Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Feature in RDS Protection

RDS login activity monitoring

RDS login activity captures both successful and failed login attempts made to the Supported Amazon Aurora databases in your Amazon environment. To help you protect your databases, GuardDuty RDS Protection continuously monitors the login activity for potentially suspicious login attempts. For example, an adversary may attempt to brute-force access to an Amazon Aurora database by guessing the database's password.

When you enable the RDS Protection feature, GuardDuty automatically starts to monitor RDS login activity for your databases directly from the Aurora service. If there is an indication of anomalous login behavior, GuardDuty generates a finding with details about the potentially compromised database. When you enable RDS Protection for the first time or you have a newly created database instance, a learning period is required to baseline normal behavior. For this reason, newly enabled or newly created database instances may not have an associated anomalous login finding for up to two weeks of time.

The RDS Protection feature does not require any additional setup; it does not affect any of your existing Amazon Aurora database configurations. GuardDuty doesn't manage your supported databases or RDS login activity, or make the RDS login activity available to you.

If you choose to auto-enable the RDS Protection feature for new member accounts as they join your organization, this action automatically enables GuardDuty for those new member accounts. For more information about configuring RDS login activity monitoring as a feature, see GuardDuty RDS Protection.