Table: aws_rds_instances

This table shows data for Amazon Relational Database Service (RDS) Instances.

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBInstance.html (opens in a new tab)

The primary key for this table is arn.

Columns

NameType
_cq_iduuid
_cq_parent_iduuid
account_idutf8
regionutf8
arn (PK)utf8
processor_featuresjson
tagsjson
activity_stream_engine_native_audit_fields_includedbool
activity_stream_kinesis_stream_nameutf8
activity_stream_kms_key_idutf8
activity_stream_modeutf8
activity_stream_policy_statusutf8
activity_stream_statusutf8
allocated_storageint64
associated_rolesjson
auto_minor_version_upgradebool
automatic_restart_timetimestamp[us, tz=UTC]
automation_modeutf8
availability_zoneutf8
aws_backup_recovery_point_arnutf8
backup_retention_periodint64
backup_targetutf8
ca_certificate_identifierutf8
certificate_detailsjson
character_set_nameutf8
copy_tags_to_snapshotbool
custom_iam_instance_profileutf8
customer_owned_ip_enabledbool
db_cluster_identifierutf8
db_instance_arnutf8
db_instance_automated_backups_replicationsjson
db_instance_classutf8
db_instance_identifierutf8
db_instance_statusutf8
db_nameutf8
db_parameter_groupsjson
db_security_groupsjson
db_subnet_groupjson
db_system_idutf8
db_instance_portint64
dbi_resource_idutf8
deletion_protectionbool
domain_membershipsjson
enabled_cloudwatch_logs_exportslist<item: utf8, nullable>
endpointjson
engineutf8
engine_versionutf8
enhanced_monitoring_resource_arnutf8
iam_database_authentication_enabledbool
instance_create_timetimestamp[us, tz=UTC]
iopsint64
kms_key_idutf8
latest_restorable_timetimestamp[us, tz=UTC]
license_modelutf8
listener_endpointjson
master_user_secretjson
master_usernameutf8
max_allocated_storageint64
monitoring_intervalint64
monitoring_role_arnutf8
multi_azbool
nchar_character_set_nameutf8
network_typeutf8
option_group_membershipsjson
pending_modified_valuesjson
percent_progressutf8
performance_insights_enabledbool
performance_insights_kms_key_idutf8
performance_insights_retention_periodint64
preferred_backup_windowutf8
preferred_maintenance_windowutf8
promotion_tierint64
publicly_accessiblebool
read_replica_db_cluster_identifierslist<item: utf8, nullable>
read_replica_db_instance_identifierslist<item: utf8, nullable>
read_replica_source_db_cluster_identifierutf8
read_replica_source_db_instance_identifierutf8
replica_modeutf8
resume_full_automation_mode_timetimestamp[us, tz=UTC]
secondary_availability_zoneutf8
status_infosjson
storage_encryptedbool
storage_throughputint64
storage_typeutf8
tde_credential_arnutf8
timezoneutf8
vpc_security_groupsjson

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

Database logging should be enabled

SELECT
  'Database logging should be enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN enabled_cloudwatch_logs_exports IS NULL
  OR (
      engine IN ('aurora', 'aurora-mysql', 'mariadb', 'mysql')
      AND NOT
          (enabled_cloudwatch_logs_exports @> '{audit,error,general,slowquery}')
    )
  OR (
      engine LIKE '%postgres%'
      AND NOT (enabled_cloudwatch_logs_exports @> '{postgresql,upgrade}')
    )
  OR (
      engine LIKE '%oracle%'
      AND NOT
          (enabled_cloudwatch_logs_exports @> '{alert,audit,trace,listener}')
    )
  OR (
      engine LIKE '%sqlserver%'
      AND NOT (enabled_cloudwatch_logs_exports @> '{error,agent}')
    )
  THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;

Enhanced monitoring should be configured for RDS DB instances and clusters

SELECT
  'Enhanced monitoring should be configured for RDS DB instances and clusters'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN enhanced_monitoring_resource_arn IS NULL THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;

IAM authentication should be configured for RDS instances

SELECT
  'IAM authentication should be configured for RDS instances' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN iam_database_authentication_enabled IS NOT true THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;

RDS automatic minor version upgrades should be enabled

SELECT
  'RDS automatic minor version upgrades should be enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN auto_minor_version_upgrade IS NOT true THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;

