@turbot/aws-rds

The aws-rds mod contains resource, control and policy definitions for the AWS RDS service.

Resource Types

Resource types covered by this mod:

Permissions

Permissions for RDS and the grant level associated with each:

| Permission | Grant Level | Help |
| --- | --- | --- |
| cloudwatch:DescribeAlarms | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| cloudwatch:GetMetricData | Metadata | |
| cloudwatch:GetMetricStatistics | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| dbqms:CreateFavoriteQuery | Admin | |
| dbqms:CreateQueryHistory | Admin | |
| dbqms:CreateTab | Admin | |
| dbqms:DeleteFavoriteQueries | Admin | |
| dbqms:DeleteQueryHistory | Admin | |
| dbqms:DeleteTab | Admin | |
| dbqms:DescribeFavoriteQueries | Metadata | |
| dbqms:DescribeQueryHistory | Metadata | |
| dbqms:DescribeTabs | Metadata | |
| dbqms:GetQueryString | Metadata | |
| dbqms:UpdateFavoriteQuery | Admin | |
| dbqms:UpdateQueryHistory | Admin | |
| dbqms:UpdateTab | Admin | |
| ec2:DescribeAccountAttributes | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeAvailabilityZones | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeSecurityGroups | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeSubnets | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeVpcs | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| iam:ListRoles | Metadata | |
| iam:PassRole | Admin | Required to attach rds-monitoring-role while creating new rds clusters. |
| kms:ListAliases | Metadata | |
| pi:CreatePerformanceAnalysisReport | Admin | Performance Insights |
| pi:DeletePerformanceAnalysisReport | Admin | |
| pi:DescribeDimensionKeys | Metadata | |
| pi:GetDimensionKeyDetails | Metadata | |
| pi:GetPerformanceAnalysisReport | Metadata | |
| pi:GetResourceMetadata | Metadata | |
| pi:GetResourceMetrics | Metadata | |
| pi:ListAvailableResourceDimensions | Metadata | |
| pi:ListAvailableResourceMetrics | Metadata | |
| pi:ListPerformanceAnalysisReports | Metadata | |
| pi:ListTagsForResource | Metadata | |
| pi:TagResource | Operator | |
| pi:UntagResource | Operator | |
| ram:GetResourceShares | Metadata | |
| ram:ListResources | Metadata | |
| rds-data:BatchExecuteStatement | Admin | |
| rds-data:BeginTransaction | Admin | |
| rds-data:CommitTransaction | Admin | |
| rds-data:ExecuteSql | Admin | |
| rds-data:ExecuteStatement | Admin | |
| rds-data:RollbackTransaction | Admin | |
| rds-db:connect | Admin | |
| rds:AddRoleToDBCluster | Admin | |
| rds:AddRoleToDBInstance | Admin | |
| rds:AddSourceIdentifierToSubscription | Operator | |
| rds:AddTagsToResource | Operator | |
| rds:ApplyPendingMaintenanceAction | Operator | |
| rds:AuthorizeDBSecurityGroupIngress | Admin | You can't authorize ingress from an EC2 security group in one AWS Region to an Amazon RDS DB instance in another. You can't authorize ingress from a VPC security group in one VPC to an Amazon RDS DB instance in another. |
| rds:BacktrackDBCluster | Admin | |
| rds:CancelExportTask | Admin | |
| rds:CopyDBClusterParameterGroup | Admin | |
| rds:CopyDBClusterSnapshot | Operator | |
| rds:CopyDBParameterGroup | Admin | |
| rds:CopyDBSnapshot | Operator | |
| rds:CopyOptionGroup | Admin | |
| rds:CreateCustomAvailabilityZone | Admin | |
| rds:CreateCustomDBEngineVersion | Admin | |
| rds:CreateDBCluster | Admin | |
| rds:CreateDBClusterEndpoint | Admin | |
| rds:CreateDBClusterParameterGroup | Admin | |
| rds:CreateDBClusterSnapshot | Operator | |
| rds:CreateDBInstance | Admin | |
| rds:CreateDBInstanceReadReplica | Admin | |
| rds:CreateDBParameterGroup | Admin | |
| rds:CreateDBProxy | Admin | |
| rds:CreateDBProxyEndpoint | Admin | |
| rds:CreateDBSecurityGroup | Admin | Admin can manage DB security groups, which control access to EC2-Classic DB instances that are not in a VPC. |
| rds:CreateDBSnapshot | Operator | |
| rds:CreateDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
| rds:CreateEventSubscription | Operator | |
| rds:CreateGlobalCluster | Admin | |
| rds:CreateOptionGroup | Admin | |
| rds:CrossRegionCommunication | Admin | |
| rds:DeleteCustomAvailabilityZone | Admin | |
| rds:DeleteCustomDBEngineVersion | Admin | |
| rds:DeleteDBCluster | Admin | |
| rds:DeleteDBClusterEndpoint | Admin | |
| rds:DeleteDBClusterParameterGroup | Admin | |
| rds:DeleteDBClusterSnapshot | Admin | Deletion of snapshots is limited to Admins even though Operators can create them. |
| rds:DeleteDBInstance | Admin | |
| rds:DeleteDBInstanceAutomatedBackup | Admin | Admins can delete automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID. |
| rds:DeleteDBParameterGroup | Admin | |
| rds:DeleteDBProxy | Admin | |
| rds:DeleteDBProxyEndpoint | Admin | |
| rds:DeleteDBSecurityGroup | Admin | |
| rds:DeleteDBSnapshot | Admin | Deletion of snapshots is limited to Admins even though Operators can create them. |
| rds:DeleteDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
