πŸ›‘οΈ AWS GuardDuty Detector RDS Protection is not enabled🟒

  • Contextual name: 🛡️ Detector RDS Protection is not enabled 🟢
  • ID: /ce/ca/aws/guardduty/detector-rds-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description

This policy identifies AWS GuardDuty Detectors that do not have RDS Protection enabled.

RDS Protection in Amazon GuardDuty analyzes and profiles login activity for potential access threats to your Amazon Aurora databases (MySQL- and PostgreSQL-compatible editions) and Amazon RDS for PostgreSQL instances.

Rationale

GuardDuty RDS Protection monitors and analyzes RDS login activity to detect potential threats. It identifies suspicious login behaviors, such as an unusually high number of failed login attempts or successful logins from unfamiliar locations or known malicious IP addresses.

Impact

Charges for GuardDuty RDS Protection are based on the number of protected RDS provisioned instance vCPUs per month.

Audit

This policy flags an AWS GuardDuty Detector as INCOMPLIANT if the RDS_LOGIN_EVENTS Feature is not set to ENABLED.

Remediation

Enable RDS Protection

For Multi-Account Environments

In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable RDS Protection for member accounts. Member accounts cannot modify this configuration directly.

From Command Line

```bash
aws guardduty update-member-detectors \
  --detector-id {{detector-id}} \
  --account-ids {{account-id1}} {{account-id2}} \
  --region {{region}} \
  --features 'Name=RDS_LOGIN_EVENTS,Status=ENABLED'
```

The delegated administrator can also have RDS Protection enabled automatically, either for all existing member accounts (ALL) or only for new accounts as they join the organization (NEW):

```bash
aws guardduty update-organization-configuration \
  --detector-id {{detector-id}} \
  --region {{region}} \
  --features 'Name=RDS_LOGIN_EVENTS,AutoEnable={{NEW | ALL}}'
```

For a Standalone Account

If your account is not associated with a delegated GuardDuty administrator via AWS Organizations, enable RDS Protection directly:

```bash
aws guardduty update-detector \
  --detector-id {{detector-id}} \
```
... [see more](remediation.md)
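The Audit rule above (INCOMPLIANT unless the RDS_LOGIN_EVENTS feature is ENABLED) and the two remediation paths (delegated administrator versus standalone account) are combined below in one added example. It is not Cloudaware's policy code or a script from the page; it evaluates the JSON shape that `aws guardduty get-detector` returns (a top-level `Features` list with `Name` and `Status` entries) so the check can be run offline on saved CLI output. The three sample detectors, their ids, the account ids and the region are constructed placeholders; the `--features` value for `update-detector` is assumed to use the same syntax the page shows for `update-member-detectors`.

```python
"""Audit GuardDuty detectors for RDS Protection and build the fix command.

Added example, not the page's or Cloudaware's own code. Input shape follows
`aws guardduty get-detector`: {"Status": ..., "Features": [{"Name": ..., "Status": ...}, ...]}.
"""
import shlex

RDS_FEATURE = "RDS_LOGIN_EVENTS"


def evaluate_detector(detector: dict) -> dict:
    """Apply the policy's Audit rule: INCOMPLIANT unless the RDS_LOGIN_EVENTS
    feature is present and its Status is ENABLED. A detector created before the
    feature existed may lack the entry entirely, which is also non-compliant."""
    features = {f.get("Name"): f.get("Status") for f in detector.get("Features", [])}
    status = features.get(RDS_FEATURE)
    if status == "ENABLED":
        return {"compliance": "COMPLIANT", "reason": f"{RDS_FEATURE} is ENABLED"}
    if status is None:
        reason = f"{RDS_FEATURE} feature is absent from the detector configuration"
    else:
        reason = f"{RDS_FEATURE} Status is {status}"
    return {"compliance": "INCOMPLIANT", "reason": reason}


def remediation_argv(detector_id: str, region: str, member_account_ids=None) -> list:
    """Build the AWS CLI argv that enables RDS Protection.

    With member_account_ids the caller is the delegated GuardDuty administrator
    and must use update-member-detectors (members cannot change this themselves);
    otherwise the standalone update-detector form is used. The --features value
    is assumed to match the page's member-detector syntax.
    """
    feature = f"Name={RDS_FEATURE},Status=ENABLED"
    if member_account_ids:
        return ["aws", "guardduty", "update-member-detectors",
                "--detector-id", detector_id,
                "--account-ids", *member_account_ids,
                "--region", region,
                "--features", feature]
    return ["aws", "guardduty", "update-detector",
            "--detector-id", detector_id,
            "--region", region,
            "--features", feature]


def audit(detectors: dict) -> dict:
    """Evaluate every detector; returns {detector_id: evaluation result}."""
    return {det_id: evaluate_detector(det) for det_id, det in detectors.items()}


# Constructed sample: three detectors as get-detector would describe them
# (ids are placeholders, not real detectors).
SAMPLE_DETECTORS = {
    "12abc34d567e8fa901bc2d34e56789f0": {          # compliant
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"},
        ],
    },
    "98ab76cd543e2fa109bc8d76e54321f0": {          # feature explicitly disabled
        "Status": "ENABLED",
        "Features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
            {"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"},
        ],
    },
    "0000aaaa1111bbbb2222cccc3333dddd": {          # feature entry missing
        "Status": "ENABLED",
        "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}],
    },
}


if __name__ == "__main__":
    for det_id, result in audit(SAMPLE_DETECTORS).items():
        print(det_id, result["compliance"], "-", result["reason"])
        if result["compliance"] == "INCOMPLIANT":
            # Standalone form shown; a delegated admin would pass
            # member_account_ids=[...] to get update-member-detectors instead.
            print("  fix:", shlex.join(remediation_argv(det_id, "{{region}}")))
```

Run it against real output by loading `aws guardduty get-detector --detector-id <id>` JSON into a dict keyed by detector id; the two INCOMPLIANT cases (status DISABLED and feature entry absent) are the ones the policy's Audit rule flags.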

policy.yaml

Linked Framework Sections

| Framework | Section | Sub Sections / Internal Rules / Policies / Flags | Compliance |
| --- | --- | --- | --- |
| 💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [GuardDuty.9] GuardDuty RDS Protection should be enabled | 1 | no data |
| 💼 Cloudaware Framework | 💼 Threat Protection | 36 | no data |
| 💼 PCI DSS v3.2.1 | 💼 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. | 113 | no data |
| 💼 PCI DSS v4.0.1 | 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 113 | no data |
| 💼 PCI DSS v4.0.1 | 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | 13 | no data |
| 💼 PCI DSS v4.0.1 | 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | 13 | no data |
| 💼 PCI DSS v4.0 | 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. | 1813 | no data |
| 💼 PCI DSS v4.0 | 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels. | 813 | no data |
| 💼 PCI DSS v4.0 | 💼 11.6.1 A change- and tamper-detection mechanism is deployed. | 13 | no data |