AWS Amazon RDS Security Group

This page shows how to write Terraform and CloudFormation for Amazon RDS Security Group and write them securely.

aws_db_security_group (Terraform)

The Security Group in Amazon RDS can be configured in Terraform with the resource name aws_db_security_group. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

dbsecuritygroup.tf#L1
resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  ingress {
    cidr = "192.164.0.0/23" # a /23 admits 512 addresses
  }
}
positive.tf#L6
resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  ingress {
    cidr = "192.164.0.0/23" # a /23 admits 512 addresses
  }
}
negative.tf#L6
resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  ingress {
    cidr = "10.164.0.0/32" # a /32 admits a single address
  }
}
positive.tf#L6
resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  ingress {
    cidr = "192.164.0.0/23" # a /23 admits 512 addresses
  }
}
negative.tf#L6
resource "aws_db_security_group" "rdsHostsHigherThan256" {
  name = "rds_sg"

  ingress {
    cidr = "10.164.0.0/32" # a /32 admits a single address
  }
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an RDS security group resource. This is only for DB instances in the EC2-Classic Platform. For instances inside a VPC, use the aws_db_instance.vpc_security_group_ids attribute instead.

Tips: Best Practices for The Other AWS Amazon RDS Resources

In addition to aws_db_instance, AWS Amazon RDS has other resources that should be configured for security reasons. Please check the following examples of those resources and the precautions to take.

aws_db_instance

Ensure backup retention of your RDS instance is specified

It's better to set it explicitly to reduce the risk of availability issues.

aws_rds_cluster

Ensure backup retention of your RDS cluster is specified

It's better to set it explicitly to reduce the risk of availability issues.

aws_rds_cluster_instance

Ensure your RDS cluster instance blocks unwanted access

It's better to limit accessibility to the minimum that is required for the application to work.

Review your AWS Amazon RDS settings

In addition to the above, there are other security points you should be aware of. Make sure that your .tf files are protected with Shisho Cloud.

AWS::RDS::DBSecurityGroup (CloudFormation)

The DBSecurityGroup in RDS can be configured in CloudFormation with the resource name AWS::RDS::DBSecurityGroup. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

rds.yml#L25
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: Ingress for CIDRIP
      DBSecurityGroupIngress:
        CIDRIP: 192.168.0.0/32
  DBInstance:
ec2-rds-mysql.yml#L154
    Type: 'AWS::RDS::DBSecurityGroup'
    Condition: Is-EC2-Classic
    Properties:
      DBSecurityGroupIngress:
        EC2SecurityGroupName: !Ref EC2SecurityGroup
      GroupDescription: database access
RDSdatabase.yml#L15
  Type: AWS::RDS::DBSecurityGroup
  Properties:
    GroupDescription: Ingress for CIDRIP
    DBSecurityGroupIngress:
      CIDRIP: "192.168.0.0/32"
ec2-rds-mysql%20copy.yml#L144
    Type: 'AWS::RDS::DBSecurityGroup'
    Condition: Is-EC2-Classic
    Properties:
      DBSecurityGroupIngress:
        EC2SecurityGroupName: !Ref EC2SecurityGroup
      GroupDescription: database access
ec2-rds-mysql-with-params.yml#L107
    Type: 'AWS::RDS::DBSecurityGroup'
    Properties:
      DBSecurityGroupIngress:
        EC2SecurityGroupName: !Ref EC2SecurityGroup
      GroupDescription: database access
  EC2Test:
deploy.json#L5
            "Type": "AWS::RDS::DBSecurityGroup",
            "Properties": {
                "EC2VpcId": {
                    "Ref": "VpcId"
                },
                "DBSecurityGroupIngress": [
deploy.json#L5
            "Type": "AWS::RDS::DBSecurityGroup",
            "Properties": {
                "EC2VpcId": {
                    "Ref": "VpcId"
                },
                "DBSecurityGroupIngress": [
DatabaseSecurityGroup.json#L2
  "Type": "AWS::RDS::DBSecurityGroup",
  "Properties": {
    "GroupDescription": "DB Access from WebServer Instances",
    "DBSecurityGroupIngress": {
      "EC2SecurityGroupName": { "Ref": "WebServerSecurityGroup"}
    }
  }
aws-cf-template-prod.json#L19
            "Type": "AWS::RDS::DBSecurityGroup",
            "Properties": {
                "GroupDescription": "Ingress for CIDRIP",
                "DBSecurityGroupIngress": {
                    "CIDRIP": "192.168.0.0/32"
                }
            }
ghap-securitygroups.json#L117
      "Type": "AWS::RDS::DBSecurityGroup"
    },
    "GhapOAuth2DBSecurityGroup": {
      "Properties": {
        "DBSecurityGroupIngress": [
          { "EC2SecurityGroupId": { "Ref": "GhapBeanstalkSecurityGroup" } },
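The positive.tf and negative.tf pairs in the Terraform section come from terrascan policy tests, and the rule name rdsHostsHigherThan256 indicates the check they exercise: an ingress CIDR that admits more than 256 addresses (the /23 in positive.tf covers 512) is flagged, while the single-address /32 in negative.tf and the /32 CIDRIP values in the CloudFormation snippets above pass. The following Python is an added example, not code from this page, from terrascan or from Shisho, that implements that check over constructed snippets modelled on the Terraform cidr lines and the CloudFormation CIDRIP lines shown here. The 256 threshold is assumed from the rule name, the regex-based extraction is a deliberate simplification rather than a real HCL or CloudFormation parser, and the world-open open.json sample is constructed to show the worst case.

```python
"""Flag RDS DB security group ingress rules whose CIDR admits too many hosts.

Added example: the threshold (256) is assumed from the terrascan rule name
rdsHostsHigherThan256; snippet extraction is a simple regex, not an HCL or
CloudFormation parser.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed samples modelled on the snippets shown on this page.
SAMPLES: Dict[str, str] = {
    "positive.tf": (
        'resource "aws_db_security_group" "rdsHostsHigherThan256" {\n'
        '  name = "rds_sg"\n'
        '  ingress {\n'
        '    cidr = "192.164.0.0/23"\n'
        '  }\n'
        '}\n'
    ),
    "negative.tf": (
        'resource "aws_db_security_group" "rdsHostsHigherThan256" {\n'
        '  name = "rds_sg"\n'
        '  ingress {\n'
        '    cidr = "10.164.0.0/32"\n'
        '  }\n'
        '}\n'
    ),
    "rds.yml": (
        "    Type: AWS::RDS::DBSecurityGroup\n"
        "    Properties:\n"
        "      GroupDescription: Ingress for CIDRIP\n"
        "      DBSecurityGroupIngress:\n"
        "        CIDRIP: 192.168.0.0/32\n"
    ),
    # Constructed: a world-open rule, the worst case this check must catch.
    "open.json": (
        '"Properties": {\n'
        '  "DBSecurityGroupIngress": { "CIDRIP": "0.0.0.0/0" }\n'
        '}\n'
    ),
}

# Matches Terraform `cidr = "x/y"`, YAML `CIDRIP: x/y` and JSON `"CIDRIP": "x/y"`.
CIDR_PATTERN = re.compile(
    r'(?:\bcidr\s*=|"?CIDRIP"?\s*:)\s*"?([0-9A-Fa-f:.]+/\d{1,3})"?'
)

MAX_HOSTS = 256  # assumed threshold, taken from the rule name rdsHostsHigherThan256


def cidr_address_count(cidr: str) -> int:
    """Number of addresses an ingress CIDR admits (512 for a /23, 1 for a /32)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def find_cidrs(text: str) -> List[str]:
    """Extract every ingress CIDR from a Terraform, YAML or JSON snippet."""
    return CIDR_PATTERN.findall(text)


def wide_ingress_cidrs(text: str, max_hosts: int = MAX_HOSTS) -> List[Tuple[str, int]]:
    """Return (cidr, address_count) for each rule admitting more than max_hosts."""
    findings = []
    for cidr in find_cidrs(text):
        count = cidr_address_count(cidr)
        if count > max_hosts:
            findings.append((cidr, count))
    return findings


def scan(samples: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Run the check over every sample; an empty list means the file passes."""
    return {name: wide_ingress_cidrs(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        verdict = "PASS" if not findings else "FAIL: " + ", ".join(
            f"{cidr} admits {count} addresses" for cidr, count in findings
        )
        print(f"{name}: {verdict}")
```

Running the module prints a PASS/FAIL line per sample; in a pipeline, `wide_ingress_cidrs` would be fed the contents of each .tf, .yml or .json file and a non-empty result would fail the build. Note that `ipaddress.ip_network` also handles IPv6 prefixes, so a `::/0` rule is caught by the same threshold.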

Parameters

Explanation in CloudFormation Registry

The AWS::RDS::DBSecurityGroup resource creates or updates an Amazon RDS DB security group.

Note: DB security groups are a part of the EC2-Classic Platform and as such are not supported in all regions. It is advised to use the AWS::EC2::SecurityGroup resource in those regions instead. To determine which platform you are on, see Determining Whether You Are Using the EC2-VPC or EC2-Classic Platform. For more information on the AWS::EC2::SecurityGroup, see the documentation for EC2 security groups.

Frequently asked questions

What is AWS Amazon RDS Security Group?

AWS Amazon RDS Security Group is a resource for Amazon RDS of Amazon Web Service. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon RDS Security Group?

For Terraform, the storebot/pr_demo_flat and patilpankaj212/terrascan-policies source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the neillturner/cfndsl_examples, helloanh/cloud-formation-template and ShilpaChaudhary-git/WordPress source code examples are useful. See the CloudFormation Example section for further details.