| rds:DeleteEventSubscription | Operator | |
| rds:DeleteGlobalCluster | Admin | |
| rds:DeleteInstallationMedia | Admin | |
| rds:DeleteOptionGroup | Admin | |
| rds:DeregisterDBProxyTargets | Admin | |
| rds:DescribeAccountAttributes | Metadata | |
| rds:DescribeCertificates | Metadata | |
| rds:DescribeCustomAvailabilityZones | Metadata | |
| rds:DescribeDBClusterBacktracks | Metadata | |
| rds:DescribeDBClusterEndpoints | Metadata | |
| rds:DescribeDBClusterParameterGroups | Metadata | |
| rds:DescribeDBClusterParameters | Metadata | |
| rds:DescribeDBClusters | Metadata | |
| rds:DescribeDBClusterSnapshotAttributes | Metadata | |
| rds:DescribeDBClusterSnapshots | Metadata | |
| rds:DescribeDBEngineVersions | Metadata | |
| rds:DescribeDBInstanceAutomatedBackups | Metadata | |
| rds:DescribeDBInstances | Metadata | |
| rds:DescribeDBLogFiles | Metadata | |
| rds:DescribeDBParameterGroups | Metadata | |
| rds:DescribeDBParameters | Metadata | |
| rds:DescribeDBProxies | Metadata | |
| rds:DescribeDBProxyEndpoints | Metadata | |
| rds:DescribeDBProxyTargetGroups | Metadata | |
| rds:DescribeDBProxyTargets | Metadata | |
| rds:DescribeDBSecurityGroups | Metadata | |
| rds:DescribeDBSnapshotAttributes | Metadata | |
| rds:DescribeDBSnapshots | Metadata | |
| rds:DescribeDBSubnetGroups | Metadata | |
| rds:DescribeEngineDefaultClusterParameters | Metadata | |
| rds:DescribeEngineDefaultParameters | Metadata | |
| rds:DescribeEventCategories | Metadata | |
| rds:DescribeEvents | Metadata | |
| rds:DescribeEventSubscriptions | Metadata | |
| rds:DescribeExportTasks | Metadata | |
| rds:DescribeGlobalClusters | Metadata | |
| rds:DescribeInstallationMedia | Metadata | |
| rds:DescribeOptionGroupOptions | Metadata | |
| rds:DescribeOptionGroups | Metadata | |
| rds:DescribeOrderableDBInstanceOptions | Metadata | |
| rds:DescribePendingMaintenanceActions | Metadata | |
| rds:DescribeRecommendationGroups | Metadata | |
| rds:DescribeRecommendations | Metadata | |
| rds:DescribeReservedDBInstances | Metadata | |
| rds:DescribeReservedDBInstancesOfferings | Metadata | |
| rds:DescribeSourceRegions | Metadata | |
| rds:DescribeValidDBInstanceModifications | Metadata | |
| rds:DownloadCompleteDBLogFile | ReadOnly | |
| rds:DownloadDBLogFilePortion | ReadOnly | |
| rds:FailoverDBCluster | Operator | |
| rds:FailoverGlobalCluster | Operator | |
| rds:ImportInstallationMedia | Admin | |
| rds:ListTagsForResource | Metadata | |
| rds:ModifyCertificates | Admin | |
| rds:ModifyCurrentDBClusterCapacity | Admin | Admins can set the capacity of an Aurora Serverless DB cluster to a specific value. |
| rds:ModifyCustomDBEngineVersion | Admin | |
| rds:ModifyDBCluster | Admin | |
| rds:ModifyDBClusterEndpoint | Admin | Admins can modify the properties of an endpoint in an Amazon Aurora DB cluster. |
| rds:ModifyDBClusterParameterGroup | Admin | |
| rds:ModifyDBClusterSnapshotAttribute | Admin | Allows for cross-account access. |
| rds:ModifyDBInstance | Admin | |
| rds:ModifyDBParameterGroup | Admin | |
| rds:ModifyDBProxy | Admin | |
| rds:ModifyDBProxyEndpoint | Admin | |
| rds:ModifyDBProxyTargetGroup | Admin | |
| rds:ModifyDBSnapshot | Operator | Can update a manual DB snapshot's engine version. Currently only supports MySQL. |
| rds:ModifyDBSnapshotAttribute | Admin | Allows for cross-account access. |
| rds:ModifyDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
| rds:ModifyEventSubscription | Operator | |
| rds:ModifyGlobalCluster | Admin | |
| rds:ModifyOptionGroup | Admin | |
| rds:ModifyRecommendation | Admin | |
| rds:PromoteReadReplica | Operator | |
| rds:PromoteReadReplicaDBCluster | Operator | |
| rds:PurchaseReservedDBInstancesOffering | Owner | |
| rds:RebootDBCluster | Operator | |
| rds:RebootDBInstance | Operator | |
| rds:RegisterDBProxyTargets | Admin | |
| rds:RemoveFromGlobalCluster | Admin | |
| rds:RemoveRoleFromDBCluster | Admin | |
| rds:RemoveRoleFromDBInstance | Admin | |
| rds:RemoveSourceIdentifierFromSubscription | Operator | |
| rds:RemoveTagsFromResource | Operator | |
| rds:ResetDBClusterParameterGroup | Admin | |
| rds:ResetDBParameterGroup | Admin | |
| rds:RestoreDBClusterFromS3 | Admin | |
| rds:RestoreDBClusterFromSnapshot | Admin | |
| rds:RestoreDBClusterToPointInTime | Admin | |
| rds:RestoreDBInstanceFromDBSnapshot | Admin | |
| rds:RestoreDBInstanceFromS3 | Admin | Admin can create backup of their database and store it in S3. |
| rds:RestoreDBInstanceToPointInTime | Admin | |
| rds:RevokeDBSecurityGroupIngress | Admin | |
| rds:StartActivityStream | Operator | |
| rds:StartDBCluster | Operator | |
| rds:StartDBInstance | Operator | |
| rds:StartDBInstanceAutomatedBackupsReplication | Operator | |
| rds:StartExportTask | Operator | |
| rds:StopActivityStream | Operator | |
| rds:StopDBCluster | Operator | |
| rds:StopDBInstance | Operator | |
| rds:StopDBInstanceAutomatedBackupsReplication | Operator | |

