsToSnapshot` on non-Aurora RDS instances so snapshots inherit required metadata. Establish a consistent **tag taxonomy** and automate enforcement to support **least privilege** via ABAC, cost tracking, and retention controls. For Aurora, configure tag copy at the cluster level.", + "Url": "https://hub.prowler.com/check/rds_instance_copy_tags_to_snapshots" } }, "Categories": [], diff --git a/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.metadata.json b/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.metadata.json index e26e7b984a..97f17a6a96 100644 --- a/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_critical_event_subscription/rds_instance_critical_event_subscription.metadata.json @@ -1,32 +1,40 @@ { "Provider": "aws", "CheckID": "rds_instance_critical_event_subscription", - "CheckTitle": "Check if RDS Instances events are subscribed.", + "CheckTitle": "RDS instance event subscription is enabled for maintenance, configuration change, and failure categories", "CheckType": [ - "Software and Configuration Checks, AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", - "Severity": "low", + "ResourceIdTemplate": "", + "Severity": "medium", "ResourceType": "AwsRdsEventSubscription", "ResourceGroup": "database", - "Description": "Ensure that Amazon RDS event notification subscriptions are enabled for database database events, particularly maintenance, configuration change and failure.", - "Risk": "Without event subscriptions for critical events, such as maintenance, configuration changes and failures, you may not be aware of issues affecting your RDS instances, leading to downtime or security vulnerabilities.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html", + "Description": "**RDS event subscriptions** for DB instances are assessed for coverage of the critical categories `maintenance`, `configuration change`, and `failure`.\n\nThe evaluation looks for enabled `db-instance` subscriptions and confirms these categories are included or that all events are selected.", + "Risk": "Without these notifications, critical DB events go unseen, undermining **availability** and **integrity**. Missed outages, unexpected restarts, or silent parameter changes can delay response, prolong downtime, corrupt data flows, and leave misconfigurations unaddressed.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-instance-level-events.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-20" + ], "Remediation": { "Code": { - "CLI": "aws rds create-event-subscription --source-type db-instance --event-categories 'failure' 'maintenance' 'configuration change' --sns-topic-arn ", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-20", - "Terraform": "" + "CLI": "aws rds create-event-subscription --subscription-name --sns-topic-arn --source-type db-instance --event-categories \"maintenance\" \"configuration change\" \"failure\"", + "NativeIaC": "```yaml\n# CloudFormation: RDS DB instance event subscription\nResources:\n :\n Type: AWS::RDS::EventSubscription\n Properties:\n SnsTopicArn: # critical: SNS topic to receive notifications\n SourceType: db-instance # critical: subscribe to DB instance events\n EventCategories: # critical: required categories for PASS\n - maintenance\n - configuration change\n - failure\n```", + "Other": "1. Open the AWS Console and go to RDS\n2. In the left menu, select Event subscriptions > Create event subscription\n3. Send notifications to: select an existing SNS topic ()\n4. Source type: choose Instances\n5. Event categories: select Maintenance, Configuration change, and Failure\n6. Create the subscription", + "Terraform": "```hcl\n# Terraform: RDS DB instance event subscription\nresource \"aws_db_event_subscription\" \"\" {\n name = \"\"\n sns_topic = \"\"\n source_type = \"db-instance\" # critical: DB instance events\n event_categories = [\"maintenance\", \"configuration change\", \"failure\"] # critical: required categories\n}\n```" }, "Recommendation": { - "Text": "To subscribe to RDS instance event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html" + "Text": "Establish and sustain **RDS event subscriptions** for `db-instance` that include `maintenance`, `configuration change`, and `failure`.\n- Deliver to monitored channels (ticketing/chat/paging)\n- Enforce **least privilege** on topics\n- Test alert delivery and runbooks\n- Periodically review coverage across Regions", + "Url": "https://hub.prowler.com/check/rds_instance_critical_event_subscription" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.metadata.json b/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.metadata.json index 2f4ae743c4..ce8b7b036b 100644 --- a/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_default_admin/rds_instance_default_admin.metadata.json @@ -1,30 +1,39 @@ { "Provider": "aws", "CheckID": "rds_instance_default_admin", - "CheckTitle": "Ensure that your Amazon RDS instances are not using the default master username.", - "CheckType": [], + "CheckTitle": "RDS instance does not use the default master username (admin or postgres)", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "TTPs/Credential Access" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Ensure that your Amazon RDS instances are not using the default master username.", - "Risk": "Since admin is the Amazon's example for the RDS database master username and postgres is the default PostgreSQL master username. Many AWS customers will use this username for their RDS database instances in production. Malicious users can use this information to their advantage and frequently try to use default master username during brute-force attacks.", - "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-25", + "Description": "**RDS DB instances** are evaluated for use of a **custom administrator username**. The finding identifies instances or clusters where the admin user matches common defaults like `admin` or `postgres` (checked at the instance or cluster level).", + "Risk": "Using a predictable admin name enables **password spraying**, **credential stuffing**, and username **enumeration**. A successful login can expose data (**confidentiality**), allow tampering (**integrity**), and disrupt service (**availability**). Defaults also attract automated scans targeting known usernames.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-25", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#" + ], "Remediation": { "Code": { "CLI": "", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-master-username.html#" + "NativeIaC": "```yaml\n# CloudFormation: Create an RDS instance with a non-default master username\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n Engine: mysql\n DBInstanceClass: db.t3.micro\n AllocatedStorage: 20\n MasterUsername: # Critical: use a custom admin username (not \"admin\" or \"postgres\")\n MasterUserPassword: \n```", + "Other": "1. In the AWS Console, go to RDS > Databases and click Create database\n2. Choose your engine and select Standard create\n3. In Settings, set Master username to a value that is not \"admin\" or \"postgres\"\n4. Complete creation and note the new endpoint\n5. Migrate data from the old instance to the new one (e.g., dump/restore or replication)\n6. Update applications to use the new endpoint, then delete the old instance\n7. If the instance is part of an Aurora cluster, create a new cluster with a non-default master username and migrate to it", + "Terraform": "```hcl\n# Terraform: Create an RDS instance with a non-default master username\nresource \"aws_db_instance\" \"\" {\n engine = \"mysql\"\n instance_class = \"db.t3.micro\"\n allocated_storage = 20\n username = \"\" # Critical: custom admin username (not \"admin\" or \"postgres\")\n password = \"\"\n}\n```" }, "Recommendation": { - "Text": "To change the master username configured for your Amazon RDS database instances you must re-create them and migrate the existing data.", - "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-25" + "Text": "Adopt a **unique, non-default admin username** for each database and avoid enabling default accounts.\n- Enforce **least privilege** with separate admin and app users\n- Use strong, rotated secrets in a manager and prefer **IAM DB authentication**\n- Restrict network exposure and audit authentication activity", + "Url": "https://hub.prowler.com/check/rds_instance_default_admin" } }, - "Categories": [], + "Categories": [ + "identity-access" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.metadata.json b/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.metadata.json index a1643359b6..7c406bef48 100644 --- a/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_deletion_protection/rds_instance_deletion_protection.metadata.json @@ -1,30 +1,40 @@ { "Provider": "aws", "CheckID": "rds_instance_deletion_protection", - "CheckTitle": "Check if RDS instances have deletion protection enabled.", - "CheckType": [], + "CheckTitle": "RDS instance has deletion protection enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Effects/Data Destruction" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances have deletion protection enabled.", - "Risk": "You can only delete instances that do not have deletion protection enabled.