
GuardDuty RDS Protection

GuardDuty RDS Protection is in preview release. Your use of the RDS Protection feature is subject to Section 2 of the Amazon Service Terms ("Betas and Previews").

Amazon GuardDuty is extending its threat detection coverage to help you protect your Amazon Relational Database Service (RDS) databases. Presently, this preview release supports Amazon Aurora, a fully managed relational database engine, for the engine versions listed under Supported Amazon Aurora databases. For information about the available Regions, see Region-specific feature availability.

RDS Protection in Amazon GuardDuty analyzes and profiles RDS login activity for potential access threats to your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition). This feature allows you to identify potentially suspicious login behavior. RDS Protection doesn't require additional infrastructure; it is designed so as not to affect the performance of your database instances.

When RDS Protection detects a potentially suspicious or anomalous login attempt that indicates a threat to your database instance, GuardDuty generates a new finding with details about the potentially compromised database instance.

You can enable or disable the RDS Protection feature for any account in any Amazon Web Services Region where this feature is available, at any time. When RDS Protection is not enabled, GuardDuty neither ingests RDS login activity nor detects anomalous or suspicious login behavior.

Supported Amazon Aurora databases

Presently, RDS Protection supports the following Aurora database versions:

  • Aurora MySQL versions 2.10.2 and 3.2.1 or higher.

  • Aurora PostgreSQL versions 10.17, 11.12, 12.7, 13.3, and 14.3 or higher.

How RDS Protection uses RDS login activity monitoring

RDS Protection in Amazon GuardDuty helps you protect the supported Amazon Aurora (Aurora) databases in your account. After you enable the RDS Protection feature, GuardDuty immediately starts to monitor RDS login activity from your Aurora database instances. GuardDuty continuously monitors and profiles RDS login activity for suspicious activity, for example, unauthorized access to your database instance from a previously unseen external actor. When you enable RDS Protection for the first time, or when you create a new database instance, a learning period is required to baseline normal behavior. For this reason, newly enabled or newly created database instances may not have an associated anomalous login finding for up to two weeks. For more information, see RDS login activity monitoring.

When RDS Protection detects a potential threat, such as an unusual pattern in a series of successful, failed, or incomplete login attempts, GuardDuty generates a new finding with details about the potentially compromised database instance. For more information, see RDS Protection finding types. If you disable RDS Protection, GuardDuty immediately stops monitoring RDS login activity and is unable to detect any potential threat to your supported database instances.

GuardDuty RDS Protection is available to use at no cost during its preview release. After this feature is generally available, you will still be able to leverage the 30-day free-trial period for this feature. For more information, see Free preview of RDS Protection.

Note

GuardDuty doesn't manage your supported databases or your RDS login activity, and it doesn't make the RDS login activity available to you.

Configuring RDS Protection for a standalone account

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, under Settings, choose RDS Protection.

  3. The RDS Protection page shows the current status for your account. You may enable or disable the feature at any time by selecting Enable or Disable. Confirm your selection.

Configuring RDS Protection in multiple-account environments

In a multiple-account environment, only the GuardDuty delegated administrator account has the option to enable or disable the RDS Protection feature for the member accounts in their organization. The GuardDuty member accounts can't modify this configuration from their accounts. The delegated administrator account manages their member accounts using Amazon Organizations. This delegated administrator can choose to auto-enable RDS login activity monitoring for all the new accounts as they join the organization. For more information about multiple-account environments, see Managing multiple accounts in Amazon GuardDuty.

Configuring RDS Protection for delegated administrator

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the management account credentials.

  2. In the navigation pane, choose RDS Protection.

  3. On the RDS Protection page, choose Enable or Disable to enable or disable RDS Login Activity Monitoring.

    Confirm your selection.

Auto-enable RDS Protection for existing member accounts

Note

This functionality is only available to a GuardDuty delegated administrator account incorporated through Amazon Organizations.

The delegated administrator can enable the RDS Protection feature for existing member accounts in an organization.

To auto-enable RDS Protection for existing member accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the delegated administrator account credentials.

  2. In the navigation pane, under Settings, choose RDS Protection.

  3. On the RDS Protection page, choose Enable all to enable RDS Login Activity Monitoring for all the member accounts.

    By default, this action automatically turns on the Auto-enable GuardDuty and RDS Login Activity Monitoring for new member accounts option.

    If you can't use the Enable all option, see Selectively enable or disable RDS Protection for member accounts.

  4. Confirm your selection. You can now view the number of active member accounts in your organization that have RDS Login Activity Monitoring enabled.

Auto-enable RDS Protection for new member accounts

Note

This functionality is only available to a GuardDuty delegated administrator account incorporated through Amazon Organizations.

The delegated administrator can enable RDS Login Activity Monitoring for new member accounts in an organization through the console, using either the RDS Protection or Accounts page.

To auto-enable RDS Protection for new member accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the delegated administrator account credentials.

  2. Do one of the following:

    • Using the RDS Protection page:

      1. In the navigation pane, under Settings, choose RDS Protection.

      2. On the RDS Protection page, turn on Auto-enable RDS Login Activity Monitoring for new member accounts.

    • Using the Accounts page:

      1. In the navigation pane, under Settings, choose Accounts.

      2. On the Accounts page, next to the refresh icon, choose Auto-enable.

      3. In the Auto-enable GuardDuty and set source preferences configuration, make sure that Auto-enable GuardDuty for all accounts added to your organization is turned on.

      4. You can now turn on Enable RDS Login Activity Monitoring for new member accounts.

Selectively enable or disable RDS Protection for member accounts

Note

This functionality is only available to a GuardDuty delegated administrator incorporated through Amazon Organizations.

You can selectively enable or disable RDS login activity monitoring for a member account through the console.

To selectively enable or disable RDS Protection for member accounts

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    Make sure to use the delegated administrator account credentials.

  2. In the navigation pane, under Settings, choose Accounts.

    On the Accounts page, review the RDS login activity column. A green checkmark icon indicates that RDS login activity monitoring is enabled, and a blue dash icon indicates that RDS login activity monitoring is disabled.

  3. Choose the account that you want to configure for RDS Protection. You can choose multiple accounts at a time. From the Actions dropdown menu, choose Enable RDS Login Activity Monitoring or Disable RDS Login Activity Monitoring to enable or disable RDS login activity monitoring for the selected accounts.
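The console procedures above (standalone account, delegated administrator, existing and new member accounts) leave two questions a defender needs to answer afterwards: which accounts actually have monitoring on, and which are still inside the learning period. The following script is an added example, not code from the GuardDuty documentation; it assumes the response shapes of the GuardDuty GetDetector, DescribeOrganizationConfiguration and GetMemberDetectors API calls, in which the feature is named RDS_LOGIN_EVENTS, and the sample responses it runs on are constructed.

```python
# Audit GuardDuty RDS Protection coverage from API responses (added example).
# Assumed response shapes: GetDetector -> {"Features": [{"Name", "Status", "UpdatedAt"}]},
# DescribeOrganizationConfiguration -> {"Features": [{"Name", "AutoEnable"}]},
# GetMemberDetectors -> {"MemberDataSourceConfigurations": [{"AccountId", "Features"}]}.
from datetime import datetime, timedelta, timezone

RDS_FEATURE = "RDS_LOGIN_EVENTS"
LEARNING_PERIOD = timedelta(days=14)  # "up to two weeks" of baselining


def feature(features, name):
    """Return the entry for one feature name, or None if it is absent."""
    return next((f for f in features if f.get("Name") == name), None)


def audit(detector, org_config, member_detectors, now):
    """Report accounts with RDS login monitoring disabled, accounts still
    baselining (findings may not appear yet), and new-member auto-enrolment."""
    report = {"disabled": [], "baselining": [], "auto_enable_new": False}
    org_rds = feature(org_config.get("Features", []), RDS_FEATURE)
    report["auto_enable_new"] = bool(org_rds) and org_rds.get("AutoEnable") in ("NEW", "ALL")
    # The administrator's own detector, then each member detector.
    accounts = [("admin", detector.get("Features", []))]
    accounts += [(m["AccountId"], m.get("Features", []))
                 for m in member_detectors.get("MemberDataSourceConfigurations", [])]
    for account_id, feats in accounts:
        f = feature(feats, RDS_FEATURE)
        if f is None or f.get("Status") != "ENABLED":
            report["disabled"].append(account_id)    # no login activity is ingested here
        elif now - f["UpdatedAt"] < LEARNING_PERIOD:
            report["baselining"].append(account_id)  # enabled, but still learning normal behaviour
    return report


# Constructed sample responses (placeholder account IDs, not real account data).
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
DETECTOR = {"Status": "ENABLED",
            "Features": [{"Name": RDS_FEATURE, "Status": "ENABLED",
                          "UpdatedAt": NOW - timedelta(days=40)}]}
ORG_CONFIG = {"Features": [{"Name": RDS_FEATURE, "AutoEnable": "NONE"}]}
MEMBERS = {"MemberDataSourceConfigurations": [
    {"AccountId": "111111111111",
     "Features": [{"Name": RDS_FEATURE, "Status": "ENABLED",
                   "UpdatedAt": NOW - timedelta(days=3)}]},
    {"AccountId": "222222222222",
     "Features": [{"Name": RDS_FEATURE, "Status": "DISABLED",
                   "UpdatedAt": NOW - timedelta(days=60)}]},
    {"AccountId": "333333333333", "Features": []},
]}

if __name__ == "__main__":
    print(audit(DETECTOR, ORG_CONFIG, MEMBERS, NOW))
```

An empty "disabled" list with "auto_enable_new" set to True corresponds to the Enable all state the delegated administrator procedure describes; anything in "disabled" is an account where, as the page notes, no RDS login activity is being ingested at all.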