GuardDuty RDS Protection - Amazon GuardDuty
Supported databasesHow RDS Protection uses RDS login activity monitoringConfiguring RDS Protection for a standalone accountConfiguring RDS Protection in multiple-account environments

GuardDuty RDS Protection

RDS Protection in Amazon GuardDuty analyzes and profiles RDS login activity for potential access threats to your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition). This feature allows you to identify potentially suspicious login behavior. RDS Protection doesn't require additional infrastructure; it is designed so as not to affect the performance of your database instances.

When RDS Protection detects a potentially suspicious or anomalous login attempt that indicates a threat to your database, GuardDuty generates a new finding with details about the potentially compromised database.

You can enable or disable the RDS Protection feature for any account in any AWS Region where this feature is available within Amazon GuardDuty, at any time. An existing GuardDuty account can enable RDS Protection with a 30-day trial period. For a new GuardDuty account, RDS Protection is already enabled and included in the 30-day free trial period. For more information, see Estimating cost.

Note

When the RDS Protection feature is not enabled, GuardDuty neither collects your RDS login activity, nor detects anomalous or suspicious login behavior.

For information about the AWS Regions where GuardDuty doesn't yet support RDS Protection, see Region-specific feature availability.

Supported Amazon Aurora databases

The following table shows the supported Aurora database versions.

Amazon Aurora DB engine Supported engine versions

Aurora MySQL

  • 2.10.2 or later

  • 3.02.1 or later

Aurora PostgreSQL

  • 10.17 or later

  • 11.12 or later

  • 12.7 or later

  • 13.3 or later

  • 14.3 or later

  • 15.2 or later

  • 16.1 or later

How RDS Protection uses RDS login activity monitoring

RDS Protection in Amazon GuardDuty helps you protect the supported Amazon Aurora (Aurora) databases in your account. After you enable the RDS Protection feature, GuardDuty immediately starts monitoring RDS login activity from Aurora databases in your account. GuardDuty continuously monitors and profiles RDS login activity for suspicious activity, for example, unauthorized access to Aurora database in your account, from a previously unseen external actor. When you enable RDS Protection for the first time or you have a newly created database instance, a learning period is required to baseline normal behavior. For this reason, newly enabled or newly created database instances may not have an associated anomalous login finding for up to two weeks of time. For more information, see RDS login activity monitoring.

When RDS Protection detects a potential threat, such as an unusual pattern in a series of successful, failed, or incomplete login attempts, GuardDuty generates a new finding with details about the potentially compromised database instance. For more information, see RDS Protection finding types. If you disable RDS Protection, GuardDuty immediately stops monitoring RDS login activity and is unable to detect any potential threat to your supported database instances.

Note

GuardDuty doesn't manage your Supported databases or RDS login activity, or make RDS login activity available to you.

Configuring RDS Protection for a standalone account

Console

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, choose RDS Protection.

  3. The RDS Protection page shows the current status for your account. You may enable or disable the feature at any time by selecting Enable or Disable. Confirm your selection.

API/CLI

Run the updateDetector API operation using your own regional detector ID and passing the features object name as RDS_LOGIN_EVENTS and status as ENABLED or DISABLED.

You can also enable or disable RDS Protection by running the following AWS CLI command. Make sure to use your own valid detector ID.

Note

The following example code enables RDS Protection. To disable it, replace ENABLED with DISABLED.

To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "RDS_LOGIN_EVENTS", "Status" : "ENABLED"}]'

Configuring RDS Protection in multiple-account environments

In a multiple-account environment, only the delegated GuardDuty administrator account has the option to enable or disable the RDS Protection feature for the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account manages their member accounts using AWS Organizations. This delegated GuardDuty administrator account can choose to auto-enable RDS login activity monitoring for all the new accounts as they join the organization. For more information about multiple-account environments, see Managing multiple accounts in Amazon GuardDuty.

Choose your preferred access method to configure RDS Login Activity Monitoring for the delegated GuardDuty administrator account.

Console

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the management account credentials.

  2. In the navigation pane, choose RDS Protection.

  3. On the RDS Protection page, choose Edit.

  4. Do one of the following:

    Using Enable for all accounts

    • Choose Enable for all accounts. This will enable the protection plan for all the active GuardDuty accounts in your AWS organization, including the new accounts that join the organization.

    • Choose Save.

    Using Configure accounts manually

    • To enable the protection plan only for the delegated GuardDuty administrator account account, choose Configure accounts manually.