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html", + "Description": "**RDS DB instances** are assessed for **deletion protection**. If an instance belongs to an Aurora cluster, the setting is evaluated at the cluster level; otherwise, it is evaluated on the instance itself.", + "Risk": "Without **deletion protection**, a user or pipeline can delete a database in one action, causing immediate loss of availability and possible data loss if backups are stale or missing. This heightens exposure to insider misuse, compromised credentials, or faulty automation, increasing recovery time and cost.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/instance-deletion-protection.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html" + ], "Remediation": { "Code": { "CLI": "aws rds modify-db-instance --db-instance-identifier --deletion-protection --apply-immediately", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/instance-deletion-protection.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled#terraform" + "NativeIaC": "```yaml\n# CloudFormation: enable deletion protection\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DeletionProtection: true # Critical: enables deletion protection for standalone instances\n\n :\n Type: AWS::RDS::DBCluster\n Properties:\n DeletionProtection: true # Critical: enables deletion protection at cluster level (required for Aurora members)\n```", + "Other": "1. In the AWS console, go to RDS > Databases\n2. For a standalone DB instance: select the instance > Modify > enable Deletion protection > Continue > Apply immediately > Modify DB instance\n3. For an Aurora/clustered instance: switch to the cluster (Writer) > Modify > enable Deletion protection > Continue > Apply immediately > Modify cluster", + "Terraform": "```hcl\n# Enable deletion protection on a standalone RDS instance\nresource \"aws_db_instance\" \"\" {\n deletion_protection = true # Critical: prevents instance deletion\n}\n\n# Enable deletion protection on an RDS/Aurora cluster\nresource \"aws_rds_cluster\" \"\" {\n deletion_protection = true # Critical: prevents cluster deletion (required for instances in this cluster)\n}\n```" }, "Recommendation": { - "Text": "Enable deletion protection using the AWS Management Console for production DB instances.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html" + "Text": "Enable `deletion protection` on production RDS instances and Aurora clusters. Enforce **least privilege** for delete/modify actions and require change control to disable protection. Use **defense in depth** with reliable backups and tested restores to limit impact if a deletion occurs.", + "Url": "https://hub.prowler.com/check/rds_instance_deletion_protection" } }, - "Categories": [], + "Categories": [ + "resilience" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.metadata.json b/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.metadata.json index 378b8e0cac..0346756c88 100644 --- a/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_deprecated_engine_version/rds_instance_deprecated_engine_version.metadata.json @@ -1,30 +1,38 @@ { "Provider": "aws", "CheckID": "rds_instance_deprecated_engine_version", - "CheckTitle": "Check if RDS instance is using a supported engine version", - "CheckType": [], + "CheckTitle": "RDS instance uses a supported engine version", + "CheckType": [ + "Software and Configuration Checks/Patch Management", + "Software and Configuration Checks/AWS Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", - "Severity": "medium", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS is using a supported engine version for MariaDB, MySQL and PostgreSQL", - "Risk": "If not enabled RDS instances may be vulnerable to security issues", - "RelatedUrl": "https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html", + "Description": "**RDS DB instances** use a **supported, non-deprecated engine version** for MariaDB, MySQL, or PostgreSQL. The instance's `engine` and `engine_version` are evaluated against versions currently supported in the region.", + "Risk": "Deprecated engine versions lack security fixes and support, enabling exploitation of known flaws impacting **confidentiality** and **integrity**. **Availability** can suffer from forced maintenance or failed upgrades.\n- Unpatched CVEs\n- TLS/client incompatibilities\n- Replication or backup/restore issues", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html" + ], "Remediation": { "Code": { - "CLI": "aws rds describe-db-engine-versions --engine '", - "NativeIaC": "", - "Other": "", - "Terraform": "" + "CLI": "aws rds modify-db-instance --db-instance-identifier --engine-version --allow-major-version-upgrade --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: upgrade RDS engine version for an existing instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceIdentifier: \n Engine: \n DBInstanceClass: db.t3.micro\n EngineVersion: # CRITICAL: move to a supported engine version\n AllowMajorVersionUpgrade: true # CRITICAL: required if upgrading major version\n ApplyImmediately: true # CRITICAL: apply change now to pass the check\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select the DB instance\n3. Click Modify\n4. Under DB engine version, select a supported version\n5. If moving to a new major version, check Allow major version upgrade\n6. Check Apply immediately\n7. Click Continue, then Modify DB instance", + "Terraform": "```hcl\n# Upgrade RDS engine version\nresource \"aws_db_instance\" \"\" {\n identifier = \"\"\n engine = \"\"\n instance_class = \"db.t3.micro\"\n allocated_storage = 20\n\n engine_version = \"\" # CRITICAL: use a supported version\n allow_major_version_upgrade = true # CRITICAL: needed for major upgrades\n apply_immediately = true # CRITICAL: apply now to pass the check\n}\n```" }, "Recommendation": { - "Text": "Ensure all the RDS instances are using a supported engine version", - "Url": "https://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html" + "Text": "Standardize on **supported engine versions** and keep them current.\n- Plan and test upgrades; back up and define rollback\n- Enable `AutoMinorVersionUpgrade` where acceptable\n- Monitor deprecation notices and upgrade before EoS\n- Enforce **least privilege** to limit blast radius during incidents", + "Url": "https://hub.prowler.com/check/rds_instance_deprecated_engine_version" } }, - "Categories": [], + "Categories": [ + "vulnerabilities" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.metadata.json index f465173ae1..24dabf0f6a 100644 --- a/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_enhanced_monitoring_enabled/rds_instance_enhanced_monitoring_enabled.metadata.json @@ -1,30 +1,39 @@ { "Provider": "aws", "CheckID": "rds_instance_enhanced_monitoring_enabled", - "CheckTitle": "Check if RDS instances has enhanced monitoring enabled.", - "CheckType": [], + "CheckTitle": "RDS instance has enhanced monitoring enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "low", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances has enhanced monitoring enabled.", - "Risk": "A smaller monitoring interval results in more frequent reporting of OS metrics.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html", + "Description": "**RDS DB instances** are evaluated for **Enhanced Monitoring** being enabled, which publishes real-time **OS-level metrics** (CPU, memory, disk, network) to CloudWatch Logs for each instance.", + "Risk": "Without **Enhanced Monitoring**, you lack **real-time OS telemetry**, delaying detection of resource saturation and abnormal activity.\n\nThis raises MTTR and risks **availability** impacts (timeouts, failovers), reduces **integrity** assurance during incidents, and weakens forensic visibility.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html", + "https://support.icompaas.com/support/solutions/articles/62000233699-ensu-rds-instances-has-enhanced-monitoring-enabled" + ], "Remediation": { "Code": { - "CLI": "aws rds create-db-instance --db-instance-identifier --db-instance-class --engine --storage-encrypted true", - "NativeIaC": "", - "Other": "", - "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances#terraform" + "CLI": "aws rds modify-db-instance --db-instance-identifier --monitoring-interval 60 --monitoring-role-arn ", + "NativeIaC": "```yaml\n# CloudFormation: enable Enhanced Monitoring on an existing RDS instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceIdentifier: \n MonitoringRoleArn: # CRITICAL: IAM role RDS uses to publish OS metrics to CloudWatch Logs\n MonitoringInterval: 60 # CRITICAL: >0 enables Enhanced Monitoring (seconds)\n```", + "Other": "1. In the AWS Console, go to RDS > Databases and select the DB instance\n2. Click Modify\n3. In Monitoring, check Enable Enhanced Monitoring and set Granularity to any non-zero value (e.g., 60 seconds)\n4. Set Monitoring role to Default (creates rds-monitoring-role) or select an existing role\n5. Click Continue, then Modify DB instance to apply", + "Terraform": "```hcl\n# Enable Enhanced Monitoring on an existing RDS instance\nresource \"aws_db_instance\" \"\" {\n # ...existing required configuration...