Security best practices for Amazon RDS - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices for Amazon RDS

Use Amazon Identity and Access Management (IAM) accounts to control access to Amazon RDS API operations, especially operations that create, modify, or delete Amazon RDS resources. Such resources include DB instances, security groups, and parameter groups. Also use IAM to control actions that perform common administrative actions such as backing up and restoring DB instances.

  • Create an individual user for each person who manages Amazon RDS resources, including yourself. Don't use Amazon root credentials to manage Amazon RDS resources.

  • Grant each user the minimum set of permissions required to perform his or her duties.

  • Use IAM groups to effectively manage permissions for multiple users.

  • Rotate your IAM credentials regularly.

  • Configure Amazon Secrets Manager to automatically rotate the secrets for Amazon RDS. For more information, see Rotating your Amazon Secrets Manager secrets in the Amazon Secrets Manager User Guide. You can also retrieve the credential from Amazon Secrets Manager programmatically. For more information, see Retrieving the secret value in the Amazon Secrets Manager User Guide.

For more information about Amazon RDS security, see Security in Amazon RDS. For more information about IAM, see Amazon Identity and Access Management. For information on IAM best practices, see IAM best practices.

Amazon Security Hub uses security controls to evaluate resource configurations and security standards to help you comply with various compliance frameworks. For more information about using Security Hub to evaluate RDS resources, see Amazon Relational Database Service controls in the Amazon Security Hub User Guide.

You can monitor your usage of RDS as it relates to security best practices by using Security Hub. For more information, see What is Amazon Security Hub?.

Use the Amazon Web Services Management Console, the Amazon CLI, or the RDS API to change the password for your master user. If you use another tool, such as a SQL client, to change the master user password, it might result in privileges being revoked for the user unintentionally.