Version: 5.25.0
Released On: Sep 21, 2023

Release Notes

5.25.0 (2023-09-21)

What's new?

  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.
  • AWS/RDS/Admin, AWS/RDS/Metadata and AWS/RDS/Operator now include permissions for Performance Insights.

5.24.0 (2023-06-05)

What's new?

  • Resource's metadata will now also include createdBy details in Guardrails CMDB.

5.23.0 (2023-05-17)

Resource Types

Added

  • AWS > RDS > Global Cluster

Control Types

Added

  • AWS > RDS > Global Cluster > Active
  • AWS > RDS > Global Cluster > Approved
  • AWS > RDS > Global Cluster > CMDB
  • AWS > RDS > Global Cluster > Discovery

Policy Types

Added

  • AWS > RDS > Global Cluster > Active
  • AWS > RDS > Global Cluster > Active > Age
  • AWS > RDS > Global Cluster > Active > Budget
  • AWS > RDS > Global Cluster > Active > Last Modified
  • AWS > RDS > Global Cluster > Approved
  • AWS > RDS > Global Cluster > Approved > Budget
  • AWS > RDS > Global Cluster > Approved > Custom
  • AWS > RDS > Global Cluster > Approved > Usage
  • AWS > RDS > Global Cluster > CMDB

Action Types

Added

  • AWS > RDS > Global Cluster > Delete
  • AWS > RDS > Global Cluster > Delete from AWS
  • AWS > RDS > Global Cluster > Router
  • AWS > RDS > Global Cluster > Skip alarm for Active control
  • AWS > RDS > Global Cluster > Skip alarm for Active control [90 days]
  • AWS > RDS > Global Cluster > Skip alarm for Approved control
  • AWS > RDS > Global Cluster > Skip alarm for Approved control [90 days]

5.22.9 (2023-03-31)

Bug fixes

  • The rds:RestoreDBInstanceToPointInTime real-time event was not processed correctly in Guardrails which would lead to restored DB Instances not getting upserted in Guardrails CMDB. This is fixed and the event will now be processed correctly.