\n monitoring_role_arn = \"\" # CRITICAL: Role for publishing OS metrics\n monitoring_interval = 60 # CRITICAL: >0 enables Enhanced Monitoring (seconds)\n}\n```" }, "Recommendation": { - "Text": "To use Enhanced Monitoring, you must create an IAM role, and then enable Enhanced Monitoring.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html" + "Text": "Enable **Enhanced Monitoring** on RDS, using a `>0s` collection interval aligned to workload and cost. Assign a **least-privilege** role for log delivery, and apply **defense in depth** by centralizing logs, setting **alerts** on key OS metrics, and defining **retention** to support incident response and trend analysis.", + "Url": "https://hub.prowler.com/check/rds_instance_enhanced_monitoring_enabled" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.metadata.json b/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.metadata.json index b68cd7366d..73a20fe710 100644 --- a/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_event_subscription_parameter_groups/rds_instance_event_subscription_parameter_groups.metadata.json @@ -1,30 +1,39 @@ { "Provider": "aws", "CheckID": "rds_instance_event_subscription_parameter_groups", - "CheckTitle": "Check if RDS Parameter Group events are subscribed.", - "CheckType": [], + "CheckTitle": "RDS DB parameter group event subscription is enabled and subscribes to configuration change events or all categories", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:account", + "ResourceIdTemplate": "", "Severity": "low", - "ResourceType": "AwsAccount", - "ResourceGroup": "governance", - "Description": "Ensure that Amazon RDS event notification subscriptions are enabled for database parameter groups events.", - "Risk": "Amazon RDS event subscriptions for database parameter groups are designed to provide incident notification of events that may affect the security, availability, and reliability of the RDS database instances associated with these parameter groups.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html", + "ResourceType": "AwsRdsEventSubscription", + "ResourceGroup": "database", + "Description": "**RDS event subscriptions** for **DB parameter groups** notify on `configuration change` events (or all categories) when the subscription is enabled", + "Risk": "Missing alerts on parameter changes erodes visibility. Attackers or mistakes can lower TLS requirements, disable auditing, or relax auth, enabling data exposure (**confidentiality**), unauthorized writes (**integrity**), or outages from unsafe settings (**availability**).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-21" + ], "Remediation": { "Code": { - "CLI": "aws rds create-event-subscription --source-type db-instance --event-categories 'configuration change' --sns-topic-arn ", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-21", - "Terraform": "" + "CLI": "aws rds create-event-subscription --subscription-name --sns-topic-arn --source-type db-parameter-group --event-categories \"configuration change\" --enabled", + "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::RDS::EventSubscription\n Properties:\n SnsTopicArn: \n SourceType: db-parameter-group # Critical: targets DB parameter group events\n EventCategories:\n - configuration change # Critical: subscribes to configuration change events\n Enabled: true # Critical: subscription must be enabled\n```", + "Other": "1. In the AWS Console, go to Amazon RDS > Event subscriptions\n2. Click Create event subscription\n3. Send notifications to: select an existing SNS topic\n4. Source type: Parameter groups\n5. Event categories: select Configuration change (or choose All event categories)\n6. Ensure Enabled is On\n7. Click Create", + "Terraform": "```hcl\nresource \"aws_db_event_subscription\" \"\" {\n name = \"\"\n sns_topic = \"\"\n source_type = \"db-parameter-group\" # Critical: target DB parameter groups\n event_categories = [\"configuration change\"] # Critical: include configuration change events\n}\n```" }, "Recommendation": { - "Text": "To subscribe to RDS instance event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html" + "Text": "Create and maintain an **SNS-backed event subscription** for **DB parameter groups** that includes `configuration change` (or all) and keep it enabled.\n\n- Apply **least privilege** to SNS topics\n- Route to on-call/SIEM and test alerts\n- Enforce change control and monitoring across all Regions", + "Url": "https://hub.prowler.com/check/rds_instance_event_subscription_parameter_groups" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.metadata.json b/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.metadata.json index 9e59493988..1019190f08 100644 --- a/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_event_subscription_security_groups/rds_instance_event_subscription_security_groups.metadata.json @@ -1,30 +1,39 @@ { "Provider": "aws", "CheckID": "rds_instance_event_subscription_security_groups", - "CheckTitle": "Check if RDS Security Group events are subscribed.", - "CheckType": [], + "CheckTitle": "RDS event subscription for DB security groups is enabled for configuration change and failure events", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:es", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsEventSubscription", "ResourceGroup": "database", - "Description": "Ensure that Amazon RDS event notification subscriptions are enabled for database security groups events.", - "Risk": "Amazon RDS event subscriptions for database security groups are designed to provide incident notification of events that may affect the security, availability, and reliability of the RDS database instances associated with these security groups.", - "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-22", + "Description": "**RDS event subscriptions** are evaluated for **database security group** events. The check expects an enabled subscription with source type `db-security-group` that includes the `configuration change` and `failure` event categories.", + "Risk": "Missing alerts on **security group changes** or **failures** reduces visibility and slows response. Undetected rule changes can expose databases, while unnoticed failures prolong outages, impacting **confidentiality** and **availability** through unauthorized access or service disruption.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-db-security-groups-events.html#", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-22" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-db-security-groups-events.html#", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-db-security-groups-events.html#", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-db-security-groups-events.html#" + "CLI": "aws rds create-event-subscription --subscription-name --sns-topic-arn --source-type db-security-group --event-categories \"configuration change\" \"failure\"", + "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::RDS::EventSubscription\n Properties:\n SnsTopicArn: \n SourceType: db-security-group # Critical: subscribe to DB security group events\n EventCategories: # Critical: required categories\n - configuration change\n - failure\n```", + "Other": "1. Open the AWS Console > RDS > Event subscriptions\n2. Click Create event subscription\n3. Set Name to and select an existing SNS topic\n4. Set Source type to Security group\n5. Under Event categories, select Configuration change and Failure\n6. Leave Targets as All security groups (no specific IDs)\n7. Ensure Enabled is On and click Create", + "Terraform": "```hcl\nresource \"aws_db_event_subscription\" \"\" {\n name = \"\"\n sns_topic = \"\"\n source_type = \"db-security-group\" # Critical: DB security group events\n event_categories = [\"configuration change\", \"failure\"] # Critical: required categories\n}\n```" }, "Recommendation": { - "Text": "To subscribe to RDS instance event notifications, see Subscribing to Amazon RDS event notification in the Amazon RDS User Guide.", - "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-22" + "Text": "Create or update an **RDS event subscription** for source type `db-security-group` including `configuration change` and `failure`. Route alerts to monitored channels, restrict topic access (**least privilege**), integrate with **incident response**, and enforce change control and **separation of duties** for security group updates.", + "Url": "https://hub.prowler.com/check/rds_instance_event_subscription_security_groups" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.metadata.json index f7c6f6af53..be4c4fa856 100644 --- a/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_iam_authentication_enabled/rds_instance_iam_authentication_enabled.metadata.json @@ -1,30 +1,41 @@ { "Provider": "aws", "CheckID": "rds_instance_iam_authentication_enabled", - "CheckTitle": "Check if RDS instances have IAM authentication enabled.", - "CheckType": [], + "CheckTitle": "RDS instance has IAM database authentication enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "TTPs/Credential Access" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances have IAM authentication enabled.", - "Risk": "Ensure that the IAM Database Authentication feature is enabled for your RDS database instances in order to use the Identity and Access Management (IAM) service to manage database access to your MySQL and PostgreSQL database instances. With this feature enabled, you don't have to use a password when you connect to your MySQL/PostgreSQL database, instead you can use an authentication token. An authentication token is a unique string of characters with a lifetime of 15 minutes that Amazon RDS generates on your request. IAM Database Authentication removes the need of storing user credentials within the database configuration, because authentication is managed externally using Amazon IAM.