    • Choose Enable under the delegated GuardDuty administrator account (this account) section.

    • Choose Save.

API/CLI

Run the updateDetector API operation using your own regional detector ID and passing the features object name as RDS_LOGIN_EVENTS and status as ENABLED or DISABLED.

You can enable or disable RDS Protection by running the following AWS CLI command. Make sure to use delegated GuardDuty administrator account's valid detector ID.

Note

The following example code enables RDS Protection. To disable it, replace ENABLED with DISABLED.

To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 555555555555 --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'

Choose your preferred access method to enable the RDS Protection feature for all member accounts. This includes existing member accounts and the new accounts that join the organization.

Console

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. Do one of the following:

    Using the RDS Protection page

    1. In the navigation pane, choose RDS Protection.

    2. Choose Enable for all accounts. This action automatically enables RDS Protection for both existing and new accounts in the organization.

    3. Choose Save.

      Note

      It may take up to 24 hours to update the configuration for the member accounts.

    Using the Accounts page

    1. In the navigation pane, choose Accounts.

    2. On the Accounts page, choose Auto-enable preferences before Add accounts by invitation.

    3. In the Manage auto-enable preferences window, choose Enable for all accounts under RDS Login Activity Monitoring.

    4. Choose Save.

    If you can't use the Enable for all accounts option, see Selectively enable or disable RDS Protection for member accounts.

API/CLI

  • To selectively enable or disable RDS Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

  • The following example shows how you can enable RDS Protection for a single member account. To disable it, replace ENABLED with DISABLED.

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"name": "RDS_LOGIN_EVENTS", "status": "ENABLED"}]'
    Note

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to enable RDS Protection for all the existing active member accounts in your organization.

Console
To configure RDS Protection for all existing active member accounts

  1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Sign in using the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose RDS Protection.

  3. On the RDS Protection page, you can view the current status of the configuration. Under the Active member accounts section, choose Actions.

  4. From the Actions dropdown menu, choose Enable for all existing active member accounts.

  5. Choose Confirm.

API/CLI

  • To selectively enable or disable RDS Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

  • The following example shows how you can enable RDS Protection for a single member account. To disable it, replace ENABLED with DISABLED.

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"name": "RDS_LOGIN_EVENTS", "status": "ENABLED"}]'
    Note

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to enable RDS login activity for new accounts that join your organization.

Console

The delegated GuardDuty administrator account can enable for new member accounts in an organization through the console, using either the RDS Protection or Accounts page.

To auto-enable RDS Protection for new member accounts

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. Do one of the following:

    • Using the RDS Protection page:

      1. In the navigation pane, choose RDS Protection.

      2. On the RDS Protection page, choose Edit.

      3. Choose Configure accounts manually.

      4. Select Automatically enable for new member accounts. This step ensures that whenever a new account joins your organization, RDS Protection will be automatically enabled for their account. Only the organization delegated GuardDuty administrator account can modify this configuration.

      5. Choose Save.

    • Using the Accounts page:

      1. In the navigation pane, choose Accounts.

      2. On the Accounts page, choose Auto-enable preferences.

      3. In the Manage auto-enable preferences window, select Enable for new accounts under RDS Login Activity Monitoring.

      4. Choose Save.

API/CLI

  • To selectively enable or disable RDS Protection for your member accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.

  • The following example shows how you can enable RDS Protection for a single member account. To disable it, see Selectively enable or disable RDS Protection for member accounts. If you don't want to enable it for all the new accounts joining the organization, set autoEnable to NONE.

    To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "RDS_LOGIN_EVENTS", "AutoEnable": "NEW"}]'
    Note

    You can also pass a list of account IDs separated by a space.

  • When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

Choose your preferred access method to selectively enable or disable monitoring RDS login activity for member accounts.

Console

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

    Make sure to use the delegated GuardDuty administrator account credentials.

  2. In the navigation pane, choose Accounts.

    On the Accounts page, review the RDS login activity column for the status of your member account.

  3. To selectively enable or disable RDS login activity

    Select the account for which you want to configure RDS Protection. You can select multiple accounts at a time. In the Edit Protection Plans dropdown menu, choose RDS Login Activity, and then choose the appropriate option.

API/CLI

To selectively enable or disable RDS Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.

The following example shows how you can enable RDS Protection for a single member account. To disable it, replace ENABLED with DISABLED.

To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'
Note

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.