GuardDuty RDS Protection
RDS Protection in Amazon GuardDuty analyzes and profiles RDS login activity for potential access threats to
your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition). This feature allows you to
identify potentially suspicious login behavior. RDS Protection doesn't require additional
infrastructure; it is designed so as not to affect the performance of your database
instances.
When RDS Protection detects a potentially suspicious or anomalous login attempt that indicates a
threat to your database, GuardDuty generates a new finding with details about the potentially
compromised database.
You can enable or disable the RDS Protection feature at any time, for any account, in any AWS Region where Amazon GuardDuty offers this feature. An existing GuardDuty account can enable RDS Protection with a 30-day trial period. For a new GuardDuty account, RDS Protection is already enabled and included in the 30-day free trial period. For more information, see Estimating cost.
When the RDS Protection feature is not enabled, GuardDuty neither collects your RDS login activity, nor detects
anomalous or suspicious login behavior.
For information about the AWS Regions where GuardDuty doesn't yet support RDS Protection, see Region-specific feature
availability.
Supported Amazon Aurora databases
The following table shows the supported Aurora database versions.

Amazon Aurora DB engine | Supported engine versions
Aurora MySQL            | 2.10.2 or later; 3.02.1 or later
Aurora PostgreSQL       | 10.17 or later; 11.12 or later; 12.7 or later; 13.3 or later; 14.3 or later; 15.2 or later; 16.1 or later
How RDS Protection uses RDS login activity monitoring
RDS Protection in Amazon GuardDuty helps you protect the supported Amazon Aurora (Aurora) databases in your account. After you enable the RDS Protection feature, GuardDuty immediately starts monitoring RDS login activity from Aurora databases in your account. GuardDuty continuously monitors and profiles RDS login activity for suspicious activity, for example, unauthorized access to an Aurora database in your account from a previously unseen external actor. When you enable RDS Protection for the first time, or you have a newly created database instance, a learning period is required to baseline normal behavior. For this reason, newly enabled or newly created database instances may not have an associated anomalous login finding for up to two weeks. For more information, see RDS login activity monitoring.
When RDS Protection detects a potential threat, such as an unusual pattern in a series of successful, failed, or incomplete login attempts, GuardDuty generates a new finding with details about the potentially compromised database instance. For more information, see RDS Protection finding types. If you disable RDS Protection, GuardDuty immediately stops monitoring RDS login activity and is unable to detect any potential threat to your supported database instances.
GuardDuty doesn't manage your supported databases or RDS login activity, or make RDS login activity available to you.
Choose your preferred access method to enable or disable RDS Protection for your account.
- Console
  - Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
  - In the navigation pane, choose RDS Protection.
  - The RDS Protection page shows the current status for your account. You may enable or disable the feature at any time by selecting Enable or Disable. Confirm your selection.
- API/CLI
  - Run the updateDetector API operation using your own regional detector ID and passing the features object name as RDS_LOGIN_EVENTS and status as ENABLED or DISABLED.
  - You can also enable or disable RDS Protection by running the following AWS CLI command. Make sure to use your own valid detector ID. The following example enables RDS Protection; to disable it, replace ENABLED with DISABLED. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console.
    aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
        --features '[{"Name" : "RDS_LOGIN_EVENTS", "Status" : "ENABLED"}]'
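An added example, not AWS's own code: a Python helper that applies the same updateDetector request idempotently, reading the current RDS_LOGIN_EVENTS status back with GetDetector and only calling UpdateDetector when it differs. The FakeGuardDuty class is a constructed stand-in for boto3.client("guardduty") so the example runs offline; the detector ID is the page's sample value.

```python
FEATURE = "RDS_LOGIN_EVENTS"


def current_status(client, detector_id):
    """Read the RDS_LOGIN_EVENTS status back from GetDetector.
    A detector whose Features list lacks the entry is treated as DISABLED."""
    resp = client.get_detector(DetectorId=detector_id)
    for feature in resp.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status", "DISABLED")
    return "DISABLED"


def ensure_rds_protection(client, detector_id, desired="ENABLED"):
    """Idempotently set RDS Protection to `desired` on one detector.
    Returns True when an UpdateDetector call was needed, False if already set."""
    if desired not in ("ENABLED", "DISABLED"):
        raise ValueError("desired must be ENABLED or DISABLED")
    if current_status(client, detector_id) == desired:
        return False
    # Same request shape as the CLI command above: one feature object.
    client.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": FEATURE, "Status": desired}],
    )
    return True


class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty') so the example runs
    offline; it keeps feature state in memory and counts update calls."""

    def __init__(self, features=None):
        self.features = list(features or [])
        self.update_calls = 0

    def get_detector(self, DetectorId):
        return {"Features": [dict(f) for f in self.features]}

    def update_detector(self, DetectorId, Features):
        self.update_calls += 1
        for new in Features:
            self.features = [f for f in self.features if f["Name"] != new["Name"]]
            self.features.append(dict(new))
        return {}


if __name__ == "__main__":
    gd = FakeGuardDuty()
    print(ensure_rds_protection(gd, "12abc34d567e8fa901bc2d34e56789f0"))  # True
    print(ensure_rds_protection(gd, "12abc34d567e8fa901bc2d34e56789f0"))  # False
```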
In a multiple-account environment, only the delegated GuardDuty administrator account has the option to enable
or disable the RDS Protection feature for the member accounts in their organization. The GuardDuty
member accounts can't modify this configuration from their accounts. The delegated GuardDuty administrator account
manages their member accounts using AWS Organizations. This delegated GuardDuty administrator account can choose to auto-enable
RDS login activity monitoring for all the new accounts as they join the organization. For more
information about multiple-account environments, see Managing multiple accounts in
Amazon GuardDuty.
Choose your preferred access method to configure RDS Login Activity Monitoring for the delegated GuardDuty administrator account.
- Console
  - Open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Make sure to use the management account credentials.
  - In the navigation pane, choose RDS Protection.
  - On the RDS Protection page, choose Edit. Do one of the following:
    - Using Enable for all accounts
    - Using Configure accounts manually: to enable the protection plan only for the delegated GuardDuty administrator account, choose Configure accounts manually, then choose Enable under the delegated GuardDuty administrator account (this account) section.
  - Choose Save.
- API/CLI
  - Run the updateDetector API operation using your own regional detector ID and passing the features object name as RDS_LOGIN_EVENTS and status as ENABLED or DISABLED.
  - You can enable or disable RDS Protection by running the following AWS CLI command. Make sure to use the delegated GuardDuty administrator account's valid detector ID. The following example enables RDS Protection; to disable it, replace ENABLED with DISABLED. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console.
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
        --account-ids 555555555555 \
        --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'
Choose your preferred access method to enable the RDS Protection feature for all member accounts. This includes existing member accounts and the new accounts that join the organization.
- Console
  - Open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  - Do one of the following:
    - Using the RDS Protection page: In the navigation pane, choose RDS Protection. Choose Enable for all accounts. This action automatically enables RDS Protection for both existing and new accounts in the organization. Choose Save. It may take up to 24 hours to update the configuration for the member accounts.
    - Using the Accounts page: In the navigation pane, choose Accounts. On the Accounts page, choose Auto-enable preferences before Add accounts by invitation. In the Manage auto-enable preferences window, choose Enable for all accounts under RDS Login Activity Monitoring. Choose Save.
  - If you can't use the Enable for all accounts option, see Selectively enable or disable RDS Protection for member accounts.
- API/CLI
  - To selectively enable or disable RDS Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.
  - The following example shows how you can enable RDS Protection for a single member account. To disable it, replace ENABLED with DISABLED. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console.
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
        --account-ids 111122223333 \
        --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'
    You can also pass a list of account IDs separated by a space.
  - When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Choose your preferred access method to enable RDS Protection for all the existing active member accounts in your organization.
- Console
  - To configure RDS Protection for all existing active member accounts, sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Sign in using the delegated GuardDuty administrator account credentials.
  - In the navigation pane, choose RDS Protection.
  - On the RDS Protection page, you can view the current status of the configuration. Under the Active member accounts section, choose Actions.
  - From the Actions dropdown menu, choose Enable for all existing active member accounts.
  - Choose Confirm.
- API/CLI
  - To selectively enable or disable RDS Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.
  - The following example shows how you can enable RDS Protection for a single member account. To disable it, replace ENABLED with DISABLED. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console.
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
        --account-ids 111122223333 \
        --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'
    You can also pass a list of account IDs separated by a space.
  - When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Choose your preferred access method to enable RDS login activity for new accounts that join your organization.
- Console
  - The delegated GuardDuty administrator account can enable RDS Protection for new member accounts in an organization through the console, using either the RDS Protection or Accounts page.
  - To auto-enable RDS Protection for new member accounts, open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  - Do one of the following:
- API/CLI
  - To selectively enable or disable RDS Protection for your member accounts, invoke the UpdateOrganizationConfiguration API operation using your own detector ID.
  - The following example shows how you can enable RDS Protection for a single member account. To disable it, see Selectively enable or disable RDS Protection for member accounts. If you don't want to enable it for all the new accounts joining the organization, set autoEnable to NONE. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console.
    aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
        --auto-enable --features '[{"Name": "RDS_LOGIN_EVENTS", "AutoEnable": "NEW"}]'
    You can also pass a list of account IDs separated by a space.
  - When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
Choose your preferred access method to selectively enable or disable monitoring of RDS login activity for member accounts.
- Console
  - Open the GuardDuty console at https://console.aws.amazon.com/guardduty/. Make sure to use the delegated GuardDuty administrator account credentials.
  - In the navigation pane, choose Accounts. On the Accounts page, review the RDS login activity column for the status of your member account.
  - To selectively enable or disable RDS login activity, select the account for which you want to configure RDS Protection. You can select multiple accounts at a time. In the Edit Protection Plans dropdown menu, choose RDS Login Activity, and then choose the appropriate option.
- API/CLI
  - To selectively enable or disable RDS Protection for your member accounts, invoke the updateMemberDetectors API operation using your own detector ID.
  - The following example shows how you can enable RDS Protection for a single member account. To disable it, replace ENABLED with DISABLED. To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console.
    aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
        --account-ids 111122223333 \
        --features '[{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]'
    You can also pass a list of account IDs separated by a space.
  - When the command has successfully executed, it returns an empty list of UnprocessedAccounts. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.
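An added example, not AWS's own code, covering the updateMemberDetectors procedures above (enabling for member accounts and checking UnprocessedAccounts): a Python helper that sends the RDS_LOGIN_EVENTS feature update for a list of member accounts in batches and returns the per-account failures that come back in UnprocessedAccounts rather than as an exception. FakeGuardDuty is a constructed stand-in for boto3.client("guardduty") so it runs offline; BATCH_SIZE is an assumed per-request limit, and the account IDs are constructed sample values.

```python
FEATURE = "RDS_LOGIN_EVENTS"
BATCH_SIZE = 50  # assumed per-request cap on AccountIds; confirm against the API reference


def set_member_rds_protection(client, detector_id, account_ids, status="ENABLED"):
    """Call UpdateMemberDetectors for every member account in batches.
    Returns {account_id: reason} for accounts reported in UnprocessedAccounts;
    an empty dict means every account was updated."""
    if status not in ("ENABLED", "DISABLED"):
        raise ValueError("status must be ENABLED or DISABLED")
    failures = {}
    for start in range(0, len(account_ids), BATCH_SIZE):
        batch = account_ids[start:start + BATCH_SIZE]
        resp = client.update_member_detectors(
            DetectorId=detector_id,
            AccountIds=batch,
            Features=[{"Name": FEATURE, "Status": status}],
        )
        # Per-account problems are reported here, not raised; surface them.
        for item in resp.get("UnprocessedAccounts", []):
            failures[item["AccountId"]] = item["Result"]
    return failures


class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty'): records each call
    and refuses one hard-coded account so the failure path is exercised."""

    REJECTED = "444455556666"  # constructed sample account ID

    def __init__(self):
        self.calls = []

    def update_member_detectors(self, DetectorId, AccountIds, Features):
        self.calls.append(list(AccountIds))
        unprocessed = [
            {"AccountId": a, "Result": "constructed: account is not a member"}
            for a in AccountIds if a == self.REJECTED
        ]
        return {"UnprocessedAccounts": unprocessed}


if __name__ == "__main__":
    gd = FakeGuardDuty()
    members = ["111122223333", "444455556666", "777788889999"]
    print(set_member_rds_protection(gd, "12abc34d567e8fa901bc2d34e56789f0", members))
```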