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html", + "Description": "**RDS DB instances** using MySQL, MariaDB, or PostgreSQL engines (including Aurora variants) have **IAM database authentication** enabled at the instance level or, when part of a cluster, evaluated for cluster-level enablement.", + "Risk": "Absent **IAM-based, short-lived tokens**, databases rely on **static passwords** in code and configs, increasing theft and reuse.\n\nCompromised DB creds enable unauthorized queries, leading to **data exfiltration** and tampering, and weaken **centralized access control** and rotation.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-10", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/iam-database-authentication.html#" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --region --db-instance-identifier --enable-iam-database-authentication --apply-immediately", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/iam-database-authentication.html#", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-10", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/iam-database-authentication.html#" + "CLI": "aws rds modify-db-instance --db-instance-identifier --enable-iam-database-authentication --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: enable IAM DB authentication on an RDS instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceIdentifier: \n EnableIAMDatabaseAuthentication: true # Critical: enables IAM DB auth to pass the check\n```", + "Other": "1. In the AWS console, go to RDS > Databases\n2. Select the DB instance and choose Modify\n3. Under Database authentication, select \"Password and IAM database authentication\"\n4. Choose Apply immediately and click Modify DB instance\n5. If the instance is part of an Aurora DB cluster: select the DB cluster instead, choose Modify, enable IAM database authentication, Apply immediately, then Modify", + "Terraform": "```hcl\n# Enable IAM DB authentication on an RDS instance\nresource \"aws_db_instance\" \"\" {\n iam_database_authentication_enabled = true # Critical: enables IAM DB auth to pass the check\n}\n```" }, "Recommendation": { - "Text": "Enable IAM authentication for supported RDS instances.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html" + "Text": "Enable **IAM database authentication** for supported engines and apply **least privilege** with scoped IAM policies. Prefer **short-lived tokens** over static DB passwords, enforce TLS, and phase out embedded credentials.\n\nMonitor authentication activity with audit logs for **defense in depth**.", + "Url": "https://hub.prowler.com/check/rds_instance_iam_authentication_enabled" } }, - "Categories": [], + "Categories": [ + "identity-access" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.metadata.json b/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.metadata.json index 12aaa01559..c9f5fd2c96 100644 --- a/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_inside_vpc/rds_instance_inside_vpc.metadata.json @@ -1,32 +1,40 @@ { "Provider": "aws", "CheckID": "rds_instance_inside_vpc", - "CheckTitle": "Check if RDS instances are deployed within a VPC.", + "CheckTitle": "RDS instance is deployed in a VPC", "CheckType": [ - "Software and Configuration Checks, AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices/Network Reachability", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "high", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances are deployed within a VPC.", - "Risk": "If your RDS instances are not deployed within a VPC, they are not isolated from the public internet and are exposed to potential security threats. Deploying RDS instances within a VPC allows you to control inbound and outbound traffic to and from the instances, and provides an additional layer of security to your database instances.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets", + "Description": "**RDS DB instances** are assessed for **VPC placement** by the presence of a `vpc_id` indicating deployment within a VPC.\n\nInstances without this association are treated as outside VPC networking.", + "Risk": "Without VPC isolation, databases may expose internet-reachable endpoints and lack granular network controls. This degrades **confidentiality** and **availability** via scanning/brute force and data exfiltration, and threatens **integrity** through unauthorized connections and lateral movement.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-18", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --db-instance-identifier --vpc-security-group-ids ", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-18", - "Terraform": "" + "CLI": "aws rds modify-db-instance --db-instance-identifier --db-subnet-group-name --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: move RDS instance into a VPC by assigning a DB subnet group\nResources:\n :\n Type: AWS::RDS::DBSubnetGroup\n Properties:\n DBSubnetGroupDescription: \"subnets for rds\"\n SubnetIds:\n - # CRITICAL: Subnets in the target VPC\n - # CRITICAL: At least two AZs recommended\n\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBSubnetGroupName: !Ref # CRITICAL: Ensures the DB instance is deployed in a VPC\n```", + "Other": "1. In the AWS Console, go to RDS > Subnet groups and create/select a DB subnet group in the target VPC (with subnets in at least two AZs)\n2. Go to RDS > Databases, select the DB instance, click Modify\n3. Under Connectivity, set DB subnet group to the VPC subnet group from step 1 (select a VPC security group if prompted)\n4. Check Apply immediately and choose Continue > Modify DB instance", + "Terraform": "```hcl\n# Terraform: ensure RDS instance is in a VPC via DB subnet group\nresource \"aws_db_subnet_group\" \"\" {\n name = \"\"\n subnet_ids = [\n \"\", # CRITICAL: Subnets in the target VPC\n \"\"\n ]\n}\n\nresource \"aws_db_instance\" \"\" {\n identifier = \"\"\n db_subnet_group_name = aws_db_subnet_group..name # CRITICAL: Places instance in a VPC\n}\n```" }, "Recommendation": { - "Text": "Ensure that your RDS instances are deployed within a VPC to provide an additional layer of security to your database instances.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html" + "Text": "Deploy all RDS instances in a **VPC**, preferably in **private subnets**. Enforce **least privilege** with security groups, network ACLs, and restrictive routing. Use private connectivity (peering, VPN, Direct Connect), avoid public exposure, and apply **defense in depth** through segmentation and monitoring.", + "Url": "https://hub.prowler.com/check/rds_instance_inside_vpc" } }, - "Categories": [], + "Categories": [ + "trust-boundaries" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.metadata.json b/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.metadata.json index ee5f8b282b..4d4834143d 100644 --- a/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_integration_cloudwatch_logs/rds_instance_integration_cloudwatch_logs.metadata.json @@ -1,27 +1,35 @@ { "Provider": "aws", "CheckID": "rds_instance_integration_cloudwatch_logs", - "CheckTitle": "Check if RDS instances is integrated with CloudWatch Logs.", - "CheckType": [], + "CheckTitle": "RDS instance exports logs to CloudWatch Logs", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances is integrated with CloudWatch Logs.", - "Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html", + "Description": "**RDS DB instances** are configured to **publish database logs** to **CloudWatch Logs** (e.g., `error`, `general`, `slowquery`, `audit`).\n\nThe evaluation identifies instances that have log exports enabled to a CloudWatch log group.", + "Risk": "Without centralized RDS logs, database activity lacks visibility, hindering detection and response. Credential misuse, SQL injection, data exfiltration, and privilege abuse may go unnoticed, risking **confidentiality** and **integrity**. Unseen errors and slow queries can lead to outages, impacting **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/log-exports.