    RDS Security Scanner

    Production-ready RDS and Aurora security scanner with multi-framework compliance mapping

    A comprehensive, production-ready AWS RDS and Aurora security scanner with 53 security checks across 7 categories and compliance mapping for AWS FSBP, a CIS-based RDS hardening baseline, PCI DSS, HIPAA, SOC 2, ISO 27001/27017/27018, GDPR, and NIST SP 800-53 Rev5 (10 frameworks, 201 controls total). Features an Aurora-aware four-tier scan, customer-managed KMS key detection, and engine-aware SSL/TLS analysis.

    Features

    Security Analysis (7 categories, 53 checks)

    • Encryption: at-rest, snapshot, SSL/TLS enforcement, customer-managed KMS CMK
    • Network & Access: public accessibility, SG 0.0.0.0/0, IAM database auth, public snapshots
    • Logging & Monitoring: CloudWatch Logs, Enhanced Monitoring, Performance Insights, activity streams
    • Backup & Recovery: retention >= 7 days, deletion protection, Multi-AZ, Aurora backtrack
    • Maintenance: auto minor version upgrade, pending maintenance actions
    • Configuration & Tagging: parameter groups, Secrets Manager creds, RDS Proxy TLS, required tags

    Compliance

    • AWS FSBP (45 controls)
    • CIS-based RDS hardening baseline (20 controls)
    • PCI DSS v4.0.1 (15 controls)
    • HIPAA Security Rule (17 controls)
    • SOC 2 (18 controls)
    • ISO 27001/27017/27018
    • GDPR (13 controls)
    • NIST 800-53 Rev5 (31 controls)

    Output

    • Security score 0-100 per resource
    • JSON, CSV, HTML reports + compliance JSON
    • Interactive Chart.js dashboards
    • Read-only: 16 describe-only IAM actions

    Installation & Usage

    PyPI Installation

    pip install rds-security-scanner
    

    Docker

    docker pull tarekcheikh/rds-security-scanner:latest
    

    Commands

    # Scan all RDS instances and Aurora clusters
    rds-security-scanner security

    # Scan with a specific profile / region
    rds-security-scanner security -p production -r eu-west-1

    # Scan a single instance, HTML output
    rds-security-scanner security -i my-database -f html -o ./reports

    Security Checks

    • Instance Storage Encryption Disabled (CRITICAL)
    • Publicly Accessible Instance (CRITICAL)
    • Publicly Shared DB Snapshot (CRITICAL)
    • Instance Not Deployed in a VPC (CRITICAL)
    • No SSL/TLS Enforcement (HIGH)
    • Security Group Open to 0.0.0.0/0 on DB Port (HIGH)
    • Backup Retention Under 7 Days (HIGH)
    • Pending Maintenance Actions (HIGH)
    • No Customer-Managed KMS Key (CMK) (MEDIUM)
    • Non-Default Database Port Not Used (MEDIUM)
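    To show what a few of these checks look like when evaluated against describe-style RDS data, here is an added example in Python; it is not the scanner's own code. It assumes input shaped like boto3's describe_db_instances and describe_security_groups responses, and the instance and security group below are constructed samples.

```python
"""Evaluate RDS describe-style data against some of the checks listed above.
Added example, not the scanner's own code. Input shape assumed to follow
boto3 describe_db_instances / describe_security_groups responses."""

# Constructed sample: one instance with several weak settings.
SAMPLE_INSTANCE = {
    "DBInstanceIdentifier": "my-database",
    "StorageEncrypted": False,
    "PubliclyAccessible": True,
    "DBSubnetGroup": {"VpcId": "vpc-0example"},
    "BackupRetentionPeriod": 1,
    "Endpoint": {"Port": 3306},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example"}],
}
# Constructed sample: the attached SG admits the whole internet on 3306.
SAMPLE_SECURITY_GROUPS = {
    "sg-0example": [{"FromPort": 3306, "ToPort": 3306,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}


def sg_open_to_world(instance, security_groups):
    """True if any attached SG ingress rule admits 0.0.0.0/0 on the DB port.
    Rules without FromPort/ToPort (all traffic) are treated as covering all ports."""
    port = instance["Endpoint"]["Port"]
    for ref in instance.get("VpcSecurityGroups", []):
        for rule in security_groups.get(ref["VpcSecurityGroupId"], []):
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if lo <= port <= hi and any(
                r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])
            ):
                return True
    return False


def evaluate(instance, security_groups):
    """Return a list of (check name, severity) for every failing check."""
    findings = []
    if not instance.get("StorageEncrypted"):
        findings.append(("Instance Storage Encryption Disabled", "CRITICAL"))
    if instance.get("PubliclyAccessible"):
        findings.append(("Publicly Accessible Instance", "CRITICAL"))
    if not instance.get("DBSubnetGroup", {}).get("VpcId"):
        findings.append(("Instance Not Deployed in a VPC", "CRITICAL"))
    if sg_open_to_world(instance, security_groups):
        findings.append(("Security Group Open to 0.0.0.0/0 on DB Port", "HIGH"))
    if instance.get("BackupRetentionPeriod", 0) < 7:
        findings.append(("Backup Retention Under 7 Days", "HIGH"))
    return findings
```

    The sample instance fails four of the five checks; swapping in the response of a real describe call (with a read-only role) is all that is needed to run it against a live account.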

    Compliance Frameworks

    • AWS FSBP: 45 controls
    • CIS RDS Hardening Baseline: 20 controls
    • PCI DSS v4.0.1: 15 controls
    • HIPAA Security Rule: 17 controls
    • SOC 2: 18 controls
    • ISO 27001:2022: 20 controls
    • GDPR: 13 controls
    • NIST 800-53 Rev5: 31 controls

    Need Help Implementing?

    We can help you deploy and customize this tool for your specific needs, or build custom solutions.