[RDS.6]
Enhanced monitoring should be configured for RDS DB instances and clusters
Description
RDS DB instances should not be publicly accessible. A publicly accessible DB instance has a publicly resolvable DNS name that resolves to a public IP address. Unless public access is required, instances should remain private so that unnecessary traffic cannot reach the database. This rule is COMPLIANT when an instance is not publicly accessible.
Details
| Property | Value |
|---|---|
| Category | Detect > Detection services |
| Compliance Control ID | RDS.6 |
| FortifyFox ID | FF100034 |
| Link | RDS.6 Compliance |
| Resource Type(s) | AWS::RDS::DBInstance |
| Severity | Low |
Remediation
Use the following CloudFormation templates to deploy an RDS DB instance that is compliant with RDS.6.
YAML Template
```yaml
Resources:
  rdsDB:
    Type: "AWS::RDS::DBInstance"
    Properties:
      # Enhanced monitoring granularity in seconds; 0 would disable it
      MonitoringInterval: 60
      # IAM role RDS assumes to publish enhanced monitoring metrics
      MonitoringRoleArn: YOUR_ROLE_ARN
```
JSON Template
```json
{
  "Resources": {
    "rdsDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MonitoringInterval": 60,
        "MonitoringRoleArn": "YOUR_ROLE_ARN"
      }
    }
  }
}
```
You must replace YOUR_ROLE_ARN with the ARN of the IAM role RDS uses for enhanced monitoring. You can replace 60 with your desired interval in seconds.
📓 Notes
- You must have created an IAM role with a policy that allows RDS enhanced monitoring.
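The following checker is an added illustration of how the RDS.6 property requirements above can be evaluated against a CloudFormation template; it is not FortifyFox's own evaluation code. It assumes a template given as JSON and treats a leftover YOUR_ROLE_ARN placeholder, an interval of 0 and an interval outside the values RDS accepts as non-compliant.

```python
import json

# MonitoringInterval values RDS accepts, in seconds; 0 disables enhanced monitoring.
VALID_INTERVALS = {0, 1, 5, 10, 15, 30, 60}

def evaluate_db_instance(props):
    """Return (compliant, reason) for one AWS::RDS::DBInstance's Properties."""
    raw = props.get("MonitoringInterval", 0)
    try:
        interval = int(raw)  # templates may quote the number ("60")
    except (TypeError, ValueError):
        return False, f"MonitoringInterval {raw!r} is not an integer"
    if interval not in VALID_INTERVALS:
        return False, f"MonitoringInterval {interval} is not one of {sorted(VALID_INTERVALS)}"
    if interval == 0:
        return False, "enhanced monitoring disabled (MonitoringInterval 0 or unset)"
    role = props.get("MonitoringRoleArn")
    # A placeholder such as YOUR_ROLE_ARN is not a usable IAM role ARN
    if not isinstance(role, str) or not role.startswith("arn:") or ":role/" not in role:
        return False, "MonitoringRoleArn missing or not an IAM role ARN"
    return True, f"enhanced monitoring every {interval}s via {role}"

def evaluate_template(template):
    """Map each RDS DB instance logical ID to its (compliant, reason) result."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::RDS::DBInstance":
            results[logical_id] = evaluate_db_instance(res.get("Properties", {}))
    return results

# Constructed sample template (hypothetical account ID and role name): one
# compliant instance, one with the placeholder left in place, one with
# monitoring switched off.
SAMPLE_TEMPLATE = json.loads("""
{ "Resources": {
    "goodDB": { "Type": "AWS::RDS::DBInstance", "Properties": {
        "MonitoringInterval": "60",
        "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role" } },
    "placeholderDB": { "Type": "AWS::RDS::DBInstance", "Properties": {
        "MonitoringInterval": 60, "MonitoringRoleArn": "YOUR_ROLE_ARN" } },
    "quietDB": { "Type": "AWS::RDS::DBInstance", "Properties": {
        "MonitoringInterval": 0 } } } }
""")

if __name__ == "__main__":
    for name, (ok, why) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'COMPLIANT' if ok else 'NON_COMPLIANT'} - {why}")
```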