Determine if the RDS database instances provisioned in your AWS account (including Read Replicas for Multi-AZ deployments) have the desired instance types established by your organization based on the database workload deployed. Cloud Conformity provides you with the ability to define the desired database instance type based on your workload requirements upon enabling this rule.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Setting limits for the type of Amazon RDS instances provisioned in your AWS account will help you address internal compliance requirements and prevent unexpected charges on your AWS bill.
Note 1: You can also limit your RDS database instances to the desired instance type using AWS Organizations service by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.
Note 2: The desired RDS database instance type used as an example in this rule is db.m4.large. To meet your own organizational requirements, you will need to configure this rule with your desired instance types.
Audit
To determine if the RDS instances launched within your AWS account have the desired instance type, perform the following:
Remediation / Resolution
To limit new RDS database instances to the desired instance type, raise an AWS support case in which you explain why you need this type of limitation. For any existing RDS instances launched with an instance type other than the desired one, update their configuration by changing the DB Instance Class configuration parameter to the desired instance type (e.g. ).
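The two checks this rule implies, as an added example that is not part of the Conformity page or product: a filter over `aws rds describe-db-instances` output that flags primaries and read replicas whose class is outside the desired set, and a generator for the Service Control Policy described in Note 1. The sample response is constructed; the instance identifiers are invented, and the policy assumes the `rds:DatabaseClass` condition key is honoured by both create actions listed.

```python
import json

# Desired DB instance class(es); the page's example value is db.m4.large.
DESIRED_CLASSES = {"db.m4.large"}

# Constructed sample in the shape of `aws rds describe-db-instances` output.
# Only the fields this check reads are included (assumption).
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-primary", "DBInstanceClass": "db.m4.large",
         "MultiAZ": True, "ReadReplicaDBInstanceIdentifiers": ["orders-replica-1"]},
        {"DBInstanceIdentifier": "orders-replica-1", "DBInstanceClass": "db.r5.2xlarge",
         "MultiAZ": False, "ReadReplicaSourceDBInstanceIdentifier": "orders-primary"},
        {"DBInstanceIdentifier": "reporting-dev", "DBInstanceClass": "db.t3.micro",
         "MultiAZ": False},
    ]
}


def noncompliant_instances(describe_output, desired=DESIRED_CLASSES):
    """Return [(identifier, class, role)] for every instance, primary or read
    replica, whose DBInstanceClass is not in the desired set."""
    findings = []
    for db in describe_output.get("DBInstances", []):
        cls = db.get("DBInstanceClass")
        if cls in desired:
            continue
        # A read replica carries the identifier of its source instance.
        role = "read-replica" if db.get("ReadReplicaSourceDBInstanceIdentifier") else "primary"
        findings.append((db["DBInstanceIdentifier"], cls, role))
    return findings


def deny_undesired_class_scp(desired=DESIRED_CLASSES):
    """Build the SCP from Note 1: deny creating a DB instance or read replica
    unless the requested class is in the desired set."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUndesiredRdsInstanceClass",
            "Effect": "Deny",
            "Action": ["rds:CreateDBInstance", "rds:CreateDBInstanceReadReplica"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"rds:DatabaseClass": sorted(desired)}},
        }],
    }


if __name__ == "__main__":
    for ident, cls, role in noncompliant_instances(SAMPLE_DESCRIBE_OUTPUT):
        print(f"NON-COMPLIANT {ident} ({role}): {cls}")
    print(json.dumps(deny_undesired_class_scp(), indent=2))
```

Against a live account, feed the JSON from `aws rds describe-db-instances` into `noncompliant_instances` and review the SCP output before attaching it, since a Deny with `StringNotEquals` blocks the listed actions for every class outside the set.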
To create the necessary AWS support case, perform the following actions:
References
- AWS Documentation
  - Amazon RDS FAQs
  - Amazon RDS DB Instances
  - DB Instance Class
  - Service Control Policies
- AWS Command Line Interface (CLI) Documentation
  - rds
  - describe-db-instances
RDS Desired Instance Type
Risk Level: Medium