A comprehensive, production-ready AWS RDS / Aurora security scanner with multi-framework compliance mapping. Audits RDS instances, Aurora clusters, database snapshots, and account-level database settings for security vulnerabilities and compliance violations across CIS, AWS FSBP, PCI-DSS, HIPAA, SOC 2, ISO frameworks, GDPR and NIST 800-53.
- 53 security checks across 7 categories
- 10 compliance frameworks with 201 controls
- Four-tier scanning: Account -> Standalone Instance -> Aurora Cluster -> Aurora Member
- Aurora-aware: Handles Aurora clusters and member instances separately to prevent double-counting
- Engine-specific: Adapts checks for MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora variants
- Multi-format reports: JSON, CSV, HTML dashboard, compliance JSON
- Parallel scanning with configurable thread pool
- Fail-closed defaults: Missing data assumes the worst
| Category | Checks | Examples |
|---|---|---|
| A. Encryption | 8 | Storage encryption, SSL/TLS enforcement, KMS CMK, CA certificates |
| B. Network & Access | 10 | Public access, security groups, IAM auth, snapshot sharing |
| C. Logging & Monitoring | 10 | CloudWatch Logs, Enhanced Monitoring, Performance Insights, event subscriptions |
| D. Backup & Recovery | 9 | Retention period, deletion protection, Multi-AZ, backtrack |
| E. Maintenance | 3 | Auto minor version upgrade, pending maintenance |
| F. Configuration | 6 | Default parameter groups, Secrets Manager, VPC, RDS Proxy |
| G. Tagging | 7 | Instance, cluster, snapshot, subnet group, parameter group tags |
See security-checks.md for the full check catalog.
| Framework | Controls |
|---|---|
| AWS Foundational Security Best Practices | 45 |
| CIS-Based RDS Hardening Baseline | 20 |
| PCI DSS v4.0.1 | 15 |
| HIPAA Security Rule (§164) | 17 |
| SOC 2 (AICPA TSC 2017) | 18 |
| ISO 27001:2022 | 20 |
| ISO 27017:2015 | 12 |
| ISO 27018:2019 (conceptual mapping) | 10 |
| GDPR (EU 2016/679) | 13 |
| NIST 800-53 Rev 5 | 31 |
See compliance.md for the full mapping.
```bash
pip install .
```

```bash
# Scan all RDS resources in us-east-1
rds-security-scanner security
# Use a specific AWS profile and region
rds-security-scanner security -p production -r eu-west-1
# Scan specific instances
rds-security-scanner security -i my-database
# Scan specific Aurora clusters
rds-security-scanner security -c my-aurora-cluster
# HTML report only
rds-security-scanner security -f html -o ./reports
# Compliance-focused output
rds-security-scanner security --compliance-only
# Parallel workers and debug mode
rds-security-scanner security -w 10 -d
```

```bash
docker build -t rds-security-scanner .
docker run --rm \
  -v ~/.aws:/root/.aws:ro \
  -v $(pwd)/output:/app/output \
  rds-security-scanner security -r us-east-1
```

| Format | File | Description |
|---|---|---|
| JSON | rds_scan_{region}_{timestamp}.json | Full results with summary |
| CSV | rds_scan_{region}_{timestamp}.csv | Flattened per-resource rows |
| HTML | rds_scan_{region}_{timestamp}.html | Interactive dashboard with charts |
| Compliance | rds_compliance_{region}_{timestamp}.json | Per-framework breakdown |
Each resource starts at 100 points. Deductions are applied per failed check:
| Severity | Deduction | Example Checks |
|---|---|---|
| CRITICAL | -20 | Encryption disabled, publicly accessible, public snapshots |
| HIGH | -10 to -15 | SSL not enforced, no backups, no Multi-AZ, SG unrestricted |
| MEDIUM | -5 to -8 | Default port, no CMK, no Performance Insights, default params |
| LOW | -2 to -3 | Missing tags, copy-tags-to-snapshot disabled |
Score is clamped to a minimum of 0.
The scanner requires read-only access. Minimum IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeEventSubscriptions",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBClusterParameterGroups",
        "rds:DescribeDBClusterParameters",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeDBProxies",
        "rds:DescribeOptionGroups",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribePendingMaintenanceActions",
        "rds:ListTagsForResource",
        "ec2:DescribeSecurityGroups",
        "kms:DescribeKey",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
```

`kms:DescribeKey` is used by check A.7 (CMK usage) to reliably distinguish customer-managed keys from AWS-managed keys (`KeyManager` property). If you cannot grant it, the scanner falls back to the `StorageEncryptionType` heuristic and the result will be reported as "unknown" for resources encrypted with a non-default KMS key whose `KeyManager` cannot be inspected.
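The following added example (not the project's own code) shows how the A.7 decision above plays out with and without `kms:DescribeKey`, and how a resulting failure feeds the 100-point deduction scoring described earlier. `StorageEncrypted`/`KmsKeyId` follow the RDS `DescribeDBInstances` record; the `describe_key` callable, the `default_key_ids` heuristic and the exact deduction values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Deduction per failed check by severity (scoring table above); the exact
# value chosen within each range is an assumption.
DEDUCTION = {"CRITICAL": 20, "HIGH": 10, "MEDIUM": 5, "LOW": 2}


@dataclass
class CheckResult:
    check_id: str
    severity: str
    status: str  # "pass", "fail" or "unknown"
    detail: str = ""


def check_a7_cmk(instance: dict,
                 describe_key: Optional[Callable[[str], dict]],
                 default_key_ids: set) -> CheckResult:
    """A.7: is storage encrypted with a customer-managed KMS key?
    instance: a DescribeDBInstances record (StorageEncrypted, KmsKeyId).
    describe_key: stand-in for kms:DescribeKey returning KeyMetadata; None
    when the permission is not granted, and it may raise PermissionError.
    default_key_ids: ARNs of the AWS-managed aws/rds default key (assumed
    fallback heuristic; the scanner's own heuristic is not shown here).
    """
    if not instance.get("StorageEncrypted"):
        return CheckResult("A.7", "MEDIUM", "fail", "storage not encrypted")
    key_id = instance.get("KmsKeyId", "")
    if describe_key is not None:
        try:
            manager = describe_key(key_id)["KeyManager"]  # "CUSTOMER" / "AWS"
            status = "pass" if manager == "CUSTOMER" else "fail"
            return CheckResult("A.7", "MEDIUM", status, f"KeyManager={manager}")
        except PermissionError:
            pass  # fall back to the heuristic; never assume "pass"
    if key_id in default_key_ids:
        return CheckResult("A.7", "MEDIUM", "fail", "AWS-managed default key")
    # Non-default key whose KeyManager cannot be inspected: report "unknown"
    return CheckResult("A.7", "MEDIUM", "unknown", "KeyManager not inspectable")


def score_resource(results: list) -> int:
    """Start at 100, deduct per failed check, clamp at 0. "unknown" results
    are reported separately and not deducted here."""
    score = 100
    for r in results:
        if r.status == "fail":
            score -= DEDUCTION[r.severity]
    return max(score, 0)
```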
```bash
# Create virtual environment
python -m venv venv
source venv/bin/activate
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Run with coverage
pytest tests/ --cov=rds_security_scanner --cov-report=term-missing
# Format code
black rds_security_scanner/ tests/
# Lint
flake8 rds_security_scanner/ tests/
```

```
rds-security-scanner/
├── rds_security_scanner/
│   ├── __init__.py            # Package metadata
│   ├── cli.py                 # Click CLI with shared option decorators
│   ├── scanner.py             # Main orchestrator (4-tier architecture)
│   ├── compliance.py          # 10 frameworks, 201 lambda-based controls
│   ├── utils.py               # Scoring, logging, utilities
│   ├── html_reporter.py       # Jinja2 HTML dashboard generator
│   ├── checks/
│   │   ├── base.py            # BaseChecker with thread-safe session factory
│   │   ├── encryption.py      # Checks A.1-A.8
│   │   ├── network_access.py  # Checks B.1-B.10
│   │   ├── logging_monitoring.py  # Checks C.1-C.10
│   │   ├── backup_recovery.py # Checks D.1-D.9
│   │   ├── maintenance.py     # Checks E.1-E.3
│   │   ├── configuration.py   # Checks F.1-F.6
│   │   └── tagging.py         # Checks G.1-G.7
│   └── templates/
│       └── report.html        # HTML report template
└── tests/                     # 12 test files, 154 tests
```
MIT License - see LICENSE for details.
Toc Consulting - tarek@tocconsulting.fr