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html", + "https://repost.aws/knowledge-center/rds-aurora-mysql-logs-cloudwatch" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --db-instance-identifier --cloudwatch-logs-export-configuration {'EnableLogTypes':['audit',error','general','slowquery']} --apply-immediately", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/log-exports.html", - "Terraform": "https://docs.prowler.com/checks/aws/iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled#terraform" + "CLI": "aws rds modify-db-instance --db-instance-identifier --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"\"]}'", + "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceIdentifier: \n # Critical: enabling at least one log type exports it to CloudWatch Logs and makes the check PASS\n EnableCloudwatchLogsExports:\n - \n```", + "Other": "1. Open AWS Console > RDS > Databases\n2. Select your DB instance and choose Modify\n3. In Log exports, select at least one supported log type (e.g., error/general/slowquery/audit/postgresql/alert)\n4. Choose Continue, then Modify DB instance", + "Terraform": "```hcl\nresource \"aws_db_instance\" \"\" {\n identifier = \"\"\n # Critical: export at least one supported log type to CloudWatch Logs to pass the check\n enabled_cloudwatch_logs_exports = [\"\"]\n}\n```" }, "Recommendation": { - "Text": "Use CloudWatch Logs to perform real-time analysis of the log data. Create alarms and view metrics.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/publishing_cloudwatchlogs.html" + "Text": "Enable export of relevant RDS logs to **CloudWatch Logs** (`error`, `general`, `slowquery`, `audit`) and standardize across engines. Enforce **least privilege** on log access, set retention, and define metrics/alarms for critical patterns. Integrate with a SIEM. Apply **separation of duties** and **defense in depth** to protect log integrity and monitoring.", + "Url": "https://hub.prowler.com/check/rds_instance_integration_cloudwatch_logs" } }, "Categories": [ diff --git a/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.metadata.json b/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.metadata.json index 8951a849aa..8a11bbeb38 100644 --- a/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_minor_version_upgrade_enabled/rds_instance_minor_version_upgrade_enabled.metadata.json @@ -1,30 +1,38 @@ { "Provider": "aws", "CheckID": "rds_instance_minor_version_upgrade_enabled", - "CheckTitle": "Ensure RDS instances have minor version upgrade enabled.", - "CheckType": [], + "CheckTitle": "RDS instance has minor version upgrade enabled", + "CheckType": [ + "Software and Configuration Checks/Patch Management" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", - "Severity": "low", + "ResourceIdTemplate": "", + "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Ensure RDS instances have minor version upgrade enabled.", - "Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.", - "RelatedUrl": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/", + "Description": "**RDS DB instances** are evaluated for the `auto_minor_version_upgrade` setting that enables **automatic minor engine updates** during maintenance windows.", + "Risk": "Without automatic minor upgrades, databases miss **security patches**, leaving known vulnerabilities exploitable and risking **unauthorized data access**. Unapplied fixes can cause **data corruption** and outages, harming **integrity** and **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html" + ], "Remediation": { "Code": { "CLI": "aws rds modify-db-instance --db-instance-identifier --auto-minor-version-upgrade --apply-immediately", - "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#cloudformation", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#terraform" + "NativeIaC": "```yaml\n# CloudFormation: Enable auto minor version upgrades on an RDS instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceIdentifier: \n DBInstanceClass: db.t3.micro\n Engine: mysql\n MasterUsername: \n MasterUserPassword: \n AllocatedStorage: '20'\n AutoMinorVersionUpgrade: true # Critical: ensures RDS applies minor engine updates automatically\n```", + "Other": "1. In the AWS Console, go to RDS > Databases\n2. Select the DB instance and click Modify\n3. Find \"Auto minor version upgrade\" and set it to Enable\n4. Click Continue, check Apply immediately, then click Modify DB instance", + "Terraform": "```hcl\n# Enable auto minor version upgrades on an RDS instance\nresource \"aws_db_instance\" \"\" {\n allocated_storage = 20\n engine = \"mysql\"\n instance_class = \"db.t3.micro\"\n username = \"\"\n password = \"\"\n auto_minor_version_upgrade = true # Critical: turns on automatic minor engine upgrades\n}\n```" }, "Recommendation": { - "Text": "Enable auto minor version upgrade for all databases and environments.", - "Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/" + "Text": "Enable `auto_minor_version_upgrade` on RDS instances so minor releases are applied promptly. Use maintenance windows and stage testing to limit impact. Follow **defense in depth** and **least privilege**; keep reliable backups and Multi-AZ to preserve continuity if upgrades require rollback.", + "Url": "https://hub.prowler.com/check/rds_instance_minor_version_upgrade_enabled" } }, - "Categories": [], + "Categories": [ + "vulnerabilities" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.metadata.json b/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.metadata.json index 0fc8188164..b2430589a7 100644 --- a/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_multi_az/rds_instance_multi_az.metadata.json @@ -1,31 +1,37 @@ { "Provider": "aws", "CheckID": "rds_instance_multi_az", - "CheckTitle": "Check if RDS instances have multi-AZ enabled.", - "CheckType": [], + "CheckTitle": "RDS instance has Multi-AZ enabled", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "medium", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances have multi-AZ enabled.", - "Risk": "In case of failure, with a single-AZ deployment configuration, should an availability zone specific database failure occur, Amazon RDS can not automatically fail over to the standby availability zone.", - "RelatedUrl": "https://aws.amazon.com/rds/features/multi-az/", + "Description": "**RDS DB instances** are evaluated for **Multi-AZ** configuration, either enabled on the instance or inherited from the associated DB cluster.", + "Risk": "Without **Multi-AZ**, an Availability Zone or instance failure can cause extended downtime and rely on restores, risking loss of recent writes. This degrades **availability** and may affect **integrity**, interrupting applications and breaching SLAs.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-multi-az.html", + "https://aws.amazon.com/rds/features/multi-az/" + ], "Remediation": { "Code": { - "CLI": "aws rds create-db-instance --db-instance-identifier --multi-az true", - "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_73#cloudformation", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-multi-az.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_73#terraform" + "CLI": "aws rds modify-db-instance --db-instance-identifier --multi-az --apply-immediately", + "NativeIaC": "```yaml\n# CloudFormation: enable Multi-AZ on an existing RDS DB instance\nResources:\n RDSInstance:\n Type: AWS::RDS::DBInstance\n Properties:\n MultiAZ: true # Critical: enables Multi-AZ to pass the check\n```", + "Other": "1. Open the AWS Management Console and go to RDS > Databases\n2. Select the affected DB instance and click Modify\n3. Under Availability & durability, set Multi-AZ deployment to Enabled (create a standby)\n4. Check Apply immediately\n5. Click Continue, then Modify DB instance\n6. Wait until status is Available and Multi-AZ shows Yes", + "Terraform": "```hcl\n# Enable Multi-AZ on an RDS DB instance\nresource \"aws_db_instance\" \"example\" {\n multi_az = true # Critical: enables Multi-AZ to pass the check\n}\n```" }, "Recommendation": { - "Text": "Enable multi-AZ deployment for production databases.", - "Url": "https://aws.amazon.com/rds/features/multi-az/" + "Text": "Apply fault-tolerance and redundancy principles: enable **Multi-AZ** for production RDS workloads. Choose one standby or two readable standbys based on RTO/RPO and performance needs. Regularly test failover, monitor configuration drift, and allow exceptions only with documented, risk-based approval.", + "Url": "https://hub.prowler.com/check/rds_instance_multi_az" } }, "Categories": [ - "redundancy" + "resilience" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.metadata.json b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.metadata.json index 390504cca9..6f64cf9d90 100644 --- a/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_no_public_access/rds_instance_no_public_access.metadata.json @@ -1,27 +1,37 @@ { "Provider": "aws", "CheckID": "rds_instance_no_public_access", - "CheckTitle": "Ensure there are no Public Accessible RDS instances.", - "CheckType": [], + "CheckTitle": "RDS instance is not publicly exposed to the Internet", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices/Network Reachability", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark", + "TTPs/Initial Access" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "critical", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Ensure there are no Public Accessible RDS instances.", - "Risk": "Publicly accessible databases could expose sensitive data to bad actors.", - "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html", + "Description": "**RDS DB instances** are assessed for **internet exposure** using the `PubliclyAccessible` setting, security group ingress to the DB port from any address, and whether subnets are **public**. Instances that combine an internet-facing endpoint, open ingress, and public subnets are identified.", + "Risk": "An internet-reachable database invites:\n- Brute-force and vulnerability probing, risking **availability** and **integrity**\n- Unauthorized queries and dumps leading to **confidentiality** loss\n\nCompromise can enable **lateral movement** and persistence within the VPC.