in src/packs/nist-800-53-r4.ts [623:688]
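/**
 * Registers the NIST 800-53 rev4 rules that apply to Amazon RDS resources.
 *
 * Each call to `applyRule` pairs one rule implementation with the finding
 * text shown to the user (`info`, with the mapped 800-53 control IDs) and a
 * longer `explanation`. Every RDS rule in this pack is reported at ERROR
 * level, so a violation fails the check rather than warning.
 *
 * Message text is part of the reported finding, so it is treated as
 * user-facing output here: two grammatical defects in the original strings
 * ("does not enhanced monitoring enabled", "principles ... is required")
 * are corrected; all other strings are unchanged.
 *
 * @param node - the CloudFormation resource being evaluated
 */
private checkRDS(node: CfnResource): void {
  // Shared by every rule below: all RDS findings in this pack are hard failures.
  const level = NagMessageLevel.ERROR;

  // CA-7: continuous monitoring of the instance.
  this.applyRule({
    info: 'The RDS DB instance does not have enhanced monitoring enabled - (Control ID: CA-7(a)(b)).',
    explanation:
      'Enable enhanced monitoring to help monitor Amazon RDS availability. This provides detailed visibility into the health of your Amazon RDS database instances.',
    level,
    rule: RDSEnhancedMonitoringEnabled,
    node,
  });

  // CP-9/CP-10/SI-12: backup coverage. Two separate rules — membership in an
  // AWS Backup plan, and native RDS automated backups — both map to the same
  // controls, so a resource can fail either independently.
  this.applyRule({
    info: 'The RDS DB instance is not in an AWS Backup plan - (Control IDs: CP-9(b), CP-10, SI-12).',
    explanation:
      'To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.',
    level,
    rule: RDSInBackupPlan,
    node,
  });
  this.applyRule({
    info: 'The RDS DB instance does not have backups enabled - (Control IDs: CP-9(b), CP-10, SI-12).',
    explanation:
      'The backup feature of Amazon RDS creates backups of your databases and transaction logs.',
    level,
    rule: RDSInstanceBackupEnabled,
    node,
  });

  // SC-5: deletion protection. Message covers both DB instances and Aurora
  // clusters, unlike the instance-only rules above.
  this.applyRule({
    info: 'The RDS DB instance or Aurora DB cluster does not have deletion protection enabled - (Control ID: SC-5).',
    explanation:
      'Ensure Amazon Relational Database Service (Amazon RDS) instances and clusters have deletion protection enabled. Use deletion protection to prevent your Amazon RDS DB instances and clusters from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.',
    level,
    rule: RDSInstanceDeletionProtectionEnabled,
    node,
  });

  // AC-4/AC-6/AC-21/SC-7: network exposure. "principals" (IAM/network
  // identities), not "principles" — the original text had the wrong word.
  this.applyRule({
    info: 'The RDS DB instance allows public access - (Control IDs: AC-4, AC-6, AC-21(b), SC-7, SC-7(3)).',
    explanation:
      'Amazon RDS database instances can contain sensitive information, and principals and access control are required for such accounts.',
    level,
    rule: RDSInstancePublicAccess,
    node,
  });

  // AC-2/AU-2/AU-3/AU-12: audit logging. Note the rule demands *all*
  // CloudWatch log types be exported, not just some.
  this.applyRule({
    info: 'The RDS DB instance does not have all CloudWatch log types exported - (Control IDs: AC-2(4), AC-2(g), AU-2(a)(d), AU-3, AU-12(a)(c)).',
    explanation:
      'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.',
    level,
    rule: RDSLoggingEnabled,
    node,
  });

  // CP-10/SC-5/SC-36: availability. Scoped to non-Aurora instances per the
  // message text (Aurora clusters replicate across AZs by design).
  this.applyRule({
    info: 'The non-Aurora RDS DB instance does not have multi-AZ support enabled - (Control IDs: CP-10, SC-5, SC-36).',
    explanation:
      'Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances. When you provision a Multi-AZ database instance, Amazon RDS automatically creates a primary database instance, and synchronously replicates the data to a standby instance in a different Availability Zone. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby so that you can resume database operations as soon as the failover is complete.',
    level,
    rule: RDSMultiAZSupport,
    node,
  });

  // SC-13/SC-28: encryption at rest, for both instances and Aurora clusters.
  this.applyRule({
    info: 'The RDS DB instance or Aurora DB cluster does not have storage encrypted - (Control IDs: SC-13, SC-28).',
    explanation:
      'Because sensitive data can exist at rest in Amazon RDS DB instances and clusters, enable encryption at rest to help protect that data.',
    level,
    rule: RDSStorageEncrypted,
    node,
  });
}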