AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-05-10 · Security-related medium

File: securityhub/latest/userguide/rds-controls.md

Summary

Replaced control [RDS.46] (public subnet check) with [RDS.44] (MariaDB encryption in transit), updating category, severity, config rule, and control description

Security assessment

The change replaces a network security control (preventing public exposure) with a data protection control (enforcing TLS encryption for MariaDB). Both address security aspects - the new control specifically mitigates risks of unencrypted data interception in transit. The encryption requirement directly addresses security through data confidentiality protection.

Diff

diff --git a/securityhub/latest/userguide/rds-controls.md b/securityhub/latest/userguide/rds-controls.md
index e74decf7c..2a9ada8e5 100644
--- a//securityhub/latest/userguide/rds-controls.md
+++ b//securityhub/latest/userguide/rds-controls.md
@@ -5 +5 @@
-[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] RDS DB clusters should be configured to copy tags to snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways
+[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] RDS DB clusters should be configured to copy tags to snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.44] RDS for MariaDB DB instances should be encrypted in transit
@@ -1193 +1193 @@ For information about configuring an Amazon RDS for MariaDB DB instance to publi
-## [RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways
+## [RDS.44] RDS for MariaDB DB instances should be encrypted in transit
@@ -1195 +1195 @@ For information about configuring an Amazon RDS for MariaDB DB instance to publi
-**Category:** Protect > Secure network configuration > Resources not publicly accessible
+**Category:** Protect > Data Protection > Encryption of data-in-transit
@@ -1197 +1197 @@ For information about configuring an Amazon RDS for MariaDB DB instance to publi
-**Severity:** Critical
+**Severity:** Medium
@@ -1201 +1201 @@ For information about configuring an Amazon RDS for MariaDB DB instance to publi
-**AWS Config rule:** [rds-instance-subnet-igw-check](https://docs.aws.amazon.com/config/latest/developerguide/rds-instance-subnet-igw-check.html)
+**AWS Config rule:** [rds-mariadb-instance-encrypted-in-transit](https://docs.aws.amazon.com/config/latest/developerguide/rds-mariadb-instance-encrypted-in-transit.html)
@@ -1207 +1207 @@ For information about configuring an Amazon RDS for MariaDB DB instance to publi
-This control checks whether an Amazon RDS DB instance is deployed in a public subnet with a route to an internet gateway. The control fails if the RDS DB instance is deployed in a public subnet with a route to an internet gateway.
+This control checks whether connections to an Amazon RDS for MariaDB DB instance are encrypted in transit. The control fails if the DB parameter group associated with the DB instance is not in sync, or the `require_secure_transport` parameter of the parameter group is not set to `ON`.
@@ -1209 +1209,5 @@ This control checks whether an Amazon RDS DB instance is deployed in a public su
-By provisioning your Amazon RDS resources in private subnets, you can prevent your RDS resources from receiving inbound traffic from the public internet, which can prevent unintended access to your RDS DB instances. If RDS resources are provisioned in a public subnet that is open to the internet, they might be vulnerable to risks such as data exfiltration.
+###### Note
+
+This control doesn't evaluate Amazon RDS DB instances that use MariaDB versions earlier than version 10.5. The `require_secure_transport` parameter is supported only for MariaDB versions 10.5 and later.
+
+Data in transit refers to data that moves from one location to another, such as between nodes in a DB cluster or between a DB cluster and a client application. Data can move across the internet or within a private network. Encrypting data in transit reduces the risk of unauthorized users eavesdropping on network traffic.
@@ -1213 +1217 @@ By provisioning your Amazon RDS resources in private subnets, you can prevent yo
-For information about provisioning a private subnet for an Amazon RDS DB instance, see [Working with a DB instance in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the _Amazon Relational Database Service User Guide_.
+For information about enabling SSL/TLS for connections to an Amazon RDS for MariaDB DB instance, see [Requiring SSL/TLS for all connections to a MariaDB DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mariadb-ssl-connections.require-ssl.html) in the _Amazon Relational Database Service User Guide_.