AWS Security ChangesHomeSearch

AWS securityhub high security documentation change

Service: securityhub · 2025-04-16 · Security-related high

File: securityhub/latest/userguide/rds-controls.md

Summary

Added new controls RDS.41 (SQL Server encryption in transit), RDS.42 (MariaDB logs to CloudWatch), RDS.46 (prevent RDS in public subnets with IGW routes). Updated parameter constraints for requiredTagKeys to maximum 6 items. Consolidated introductory text.

Security assessment

New controls RDS.41, RDS.42, and RDS.46 address encryption in transit, logging, and network security. RDS.46 specifically mitigates critical exposure risks by preventing RDS instances in public subnets with internet access. Other changes are non-security related documentation updates.

Diff

diff --git a/securityhub/latest/userguide/rds-controls.md b/securityhub/latest/userguide/rds-controls.md
index 3b8217435..2e763893b 100644
--- a//securityhub/latest/userguide/rds-controls.md
+++ b//securityhub/latest/userguide/rds-controls.md
@@ -5 +5 @@
-[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] RDS DB clusters should be configured to copy tags to snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs
+[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] RDS DB clusters should be configured to copy tags to snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways
@@ -9,3 +9 @@
-These AWS Security Hub controls evaluate the Amazon Relational Database Service (Amazon RDS) service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the Amazon Relational Database Service (Amazon RDS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -790 +788 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -820 +818 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -850 +848 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -880 +878 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -910 +908 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -940 +938 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList  | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value   
+`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value   
@@ -1129,0 +1128,72 @@ For information about publishing logs to CloudWatch Logs for an RDS for SQL Serv
+## [RDS.41] RDS for SQL Server DB instances should be encrypted in transit
+
+**Category:** Protect > Data Protection > Encryption of data-in-transit
+
+**Severity:** Medium
+
+**Resource type:** `AWS::RDS::DBInstance`
+
+**AWS Config rule:** [rds-sqlserver-encrypted-in-transit](https://docs.aws.amazon.com/config/latest/developerguide/rds-sqlserver-encrypted-in-transit.html)
+
+**Schedule type:** Periodic
+
+**Parameters:** None
+
+This control checks whether a connection to an Amazon RDS for Microsoft SQL Server DB instance is encrypted in transit. The control fails if the `rds.force_ssl` parameter of the parameter group associated with the DB instance is set to `0 (off)`.
+
+Data in transit refers to data that moves from one location to another, such as between nodes in a DB cluster or between a DB cluster and a client application. Data can move across the internet or within a private network. Encrypting data in transit reduces the risk of unauthorized users eavesdropping on network traffic.
+
+### Remediation
+
+For information about enabling SSL/TLS for connections to Amazon RDS DB instances running Microsoft SQL Server, see [Using SSL with a Microsoft SQL Server DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html) in the _Amazon Relational Database Service User Guide_.
+
+## [RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs
+
+**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)
+
+**Category:** Identify > Logging
+
+**Severity:** Medium
+
+**Resource type:** `AWS::RDS::DBInstance`
+
+**AWS Config rule:** [mariadb-publish-logs-to-cloudwatch-logs](https://docs.aws.amazon.com/config/latest/developerguide/mariadb-publish-logs-to-cloudwatch-logs.html)
+
+**Schedule type:** Periodic
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`logTypes` |  A list of the types of logs that a MariaDB DB instance should be configured to publish to CloudWatch Logs. The control generates a `FAILED` finding if a DB instance isn't configured to publish a log type specified in the list. |  EnumList (maximum of 4 items) |  `audit`, `error`, `general`, `slowquery` |  `audit, error`  
+  
+This control checks whether an Amazon RDS for MariaDB DB instance is configured to publish certain types of logs to Amazon CloudWatch Logs. The control fails if the MariaDB DB instance isn't configured to publish the logs to CloudWatch Logs. You can optionally specify which types of logs a MariaDB DB instance should be configured to publish.
+
+Database logging provides detailed records of requests made to an Amazon RDS for MariaDB DB instance. Publishing logs to Amazon CloudWatch Logs centralizes log management and helps you perform real-time analysis of the log data. In addition, CloudWatch Logs retains the logs in durable storage, which can support security, access, and availability reviews and audits. With CloudWatch Logs, you can also create alarms and review metrics.
+
+### Remediation
+
+For information about configuring an Amazon RDS for MariaDB DB instance to publish logs to Amazon CloudWatch Logs, see [Publishing MariaDB logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.MariaDB.PublishtoCloudWatchLogs.html) in the _Amazon Relational Database Service User Guide_.
+
+## [RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways
+
+**Category:** Protect > Secure network configuration > Resources not publicly accessible
+
+**Severity:** Critical
+
+**Resource type:** `AWS::RDS::DBInstance`
+
+**AWS Config rule:** [rds-instance-subnet-igw-check](https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-subnet-igw-check.html)
+
+**Schedule type:** Periodic
+
+**Parameters:** None
+
+This control checks whether an Amazon RDS DB instance is deployed in a public subnet with a route to an internet gateway. The control fails if the RDS DB instance is deployed in a public subnet with a route to an internet gateway.
+
+By provisioning your Amazon RDS resources in private subnets, you can prevent your RDS resources from receiving inbound traffic from the public internet, which can prevent unintended access to your RDS DB instances. If RDS resources are provisioned in a public subnet that is open to the internet, they might be vulnerable to risks such as data exfiltration.
+
+### Remediation
+
+For information about provisioning a private subnet for an Amazon RDS DB instance, see [Working with a DB instance in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the _Amazon Relational Database Service User Guide_.
+