RDS databases and clusters should not use a database engine default port

(
  SELECT
    'RDS databases and clusters should not use a database engine default port'
      AS title,
    account_id,
    arn AS resource_id,
    CASE
    WHEN (engine IN ('aurora', 'aurora-mysql', 'mysql') AND port = 3306)
    OR (engine LIKE '%postgres%' AND port = 5432)
    THEN 'fail'
    ELSE 'pass'
    END
      AS status
  FROM
    aws_rds_clusters
)
UNION
  (
    SELECT
      'RDS databases and clusters should not use a database engine default port'
        AS title,
      account_id,
      arn AS resource_id,
      CASE
      WHEN (
        engine IN ('aurora', 'aurora-mysql', 'mariadb', 'mysql')
        AND (endpoint->>'Port')::INT8 = 3306
      )
      OR (engine LIKE '%postgres%' AND (endpoint->>'Port')::INT8 = 5432)
      OR (engine LIKE '%oracle%' AND (endpoint->>'Port')::INT8 = 1521)
      OR (engine LIKE '%sqlserver%' AND (endpoint->>'Port')::INT8 = 1433)
      THEN 'fail'
      ELSE 'pass'
      END
        AS status
    FROM
      aws_rds_instances
  );

RDS DB instances should be configured to copy tags to snapshots

SELECT
  'RDS DB instances should be configured to copy tags to snapshots' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN copy_tags_to_snapshot IS NOT true THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;

RDS DB instances should be configured with multiple Availability Zones

SELECT
  'RDS DB instances should be configured with multiple Availability Zones'
    AS title,
  account_id,
  arn AS resource_id,
  CASE WHEN multi_az IS NOT true THEN 'fail' ELSE 'pass' END AS status
FROM
  aws_rds_instances;

RDS DB instances should have deletion protection enabled

SELECT
  'RDS DB instances should have deletion protection enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN deletion_protection IS NOT true THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;

RDS DB instances should have encryption at rest enabled

SELECT
  'RDS DB instances should have encryption at rest enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE WHEN storage_encrypted IS NOT true THEN 'fail' ELSE 'pass' END AS status
FROM
  aws_rds_instances;

RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration

SELECT
  'RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration'
    AS title,
  account_id,
  arn AS resource_id,
  CASE WHEN publicly_accessible IS true THEN 'fail' ELSE 'pass' END AS status
FROM
  aws_rds_instances;

An RDS event notifications subscription should be configured for critical database instance events

WITH
  any_category
    AS (
      SELECT
        DISTINCT true AS any_category
      FROM
        aws_rds_event_subscriptions
      WHERE
        (source_type IS NULL OR source_type = 'db-instance')
        AND event_categories_list IS NULL
    ),
  any_source_id
    AS (
      SELECT
        COALESCE(array_agg(category), '{}'::STRING[]) AS any_source_categories
      FROM
        aws_rds_event_subscriptions, unnest(event_categories_list) AS category
      WHERE
        source_type = 'db-instance' AND event_categories_list IS NOT NULL
    ),
  specific_categories
    AS (
      SELECT
        source_id, array_agg(category) AS specific_cats
      FROM
        aws_rds_event_subscriptions,
        unnest(source_ids_list) AS source_id,
        unnest(event_categories_list) AS category
      WHERE
        source_type = 'db-instance'
      GROUP BY
        source_id
    )
SELECT
  'An RDS event notifications subscription should be configured for critical database instance events'
    AS title,
  aws_rds_instances.account_id,
  aws_rds_instances.arn AS resource_id,
  CASE
  WHEN any_category IS NOT true
  AND NOT
      (
        any_source_categories
        @> '{"maintenance","configuration change","failure"}'
      )
  AND (
      specific_cats IS NULL
      OR NOT
          (specific_cats @> '{"maintenance","configuration change","failure"}')
    )
  THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances
  LEFT JOIN any_category ON true
  INNER JOIN any_source_id ON true
  LEFT JOIN specific_categories ON
      db_instance_identifier = specific_categories.source_id;

RDS instances should be deployed in a VPC

SELECT
  'RDS instances should be deployed in a VPC' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN (db_subnet_group->>'VpcId') IS NULL THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_rds_instances;