RDS Desired Instance Type

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RDS-025

Determine if the RDS database instances provisioned in your AWS account (including Read Replicas for Multi-AZ deployments) have the desired instance types established by your organization based on the database workload deployed. Cloud Conformity provides you with the ability to define the desired database instance type based on your workload requirements upon enabling this rule.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits for the type of Amazon RDS instances provisioned in your AWS account will help you address internal compliance requirements and prevent unexpected charges on your AWS bill.

Note 1: You can also limit your RDS database instances to the desired instance type using AWS Organizations service by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.
Note 2: The desired RDS database instance type used as an example in this rule is db.m4.large. To meet your own organizational requirements, you will need to configure this rule with your desired instance types.


Audit

To determine if the RDS instances launched within your AWS account have the desired instance type, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard section, choose Instances.

04 Select All instances option from the Filter dropdown list to return the list with all RDS instances, including Read Replicas, provisioned within the selected region.

05 Check the class (type) value for each RDS database instance available in the current AWS region, listed in the Class column, e.g.

RDS Class

If the value (i.e. instance type) listed in the Class column is not the same for all provisioned RDS resources, the RDS database instances available in the current region were not launched using the desired type. In that case you must take action and create an AWS support case to limit RDS instance provisioning to the desired/required instance type only (see the Remediation/Resolution section).

06 Change the AWS region from the navigation bar and repeat steps 4 and 5 for all other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the class (type) of the RDS database instances currently available in the selected region:

aws rds describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceClass'

02 The command output should return a table with the requested RDS instance type(s):

---------------------
|DescribeDBInstances|
+-------------------+
|   db.m3.medium    |
|   db.m3.medium    |
|   db.t2.micro     |
+-------------------+

If the value (i.e. instance type) listed in the command output is not the same for all existing instances, the RDS database instances available in the current region were not created using the desired type. In that case you must take action and raise an AWS support case to limit RDS instance creation to the required instance type only.

03 Repeat steps 1 and 2 to perform the audit process for all other AWS regions.
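The following script is an added example (not part of the Conformity page or its tooling) that automates the CLI audit above and also emits the preventive Service Control Policy described in Note 1. It reads the JSON output of aws rds describe-db-instances from stdin, flags every instance (read replicas included) whose DBInstanceClass is not in the desired set, and builds an SCP on the rds:DatabaseClass condition key; the instance identifiers below are constructed sample data, and the desired class is the page's example, db.m4.large.

```python
"""Audit RDS instance classes against the organization's desired types.

Usage: aws rds describe-db-instances --region us-east-1 --output json | python check_rds_class.py
Without stdin input it runs against the constructed sample below.
"""
import json
import sys

DESIRED_CLASSES = {"db.m4.large"}  # the page's example; set to your own standard

# Constructed sample in the shape of describe-db-instances output (not real data).
SAMPLE_OUTPUT = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "DBInstanceClass": "db.m4.large", "MultiAZ": True},
    {"DBInstanceIdentifier": "orders-prod-replica", "DBInstanceClass": "db.m3.medium",
     "MultiAZ": False, "ReadReplicaSourceDBInstanceIdentifier": "orders-prod"},
    {"DBInstanceIdentifier": "dev-scratch", "DBInstanceClass": "db.t2.micro", "MultiAZ": False},
]}


def find_noncompliant(describe_output, desired_classes=DESIRED_CLASSES):
    """Return [(identifier, class, is_read_replica)] for every instance whose
    class is outside desired_classes. Read replicas are included because the
    rule covers them; an empty list means the region is compliant."""
    bad = []
    for db in describe_output.get("DBInstances", []):
        cls = db.get("DBInstanceClass", "")
        if cls not in desired_classes:
            bad.append((db["DBInstanceIdentifier"], cls,
                        "ReadReplicaSourceDBInstanceIdentifier" in db))
    return bad


def build_scp(desired_classes=DESIRED_CLASSES):
    """Build the SCP from Note 1: deny creating or resizing an RDS instance to
    any class outside desired_classes. The Null condition restricts the deny to
    requests that actually carry rds:DatabaseClass, so a ModifyDBInstance call
    that changes only other settings is not blocked by the negated match."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUndesiredRdsInstanceClass",
        "Effect": "Deny",
        "Action": ["rds:CreateDBInstance", "rds:CreateDBInstanceReadReplica",
                   "rds:ModifyDBInstance"],
        "Resource": "*",
        "Condition": {"Null": {"rds:DatabaseClass": "false"},
                      "StringNotEquals": {"rds:DatabaseClass": sorted(desired_classes)}},
    }]}


if __name__ == "__main__":
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    for ident, cls, replica in find_noncompliant(data):
        print(f"NON-COMPLIANT {ident}: {cls}{' (read replica)' if replica else ''}")
    print(json.dumps(build_scp(), indent=2))
```

Run it once per region, exactly as the audit steps above repeat the CLI command per region, since describe-db-instances only returns instances from the region you pass.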

Remediation / Resolution

To limit the new RDS database instances to the desired instance type, raise an AWS support case where you explain why you need this type of limitation. For any existing RDS instances launched without using the desired instance type, just update their configuration by changing the DB Instance Class config parameter to the desired instance type (e.g. RDS DB Instance Class).
To create the necessary AWS support case, perform the following actions:

Note: Creating a support case to request the necessary limitation using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Create Case support page, perform the following:

  1. Under Regarding, select Account and Billing Support.
  2. Choose Other Account Issues from the Category dropdown list.
  3. In the Subject field, enter the request subject, e.g. "Limit RDS database instances launch to a desired class/type".
  4. In the Description textbox, enter a brief description where you explain why you need to limit the provisioning of RDS instances to a specific class so that AWS support can evaluate your case promptly.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services. A customer support representative will contact you shortly.

Publication date Sep 13, 2017