AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-06-07 · Documentation high

File: securityhub/latest/userguide/rds-controls.md

Summary

Removed RDS.18 control and its associated documentation which required RDS instances to be deployed in a VPC.

Security assessment

The change removes a security control (RDS.18) that enforced deploying RDS instances within VPCs for network security benefits. While this control was security-related, the removal doesn't indicate a specific security vulnerability being addressed. There's no evidence of a security incident; it appears to be a deprecation of this specific requirement.

Diff

diff --git a/securityhub/latest/userguide/rds-controls.md b/securityhub/latest/userguide/rds-controls.md
index b76b09d5d..c1038d08c 100644
--- a//securityhub/latest/userguide/rds-controls.md
+++ b//securityhub/latest/userguide/rds-controls.md
@@ -7 +7 @@
-[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.43] RDS DB proxies should require TLS encryption for connections[RDS.44] RDS for MariaDB DB instances should be encrypted in transit[RDS.45] Aurora MySQL DB clusters should have audit logging enabled[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots[RDS.50] RDS DB clusters should have enough backup retention period set[RDS.51] RDS global clusters should run on a supported Aurora MySQL version
+[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.43] RDS DB proxies should require TLS encryption for connections[RDS.44] RDS for MariaDB DB instances should be encrypted in transit[RDS.45] Aurora MySQL DB clusters should have audit logging enabled[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots[RDS.50] RDS DB clusters should have enough backup retention period set[RDS.51] RDS global clusters should run on a supported Aurora MySQL version
@@ -503,22 +502,0 @@ To automatically copy tags to snapshots for an RDS DB instance, see [Modifying a
-## [RDS.18] RDS instances should be deployed in a VPC
-
-**Category:** Protect > Secure network configuration > Resources within VPC 
-
-**Severity:** High
-
-**Resource type:** `AWS::RDS::DBInstance`
-
-**AWS Config rule:** `rds-deployed-in-vpc` (custom Security Hub CSPM rule)
-
-**Schedule type:** Change triggered
-
-**Parameters:** None
-
-This control checks whether an Amazon RDS instance is deployed on an EC2-VPC.
-
-VPCs provide a number of network controls to secure access to RDS resources. These controls include VPC Endpoints, network ACLs, and security groups. To take advantage of these controls, we recommend that you create your RDS instances on an EC2-VPC.
-
-### Remediation
-
-For instructions on moving RDS instances to a VPC, see [Updating the VPC for a DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.VPC2VPC.html) in the _Amazon RDS User Guide_.
-