AWS Amazon RDS Security Group
This page shows how to write Terraform and CloudFormation for Amazon RDS Security Group and write them securely.
aws_db_security_group (Terraform)
The Security Group in Amazon RDS can be configured in Terraform with the resource name aws_db_security_group. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
# The snippets below come from separate example files; Terraform does not allow
# the same resource name to be declared twice within one module.
resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  # A /23 covers 512 addresses, i.e. more than the 256 hosts the resource name refers to.
  ingress {
    cidr = "192.164.0.0/23"
  }
}

resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  # A /32 admits a single host.
  ingress {
    cidr = "10.164.0.0/32"
  }
}
Parameters
- arn: optional, computed - string
- description: optional - string
- id: optional, computed - string
- name: required - string
- tags: optional - map from string to string
- ingress: set block, with the following attributes:
  - cidr: optional - string
  - security_group_id: optional, computed - string
  - security_group_name: optional, computed - string
  - security_group_owner_id: optional, computed - string
Explanation in Terraform Registry
Provides an RDS security group resource. This is only for DB instances in the EC2-Classic Platform. For instances inside a VPC, use the aws_db_instance.vpc_security_group_ids attribute instead.
Tips: Best Practices for Other AWS Amazon RDS Resources
In addition to the aws_db_instance, AWS Amazon RDS has other resources that should be configured with security in mind. Please check the following examples of those resources and their precautions.
aws_db_instance
Ensure the backup retention of your RDS instance is specified
It's better to set it explicitly to reduce the risk of availability issues.
aws_rds_cluster
Ensure the backup retention of your RDS cluster is specified
It's better to set it explicitly to reduce the risk of availability issues.
aws_rds_cluster_instance
Ensure your RDS cluster instance blocks unwanted access
It's better to limit accessibility to the minimum that is required for the application to work.
AWS::RDS::DBSecurityGroup (CloudFormation)
The DBSecurityGroup in RDS can be configured in CloudFormation with the resource name AWS::RDS::DBSecurityGroup. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::RDS::DBSecurityGroup
Properties:
  GroupDescription: Ingress for CIDRIP
  DBSecurityGroupIngress:          # a list of Ingress entries
    - CIDRIP: 192.168.0.0/32       # a /32 admits a single host

DBInstance:
  Type: 'AWS::RDS::DBSecurityGroup'
  Condition: Is-EC2-Classic        # only created on the EC2-Classic platform
  Properties:
    DBSecurityGroupIngress:
      - EC2SecurityGroupName: !Ref EC2SecurityGroup   # scoped to an EC2 security group rather than an IP range
    GroupDescription: database access

Type: 'AWS::RDS::DBSecurityGroup'
Properties:
  DBSecurityGroupIngress:
    - EC2SecurityGroupName: !Ref EC2SecurityGroup
  GroupDescription: database access

EC2Test:
  "Type": "AWS::RDS::DBSecurityGroup",
  "Properties": {
    "EC2VpcId": {
      "Ref": "VpcId"
    },
    "DBSecurityGroupIngress": [

"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
  "GroupDescription": "DB Access from WebServer Instances",
  "DBSecurityGroupIngress": [
    { "EC2SecurityGroupName": { "Ref": "WebServerSecurityGroup" } }
  ]
}

"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
  "GroupDescription": "Ingress for CIDRIP",
  "DBSecurityGroupIngress": [
    { "CIDRIP": "192.168.0.0/32" }
  ]
}

  "Type": "AWS::RDS::DBSecurityGroup"
},
"GhapOAuth2DBSecurityGroup": {
  "Properties": {
    "DBSecurityGroupIngress": [
      { "EC2SecurityGroupId": { "Ref": "GhapBeanstalkSecurityGroup" } },
Parameters
- DBSecurityGroupIngress: required - List of Ingress
- EC2VpcId: optional - String
- GroupDescription: required - String
- Tags: optional - List of Tag
Explanation in CloudFormation Registry
The AWS::RDS::DBSecurityGroup resource creates or updates an Amazon RDS DB security group. Note: DB security groups are a part of the EC2-Classic Platform and as such are not supported in all regions. It is advised to use the AWS::EC2::SecurityGroup resource in those regions instead. To determine which platform you are on, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform. For more information on AWS::EC2::SecurityGroup, see the documentation for EC2 security groups.
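The following Python check is an added example, not code from this page or from the repositories it cites: it parses a CloudFormation template (a constructed sample is embedded) and reports every AWS::RDS::DBSecurityGroup, since the type is EC2-Classic only, plus any CIDRIP ingress wider than a constructed /24 threshold; rules scoped to an EC2 security group are left alone.

```python
import ipaddress
import json

# Constructed sample template (not from any repository named on this page); it
# mirrors the two ingress shapes shown above: CIDRIP and EC2SecurityGroupName.
# The second resource writes its single rule as an object rather than a list,
# as one of the snippets above does; the checker tolerates both forms.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WideDBSecurityGroup": {
        "Type": "AWS::RDS::DBSecurityGroup",
        "Properties": {
            "GroupDescription": "Ingress for CIDRIP",
            "DBSecurityGroupIngress": [{"CIDRIP": "0.0.0.0/0"},
                                       {"CIDRIP": "192.168.0.0/32"}],
        },
    },
    "AppDBSecurityGroup": {
        "Type": "AWS::RDS::DBSecurityGroup",
        "Properties": {
            "GroupDescription": "DB Access from WebServer Instances",
            "DBSecurityGroupIngress": {
                "EC2SecurityGroupName": {"Ref": "WebServerSecurityGroup"}},
        },
    },
}})

LEGACY = "legacy EC2-Classic resource; prefer AWS::EC2::SecurityGroup in a VPC"

def check_db_security_groups(template_json, max_prefix=24):
    """Return (logical id, finding) pairs for each AWS::RDS::DBSecurityGroup.
    max_prefix is a constructed threshold: CIDRIPs wider than /max_prefix are reported."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBSecurityGroup":
            continue
        findings.append((name, LEGACY))  # the resource type itself is EC2-Classic only
        ingress = res.get("Properties", {}).get("DBSecurityGroupIngress", [])
        for rule in [ingress] if isinstance(ingress, dict) else ingress:
            cidr = rule.get("CIDRIP")
            if cidr is None:
                continue  # EC2SecurityGroupName/Id rules are scoped to an SG, not an IP range
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((name, f"unparseable CIDRIP {cidr!r}"))
                continue
            if net.prefixlen < max_prefix:
                findings.append((name, f"CIDRIP {cidr} is wider than /{max_prefix}"))
    return findings
```

Run it against a real template by reading the file's JSON into check_db_security_groups; YAML templates need to be converted to JSON first (for example with cfn-flip), as this block uses only the standard library.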
Frequently asked questions
What is AWS Amazon RDS Security Group?
AWS Amazon RDS Security Group is a resource for Amazon RDS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon RDS Security Group?
For Terraform, the storebot/pr_demo_flat and patilpankaj212/terrascan-policies source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the neillturner/cfndsl_examples, helloanh/cloud-formation-template and ShilpaChaudhary-git/WordPress source code examples are useful. See the CloudFormation Example section for further details.