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-publicly-accessible.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html" + ], "Remediation": { "Code": { "CLI": "aws rds modify-db-instance --db-instance-identifier --no-publicly-accessible --apply-immediately", - "NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_2#cloudformation", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-publicly-accessible.html", - "Terraform": "https://docs.prowler.com/checks/aws/public-policies/public_2#terraform" + "NativeIaC": "```yaml\n# CloudFormation: make the RDS instance private\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceIdentifier: \n PubliclyAccessible: false # CRITICAL: disables public access so the instance is not Internet-facing\n```", + "Other": "1. In the AWS console, go to RDS > Databases and select your DB instance\n2. Click Modify\n3. In Connectivity (Connectivity & security), set Public access to No (Not publicly accessible)\n4. Choose Continue, select Apply immediately (or during the next window), then click Modify DB instance", + "Terraform": "```hcl\n# Ensure the RDS instance is not publicly accessible\nresource \"aws_db_instance\" \"\" {\n publicly_accessible = false # CRITICAL: disables public access (no public endpoint)\n}\n```" }, "Recommendation": { - "Text": "Using an AWS Config rule check for RDS public instances periodically and check there is a business reason for it.", - "Url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-public-access-check.html" + "Text": "Keep databases private by applying **least privilege** at the network layer:\n- Set `PubliclyAccessible` to `false`\n- Place instances in private subnets\n- Deny `0.0.0.0/0` and `::/0` on the DB port\n- Expose access via private endpoints, VPN, or an application tier/DB proxy\n\nAdopt **defense in depth** with monitoring and strong auth.", + "Url": "https://hub.prowler.com/check/rds_instance_no_public_access" } }, "Categories": [ diff --git a/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.metadata.json b/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.metadata.json index 98a80abaa7..73d731a471 100644 --- a/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_non_default_port/rds_instance_non_default_port.metadata.json @@ -1,29 +1,35 @@ { "Provider": "aws", "CheckID": "rds_instance_non_default_port", - "CheckTitle": "Check if RDS instances are using non-default ports.", + "CheckTitle": "RDS instance uses a non-default port for its engine", "CheckType": [ - "Software and Configuration Checks/AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices/Network Reachability", + "TTPs/Discovery" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "low", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Checks if an instance uses a port other than the default port of the database engine. The control fails if the RDS instance uses the default port.", - "Risk": "Using a default database port exposes the instance to potential security vulnerabilities, as attackers are more likely to target known, commonly-used ports. This may result in unauthorized access to the database or increased susceptibility to automated attacks.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", + "Description": "**RDS DB instances** are evaluated for use of a port that differs from the engine's default. Matching an engine with its default port-`3306` (MySQL/MariaDB/Aurora MySQL), `5432` (PostgreSQL/Aurora), `1521` (Oracle), `1433` (SQL Server), `50000` (Db2)-indicates the instance uses the default listener.", + "Risk": "Using a **default DB port** increases exposure to broad scans and eases **service fingerprinting**. With weak network controls, attackers can run **credential brute force**, target known **engine exploits**, or trigger **DoS** on the predictable port, threatening confidentiality and availability.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-default-port.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-23", + "https://docs.aws.amazon.com/cli/latest/reference/rds/modify-db-instance.html" + ], "Remediation": { "Code": { - "CLI": "aws rds modify-db-instance --db-instance-identifier --port ", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-23", - "Terraform": "" + "CLI": "aws rds modify-db-instance --db-instance-identifier --db-port ", + "NativeIaC": "```yaml\n# CloudFormation: set a non-default port on an RDS instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n Port: # Critical: use a non-default DB engine port to pass the check\n```", + "Other": "1. In the AWS Console, go to Amazon RDS > Databases\n2. Select the DB instance and click Modify\n3. Set \"Database port\" to a non-default value for the engine (e.g., not 3306, 5432, 1521, 1433, or 50000)\n4. Click Continue, then Modify DB instance", + "Terraform": "```hcl\n# Terraform: set a non-default port on an RDS instance\nresource \"aws_db_instance\" \"\" {\n port = # Critical: use a non-default DB engine port to pass the check\n}\n```" }, "Recommendation": { - "Text": "Modify the RDS instance to use a non-default port, and ensure that the security group permits access to the new port.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html" + "Text": "Use a **non-default DB port** and enforce **defense in depth**:\n- Apply **least-privilege** network rules\n- Keep databases in **private subnets**; avoid public exposure\n- Require strong authentication and audit logging\n\n*Update client connection strings and security rules when the port changes.*", + "Url": "https://hub.prowler.com/check/rds_instance_non_default_port" } }, "Categories": [], diff --git a/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json b/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json index 3b6a01e899..79b4a2ede2 100644 --- a/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_protected_by_backup_plan/rds_instance_protected_by_backup_plan.metadata.json @@ -1,32 +1,40 @@ { "Provider": "aws", "CheckID": "rds_instance_protected_by_backup_plan", - "CheckTitle": "Check if RDS instances are protected by a backup plan.", + "CheckTitle": "RDS instance is protected by an AWS Backup plan", "CheckType": [ - "Software and Configuration Checks, AWS Security Best Practices" + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Effects/Data Destruction" ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", - "Severity": "medium", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances are protected by a backup plan.", - "Risk": "Without a backup plan, RDS instances are vulnerable to data loss, accidental deletion, or corruption. This could lead to significant operational disruptions or loss of critical data.", - "RelatedUrl": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html", + "Description": "**RDS DB instances** (non-Aurora) are included in an **AWS Backup plan**, indicating scheduled backups and retention are applied to the resource.\n\n*Aurora engines are evaluated separately.*", + "Risk": "Without an **AWS Backup plan**, databases lack assured recovery, degrading **availability** and **integrity**. Likely outcomes: accidental deletion, corruption, or malicious wipes with no recent restore point. Expect missed `RPO/RTO`, extended outages, and data inconsistency after incidents.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-26" + ], "Remediation": { "Code": { - "CLI": "aws backup create-backup-plan --backup-plan , aws backup tag-resource --resource-arn --tags Key=backup,Value=true", - "NativeIaC": "", - "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-26", - "Terraform": "" + "CLI": "aws backup create-backup-selection --backup-plan-id --backup-selection '{\"SelectionName\":\"\",\"IamRoleArn\":\"\",\"Resources\":[\"\"]}'", + "NativeIaC": "```yaml\n# CloudFormation: assign an RDS instance to an AWS Backup plan\nResources:\n :\n Type: AWS::Backup::BackupSelection\n Properties:\n BackupPlanId: # CRITICAL: targets the backup plan to protect the instance\n BackupSelection:\n SelectionName: \n IamRoleArn: # CRITICAL: role AWS Backup uses to back up the resource\n Resources:\n - # CRITICAL: assigns the RDS instance to the plan\n```", + "Other": "1. In the AWS Console, open AWS Backup\n2. Go to Settings > Service opt-in and enable Amazon RDS (if not already)\n3. Go to Backup plans and select an existing plan (or Create backup plan with defaults)\n4. Click Assign resources\n5. Enter a name, select an IAM role, and add the RDS instance (by ARN or resource picker)\n6. Click Assign resources to save", + "Terraform": "```hcl\n# Assign an RDS instance to an AWS Backup plan\nresource \"aws_backup_selection\" \"\" {\n name = \"\"\n plan_id = \"\" # CRITICAL: attaches to the backup plan\n iam_role_arn = \"\" # CRITICAL: role AWS Backup uses\n resources = [\"\"] # CRITICAL: RDS instance protected by the plan\n}\n```" }, "Recommendation": { - "Text": "Create a backup plan for the RDS instance to protect it from data loss, accidental deletion, or corruption.", - "Url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/assigning-resources.html" + "Text": "Assign all non-Aurora RDS to an **AWS Backup plan** aligned to business `RPO/RTO`. Use **tags** for automatic coverage, define retention and lifecycle, and store backups in **immutable** vaults where possible. Regularly perform restore tests. Enforce **least privilege** and **separation of duties** for backup administration.", + "Url": "https://hub.prowler.com/check/rds_instance_protected_by_backup_plan" } }, - "Categories": [], + "Categories": [ + "resilience" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.metadata.json b/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.metadata.json index 43d031fe1b..2125e64d1c 100644 --- a/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_storage_encrypted/rds_instance_storage_encrypted.metadata.json @@ -1,30 +1,47 @@ { "Provider": "aws", "CheckID": "rds_instance_storage_encrypted", - "CheckTitle": "Check if RDS instances storage is encrypted.", - "CheckType": [], + "CheckTitle": "RDS DB instance storage is encrypted at rest", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)", + "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)", + "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS", + "Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls", + "Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls (USA)", + "Software and Configuration Checks/Industry and Regulatory Standards/GDPR Controls (Europe)", + "Effects/Data Exposure" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", - "Severity": "medium", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "Check if RDS instances storage is encrypted.", - "Risk": "If not enabled sensitive information at rest is not protected.", - "RelatedUrl": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html", + "Description": "**RDS DB instances** are assessed for **KMS-based encryption at rest** (`StorageEncrypted=true`), covering instance storage and derived artifacts such as snapshots, automated backups, and read replicas.", + "Risk": "Without **encryption at rest**, database files, snapshots, and automated backups remain in plaintext. An attacker with access to copied snapshots, compromised backups, or underlying storage can read sensitive data, causing loss of **confidentiality** and enabling large-scale exfiltration.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-encryption-enabled.html", + "https://aws.amazon.com/blogs/storage/protecting-amazon-rds-db-instances-encrypted-using-kms-aws-managed-key-with-cross-account-and-cross-region-backups/", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html" + ], "Remediation": { "Code": { - "CLI": "aws rds create-db-instance --db-instance-identifier --db-instance-class --engine --storage-encrypted true", - "NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/general_4#cloudformation", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-encryption-enabled.html", - "Terraform": "https://docs.prowler.com/checks/aws/general-policies/general_4#terraform" + "CLI": "", + "NativeIaC": "```yaml\n# CloudFormation: create an encrypted RDS DB instance\nResources:\n :\n Type: AWS::RDS::DBInstance\n Properties:\n DBInstanceClass: \"\"\n Engine: \"\"\n AllocatedStorage: 20\n MasterUsername: \"\"\n MasterUserPassword: \"\"\n StorageEncrypted: true # CRITICAL: enables encryption at rest so the instance passes the check\n```", + "Other": "1. In the AWS Console, go to RDS > Databases, select the unencrypted DB instance, then choose Actions > Take snapshot.\n2. After the snapshot is available, go to Snapshots, select it, choose Actions > Copy snapshot, enable encryption, and select a KMS key (or aws/rds).\n3. When the encrypted copy is ready, select it and choose Actions > Restore snapshot to create a new (encrypted) DB instance.\n4. Update your application/endpoint to use the new encrypted DB instance.\n5. Decommission the old unencrypted instance after cutover.", + "Terraform": "```hcl\n# Terraform: create an encrypted RDS DB instance\nresource \"aws_db_instance\" \"\" {\n engine = \"\"\n instance_class = \"\"\n username = \"\"\n password = \"\"\n allocated_storage = 20\n\n storage_encrypted = true # CRITICAL: enables encryption at rest to pass the check\n}\n```" }, "Recommendation": { - "Text": "Enable Encryption. Use a CMK where possible. It will provide additional management and privacy benefits.", - "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html" + "Text": "Enable **encryption at rest** for all RDS instances. Prefer **customer-managed KMS keys** to control rotation and fine-grained access, applying **least privilege** and **defense in depth**. Restrict key usage, monitor key activity, and manage key lifecycle. Migrate unencrypted instances via encrypted snapshot copy and restore.", + "Url": "https://hub.prowler.com/check/rds_instance_storage_encrypted" } }, - "Categories": [], + "Categories": [ + "encryption" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" diff --git a/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.metadata.json b/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.metadata.json index 2180bc1b1c..38320956a2 100644 --- a/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.metadata.json +++ b/prowler/providers/aws/services/rds/rds_instance_transport_encrypted/rds_instance_transport_encrypted.metadata.json @@ -1,27 +1,34 @@ { "Provider": "aws", "CheckID": "rds_instance_transport_encrypted", - "CheckTitle": "Check if RDS instances enforce SSL/TLS encryption for client connections (Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Aurora PostgreSQL, and Aurora MySQL).", - "CheckType": [], + "CheckTitle": "RDS instance or cluster enforces SSL/TLS encryption for client connections", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices/Network Security" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:db-instance", + "ResourceIdTemplate": "", "Severity": "high", "ResourceType": "AwsRdsDbInstance", "ResourceGroup": "database", - "Description": "For SQL Server, PostgreSQL, and Aurora PostgreSQL databases, if the `rds.force_ssl` parameter value is set to 0, SSL/TLS connections are not enforced. For MySQL, Aurora MySQL, and MariaDB databases, if the `require_secure_transport` parameter value is set to OFF, SSL/TLS connections are not enforced. Enforcing SSL/TLS ensures that all client connections to RDS instances are encrypted, protecting sensitive information in transit.", - "Risk": "If not enabled, sensitive information in transit is not protected.", - "RelatedUrl": "https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ssl-connection/", + "Description": "**RDS DB instances** and **DB clusters** enforce **SSL/TLS** for client connections via parameter groups. The check looks for `rds.force_ssl=1` (PostgreSQL, SQL Server) or `require_secure_transport` enabled (MySQL-family) and identifies databases where encryption enforcement isn't active.", + "Risk": "Without enforced **TLS**, clients can connect or downgrade to plaintext, exposing credentials and queries to interception. Adversaries can perform **MITM**, steal secrets, and tamper traffic, undermining **confidentiality** and **integrity** and enabling reuse of captured database credentials.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ssl-connection/", + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html", + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/transport-encryption.html" + ], "Remediation": { "Code": { "CLI": "aws rds modify-db-parameter-group --region --db-parameter-group-name --parameters ParameterName='rds.force_ssl',ParameterValue='1',ApplyMethod='pending-reboot'", - "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/transport-encryption.html", - "Terraform": "" + "NativeIaC": "```yaml\n# CloudFormation: set required parameter to enforce SSL/TLS\nResources:\n ExampleDBParameterGroupPostgres:\n Type: AWS::RDS::DBParameterGroup\n Properties:\n Family: \n Description: Enforce SSL/TLS\n Parameters:\n rds.force_ssl: \"1\" # Critical: requires SSL/TLS for PostgreSQL/SQL Server instances\n\n ExampleDBParameterGroupMySQL:\n Type: AWS::RDS::DBParameterGroup\n Properties:\n Family: \n Description: Enforce SSL/TLS\n Parameters:\n require_secure_transport: \"1\" # Critical: requires SSL/TLS for MySQL/MariaDB instances\n\n ExampleDBClusterParameterGroupAuroraPostgres:\n Type: AWS::RDS::DBClusterParameterGroup\n Properties:\n Family: \n Description: Enforce SSL/TLS\n Parameters:\n rds.force_ssl: \"1\" # Critical: requires SSL/TLS for Aurora PostgreSQL clusters\n\n ExampleDBClusterParameterGroupAuroraMySQL:\n Type: AWS::RDS::DBClusterParameterGroup\n Properties:\n Family: \n Description: Enforce SSL/TLS\n Parameters:\n require_secure_transport: ON # Critical: requires SSL/TLS for Aurora MySQL clusters\n```", + "Other": "1. In the AWS Console, go to RDS > Parameter groups\n2. For DB instances:\n - Edit