TocConsulting/rds-security-scanner

rds-security-scanner


A comprehensive, production-ready AWS RDS / Aurora security scanner with multi-framework compliance mapping. Audits RDS instances, Aurora clusters, database snapshots, and account-level database settings for security vulnerabilities and compliance violations across CIS, AWS FSBP, PCI-DSS, HIPAA, SOC 2, ISO frameworks, GDPR and NIST 800-53.

Features

  • 53 security checks across 7 categories
  • 10 compliance frameworks with 201 controls
  • Four-tier scanning: Account -> Standalone Instance -> Aurora Cluster -> Aurora Member
  • Aurora-aware: Handles Aurora clusters and member instances separately to prevent double-counting
  • Engine-specific: Adapts checks for MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora variants
  • Multi-format reports: JSON, CSV, HTML dashboard, compliance JSON
  • Parallel scanning with configurable thread pool
  • Fail-closed defaults: Missing data assumes the worst

Security Checks

| Category | Checks | Examples |
|---|---|---|
| A. Encryption | 8 | Storage encryption, SSL/TLS enforcement, KMS CMK, CA certificates |
| B. Network & Access | 10 | Public access, security groups, IAM auth, snapshot sharing |
| C. Logging & Monitoring | 10 | CloudWatch Logs, Enhanced Monitoring, Performance Insights, event subscriptions |
| D. Backup & Recovery | 9 | Retention period, deletion protection, Multi-AZ, backtrack |
| E. Maintenance | 3 | Auto minor version upgrade, pending maintenance |
| F. Configuration | 6 | Default parameter groups, Secrets Manager, VPC, RDS Proxy |
| G. Tagging | 7 | Instance, cluster, snapshot, subnet group, parameter group tags |

See security-checks.md for the full check catalog.

Compliance Frameworks

| Framework | Controls |
|---|---|
| AWS Foundational Security Best Practices | 45 |
| CIS-Based RDS Hardening Baseline | 20 |
| PCI DSS v4.0.1 | 15 |
| HIPAA Security Rule (§164) | 17 |
| SOC 2 (AICPA TSC 2017) | 18 |
| ISO 27001:2022 | 20 |
| ISO 27017:2015 | 12 |
| ISO 27018:2019 (conceptual mapping) | 10 |
| GDPR (EU 2016/679) | 13 |
| NIST 800-53 Rev 5 | 31 |

See compliance.md for the full mapping.

Quick Start

Installation

```bash
pip install .
```

Basic Usage

```bash
# Scan all RDS resources in us-east-1
rds-security-scanner security

# Use a specific AWS profile and region
rds-security-scanner security -p production -r eu-west-1

# Scan specific instances
rds-security-scanner security -i my-database

# Scan specific Aurora clusters
rds-security-scanner security -c my-aurora-cluster

# HTML report only
rds-security-scanner security -f html -o ./reports

# Compliance-focused output
rds-security-scanner security --compliance-only

# Parallel workers and debug mode
rds-security-scanner security -w 10 -d
```

Docker

```bash
docker build -t rds-security-scanner .

docker run --rm \
  -v ~/.aws:/root/.aws:ro \
  -v $(pwd)/output:/app/output \
  rds-security-scanner security -r us-east-1
```

Output Formats

| Format | File | Description |
|---|---|---|
| JSON | rds_scan_{region}_{timestamp}.json | Full results with summary |
| CSV | rds_scan_{region}_{timestamp}.csv | Flattened per-resource rows |
| HTML | rds_scan_{region}_{timestamp}.html | Interactive dashboard with charts |
| Compliance | rds_compliance_{region}_{timestamp}.json | Per-framework breakdown |

Scoring

Each resource starts at 100 points. Deductions are applied per failed check:

| Severity | Deduction | Example Checks |
|---|---|---|
| CRITICAL | -20 | Encryption disabled, publicly accessible, public snapshots |
| HIGH | -10 to -15 | SSL not enforced, no backups, no Multi-AZ, SG unrestricted |
| MEDIUM | -5 to -8 | Default port, no CMK, no Performance Insights, default params |
| LOW | -2 to -3 | Missing tags, copy-tags-to-snapshot disabled |

The score is clamped to a minimum of 0, so a resource with many failed checks cannot go negative.
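As an added illustration (not the project's own code), the scoring rule above implemented over a constructed set of findings. The HIGH, MEDIUM and LOW deductions of 10, 5 and 2 are assumed defaults inside the ranges the table gives, with a per-check override used for the 15-point SSL case; only CRITICAL = 20 is fixed by the README.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Deduction per severity. CRITICAL is fixed at 20 per the README; the HIGH,
# MEDIUM and LOW values are assumed defaults within the README's ranges and can
# be overridden per finding via Finding.deduction.
DEFAULT_DEDUCTION = {"CRITICAL": 20, "HIGH": 10, "MEDIUM": 5, "LOW": 2}


@dataclass(frozen=True)
class Finding:
    name: str                        # descriptive check name (constructed)
    severity: str                    # CRITICAL / HIGH / MEDIUM / LOW
    passed: bool
    deduction: Optional[int] = None  # explicit weight, else the band default


def score_resource(findings: List[Finding]) -> Tuple[int, List[Tuple[str, int]]]:
    """Start at 100, deduct per failed check, clamp at 0.

    Returns the final score and the list of (check, deduction) actually applied.
    """
    score = 100
    applied = []
    for f in findings:
        if f.passed:
            continue
        if f.severity not in DEFAULT_DEDUCTION:
            raise ValueError(f"unknown severity {f.severity!r} on {f.name}")
        amount = f.deduction if f.deduction is not None else DEFAULT_DEDUCTION[f.severity]
        score -= amount
        applied.append((f.name, amount))
    return max(score, 0), applied


# Constructed sample: an unencrypted, publicly reachable instance with gaps in
# backups, monitoring and tagging, plus one passing check that must not deduct.
SAMPLE_FINDINGS = [
    Finding("storage-encryption", "CRITICAL", passed=False),
    Finding("publicly-accessible", "CRITICAL", passed=False),
    Finding("ssl-enforced", "HIGH", passed=False, deduction=15),
    Finding("backups-enabled", "HIGH", passed=False),
    Finding("performance-insights", "MEDIUM", passed=False),
    Finding("required-tags", "LOW", passed=False),
    Finding("deletion-protection", "HIGH", passed=True),
]

if __name__ == "__main__":
    print(score_resource(SAMPLE_FINDINGS))  # score 28
```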

IAM Permissions

The scanner requires read-only access. Minimum IAM policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeDBProxies",
                "rds:DescribeOptionGroups",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:ListTagsForResource",
                "ec2:DescribeSecurityGroups",
                "kms:DescribeKey",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
```

kms:DescribeKey is used by check A.7 (CMK usage) to reliably distinguish customer-managed keys from AWS-managed keys (KeyManager property). If you cannot grant it, the scanner falls back to the StorageEncryptionType heuristic and the result will be reported as "unknown" for resources encrypted with a non-default KMS key whose KeyManager cannot be inspected.
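Added example, not the project's code: the decision logic the paragraph describes for check A.7, with a constructed stand-in for the KMS client so it runs offline. When kms:DescribeKey is denied it simply reports "unknown" rather than reproducing the scanner's StorageEncryptionType heuristic; the key ARNs and instance records are constructed.

```python
def check_cmk_usage(instance, kms_client):
    """Return 'pass', 'fail' or 'unknown' for one DescribeDBInstances record.

    instance:   dict with StorageEncrypted / KmsKeyId, as RDS returns them.
    kms_client: object with describe_key(KeyId=...), e.g. boto3.client("kms").
    """
    if not instance.get("StorageEncrypted"):
        return "fail"                  # nothing is encrypted, so no CMK either
    key_id = instance.get("KmsKeyId")
    if not key_id:
        return "unknown"               # fail-closed: missing data, do not pass
    try:
        meta = kms_client.describe_key(KeyId=key_id)["KeyMetadata"]
    except Exception as exc:           # botocore ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code in ("AccessDeniedException", "AccessDenied"):
            return "unknown"           # kms:DescribeKey not granted
        raise
    return "pass" if meta.get("KeyManager") == "CUSTOMER" else "fail"


class _ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (constructed)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubKms:
    """Constructed KMS client: maps key ARNs to KeyManager, or denies access."""
    def __init__(self, keys, deny=False):
        self.keys, self.deny = keys, deny

    def describe_key(self, KeyId):
        if self.deny:
            raise _ClientError("AccessDeniedException")
        if KeyId not in self.keys:
            raise _ClientError("NotFoundException")
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": self.keys[KeyId]}}


# Constructed key ARNs and instances (not real account data).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-customer-key"
AWS_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-aws-managed-key"
KMS_OK = StubKms({CMK_ARN: "CUSTOMER", AWS_ARN: "AWS"})
KMS_DENIED = StubKms({}, deny=True)
CMK_INSTANCE = {"DBInstanceIdentifier": "db-a", "StorageEncrypted": True, "KmsKeyId": CMK_ARN}
AWS_INSTANCE = {"DBInstanceIdentifier": "db-b", "StorageEncrypted": True, "KmsKeyId": AWS_ARN}
PLAIN_INSTANCE = {"DBInstanceIdentifier": "db-c", "StorageEncrypted": False}
```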

Development

```bash
# Create virtual environment
python -m venv venv
source venv/bin/activate

# Install with dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# Run with coverage
pytest tests/ --cov=rds_security_scanner --cov-report=term-missing

# Format code
black rds_security_scanner/ tests/

# Lint
flake8 rds_security_scanner/ tests/
```

Architecture

```text
rds-security-scanner/
├── rds_security_scanner/
│   ├── __init__.py               # Package metadata
│   ├── cli.py                    # Click CLI with shared option decorators
│   ├── scanner.py                # Main orchestrator (4-tier architecture)
│   ├── compliance.py             # 10 frameworks, 201 lambda-based controls
│   ├── utils.py                  # Scoring, logging, utilities
│   ├── html_reporter.py          # Jinja2 HTML dashboard generator
│   ├── checks/
│   │   ├── base.py               # BaseChecker with thread-safe session factory
│   │   ├── encryption.py         # Checks A.1-A.8
│   │   ├── network_access.py     # Checks B.1-B.10
│   │   ├── logging_monitoring.py # Checks C.1-C.10
│   │   ├── backup_recovery.py    # Checks D.1-D.9
│   │   ├── maintenance.py        # Checks E.1-E.3
│   │   ├── configuration.py      # Checks F.1-F.6
│   │   └── tagging.py            # Checks G.1-G.7
│   └── templates/
│       └── report.html           # HTML report template
└── tests/                        # 12 test files, 154 tests
```

License

MIT License - see LICENSE for details.

Author

Toc Consulting - tarek@tocconsulting.fr