the DB parameter group attached to the instance (or create one and attach it)\n - Set rds.force_ssl = 1 for PostgreSQL/SQL Server, or require_secure_transport = 1 for MySQL/MariaDB\n - Save. If the parameter is static, reboot the instance\n3. For Aurora clusters:\n - Edit the DB cluster parameter group attached to the cluster (or create one and attach it)\n - Set rds.force_ssl = 1 for Aurora PostgreSQL, or require_secure_transport = ON for Aurora MySQL\n - Save. Reboot instances if changes are pending-reboot\n4. Verify the parameter group is associated to the target instance/cluster and status shows the new value applied", + "Terraform": "```hcl\n# DB instances\nresource \"aws_db_parameter_group\" \"example_pg\" {\n name = \"\"\n family = \"\"\n\n parameter {\n name = \"rds.force_ssl\"\n value = \"1\" # Critical: requires SSL/TLS for PostgreSQL/SQL Server instances\n }\n}\n\nresource \"aws_db_parameter_group\" \"example_mysql\" {\n name = \"\"\n family = \"\"\n\n parameter {\n name = \"require_secure_transport\"\n value = \"1\" # Critical: requires SSL/TLS for MySQL/MariaDB instances\n }\n}\n\n# Aurora clusters\nresource \"aws_rds_cluster_parameter_group\" \"example_aurora_pg\" {\n name = \"\"\n family = \"\"\n\n parameter {\n name = \"rds.force_ssl\"\n value = \"1\" # Critical: requires SSL/TLS for Aurora PostgreSQL clusters\n }\n}\n\nresource \"aws_rds_cluster_parameter_group\" \"example_aurora_mysql\" {\n name = \"\"\n family = \"\"\n\n parameter {\n name = \"require_secure_transport\"\n value = \"ON\" # Critical: requires SSL/TLS for Aurora MySQL clusters\n }\n}\n```" }, "Recommendation": { - "Text": "Ensure that instances provisioned with Amazon RDS enforce SSL/TLS for client connections to meet security and compliance requirements.", - "Url": "https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ssl-connection/" + "Text": "Enforce transport encryption at the database layer:\n- Enable `rds.force_ssl=1` or `require_secure_transport` in parameter groups\n- Configure clients to require certificate validation and prevent fallback\n- Use current TLS versions and trusted CAs\n- Prefer private network access as **defense in depth**", + "Url": "https://hub.prowler.com/check/rds_instance_transport_encrypted" } }, "Categories": [ diff --git a/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.metadata.json b/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.metadata.json index 9693c841b0..5123981aff 100644 --- a/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.metadata.json +++ b/prowler/providers/aws/services/rds/rds_snapshots_encrypted/rds_snapshots_encrypted.metadata.json @@ -1,27 +1,36 @@ { "Provider": "aws", "CheckID": "rds_snapshots_encrypted", - "CheckTitle": "Check if RDS Snapshots and Cluster Snapshots are encrypted.", - "CheckType": [], + "CheckTitle": "RDS DB instance snapshot or DB cluster snapshot is encrypted", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark", + "Effects/Data Exposure" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:snapshot", - "Severity": "medium", + "ResourceIdTemplate": "", + "Severity": "high", "ResourceType": "AwsRdsDbSnapshot", "ResourceGroup": "database", - "Description": "Check if RDS Snapshots and Cluster Snapshots are encrypted.", - "Risk": "Ensure that your manual Amazon RDS database snapshots are encrypted in order to achieve compliance for data-at-rest encryption within your organization.", - "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-4", + "Description": "**RDS DB snapshots** and **DB cluster snapshots** are evaluated for **encryption at rest**, identifying snapshots created with a KMS key versus unencrypted ones.", + "Risk": "Unencrypted snapshots enable direct access to full database data if backups are leaked, cross-account shared, or stolen. Adversaries can harvest data offline, bypassing network controls, leading to **loss of confidentiality**. Restores from such snapshots propagate the exposure to new instances.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/snapshot-encrypted.html#", + "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-4" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/snapshot-encrypted.html#", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/snapshot-encrypted.html#", - "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/snapshot-encrypted.html#" + "CLI": "aws rds copy-db-snapshot --source-db-snapshot-identifier --target-db-snapshot-identifier -encrypted --kms-key-id ", + "NativeIaC": "", + "Other": "1. In the AWS Console, go to RDS > Snapshots\n2. Select the unencrypted snapshot (for clusters, use the DB cluster snapshots tab)\n3. Click Actions > Copy snapshot\n4. Check Enable encryption and choose a KMS key\n5. Click Copy snapshot and wait for completion\n6. After verifying the new encrypted snapshot, delete the original unencrypted snapshot (Actions > Delete snapshot)", + "Terraform": "```hcl\nresource \"aws_db_snapshot_copy\" \"\" {\n source_db_snapshot_identifier = \"\"\n target_db_snapshot_identifier = \"-encrypted\"\n kms_key_id = \"\" # Critical: encrypts the copied snapshot using the specified KMS key\n}\n```" }, "Recommendation": { - "Text": "When working with production databases that hold sensitive and critical data, it is strongly recommended to implement encryption at rest and protect your data from attackers or unauthorized personnel. ", - "Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-4" + "Text": "Encrypt all RDS snapshots at rest using **KMS**, preferably **customer-managed keys**. Apply **least privilege** to key usage, enforce encryption via templates and automation, and prevent sharing of unencrypted backups. Use **key rotation**, separation of duties, and ensure copies and cross-account shares remain encrypted.", + "Url": "https://hub.prowler.com/check/rds_snapshots_encrypted" } }, "Categories": [ diff --git a/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.metadata.json b/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.metadata.json index be565e27cb..19c0fbc838 100644 --- a/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.metadata.json +++ b/prowler/providers/aws/services/rds/rds_snapshots_public_access/rds_snapshots_public_access.metadata.json @@ -1,27 +1,37 @@ { "Provider": "aws", "CheckID": "rds_snapshots_public_access", - "CheckTitle": "Check if RDS Snapshots and Cluster Snapshots are public.", - "CheckType": [], + "CheckTitle": "RDS snapshot is not publicly shared", + "CheckType": [ + "Software and Configuration Checks/AWS Security Best Practices", + "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices", + "Effects/Data Exposure", + "TTPs/Collection" + ], "ServiceName": "rds", "SubServiceName": "", - "ResourceIdTemplate": "arn:aws:rds:region:account-id:snapshot", + "ResourceIdTemplate": "", "Severity": "critical", "ResourceType": "AwsRdsDbSnapshot", "ResourceGroup": "database", - "Description": "Check if RDS Snapshots and Cluster Snapshots are public.", - "Risk": "Publicly accessible services could expose sensitive data to bad actors. t is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat. If your RDS snapshot is public, then the data which is backed up in that snapshot is accessible to all other AWS accounts.", - "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html", + "Description": "**RDS DB snapshots** and **DB cluster snapshots** with **public visibility** (shared with `all` AWS accounts) are detected.\n\nSnapshots limited to specific accounts or kept private are identified as restricted.", + "Risk": "Public RDS snapshots expose full database copies to all AWS accounts, risking:\n- Loss of confidentiality via data exfiltration (PII, secrets)\n- Offline cracking of hashes and schema reconnaissance\n- Credential harvesting from dumps enabling lateral movement\nThis directly compromises confidentiality and fuels targeted attacks.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/public-snapshots.html", + "https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html", + "https://support.icompaas.com/support/solutions/articles/62000127056-ensure-rds-snapshots-and-cluster-snapshots-are-not-public" + ], "Remediation": { "Code": { "CLI": "aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-remove all", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/public-snapshots.html", + "Other": "1. Open the Amazon RDS console and go to Snapshots\n2. Select the public snapshot (DB snapshot or DB cluster snapshot)\n3. Click Actions > Share snapshot\n4. Set visibility to Private (remove \"All\" from permissions) and click Save", "Terraform": "" }, "Recommendation": { - "Text": "Use AWS Config to identify any snapshot that is public.", - "Url": "https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html" + "Text": "Keep **RDS snapshots** and **cluster snapshots** private. Share only with explicit AWS account IDs using **least privilege** and time-bound access.\n\nEnforce guardrails to block `public` visibility, require approvals for sharing, and audit snapshot permissions. Use encryption with strict key policies to control who can restore data.", + "Url": "https://hub.prowler.com/check/rds_snapshots_public_access" } }, "Categories": [