5.22.8 (2023-02-10)

Bug fixes

  • Guardrails would sometimes upsert DB Cluster Snapshots [Manual] and DB Snapshots [Manual] with incorrect casing via real-time create events, which could lead to duplicate resources in Guardrails CMDB. This is fixed and the resources will now be upserted correctly and more smoothly than before.

5.22.7 (2022-11-25)

Bug fixes

  • Previously, for any missing DB Cluster Parameter Group, DB Parameter Group, Option Group or Subnet group in Guardrails, we would overlook and not process any of the real-time update events for such resources. From now on, for any such update event, we will try and discover all missing resources and upsert them into Guardrails CMDB to allow users to manage their resources more reliably and consistently than before.

5.22.6 (2022-11-08)

Bug fixes

  • Previously, for any missing DB cluster, DB instance, DB cluster snapshot, or a DB snapshot in Guardrails, we would overlook and not process any of the real-time update events for such resources. From now on, for any such update event, we will try and discover all missing resources and upsert them into Guardrails CMDB to allow users to manage their resources more reliably and consistently than before.

5.22.5 (2022-10-20)

Bug fixes

  • In v5.22.4, we fixed an issue in the AWS > RDS > DB Cluster > Discovery control which would incorrectly move to an error state while trying to discover Aurora MySQL 5.6 clusters in sa-east-1 region. It turns out that the Discovery control would go into an error state in other regions too because Aurora MySQL 5.6 clusters have been deprecated in AWS and are about to reach their end of life soon. We've fixed this issue and the Discovery control will now run smoothly in all applicable regions.

5.22.4 (2022-10-13)

Bug fixes

  • The AWS > RDS > DB Cluster > Discovery control would incorrectly move to an error state while trying to discover Aurora MySQL 5.6 clusters in sa-east-1 region. This is now fixed.

5.22.3 (2022-09-30)

Bug fixes

  • The AWS > RDS > DB Cluster > Schedule and AWS > RDS > DB Instance > Schedule controls would sometimes fail to start/stop a DB Cluster/DB Instance as defined in AWS > RDS > DB Cluster > Schedule or AWS > RDS > DB Instance > Schedule policies respectively. This is fixed and the controls will now start/stop resources more reliably and consistently than before.

5.22.2 (2022-09-09)

Bug fixes

  • The rds:ModifyDBInstance and rds:ModifyDBCluster real-time events were not processed correctly in Guardrails when the identifier of an instance/cluster was updated. This is fixed and the CMDB data for such instances/clusters will now be updated correctly.

5.22.1 (2022-07-13)

Bug fixes

  • The lambda functions for certain controls/actions would re-run unnecessarily whenever the mod version was updated. This has now been fixed.

5.22.0 (2022-07-12)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Guardrails alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
  • README.md file is now available for users to check details about the resource types and service permissions that the mod covers.

Action Types

Added

  • AWS > RDS > DB Cluster > Disable Copy Tags To Snapshot
  • AWS > RDS > DB Cluster > Disable Deletion Protection
  • AWS > RDS > DB Cluster > Enable Copy Tags To Snapshot
  • AWS > RDS > DB Cluster > Enable Deletion Protection
  • AWS > RDS > DB Cluster > Set Tags
  • AWS > RDS > DB Cluster > Skip alarm for Active control
  • AWS > RDS > DB Cluster > Skip alarm for Active control [90 days]
  • AWS > RDS > DB Cluster > Skip alarm for Approved control
  • AWS > RDS > DB Cluster > Skip alarm for Approved control [90 days]
  • AWS > RDS > DB Cluster > Skip alarm for Tags control
  • AWS > RDS > DB Cluster > Skip alarm for Tags control [90 days]
  • AWS > RDS > DB Cluster > Snapshot and delete from AWS
  • AWS > RDS > DB Cluster > Start DB Cluster
  • AWS > RDS > DB Cluster > Stop DB Cluster
  • AWS > RDS > DB Cluster Parameter Group > Delete from AWS
  • AWS > RDS > DB Cluster Parameter Group > Set Tags
  • AWS > RDS > DB Cluster Parameter Group > Skip alarm for Active control
  • AWS > RDS > DB Cluster Parameter Group > Skip alarm for Active control [90 days]
  • AWS > RDS > DB Cluster Parameter Group > Skip alarm for Approved control
  • AWS > RDS > DB Cluster Parameter Group > Skip alarm for Approved control [90 days]
  • AWS > RDS > DB Cluster Parameter Group > Skip alarm for Tags control
  • AWS > RDS > DB Cluster Parameter Group > Skip alarm for Tags control [90 days]
  • AWS > RDS > DB Cluster Snapshot [Manual] > Delete from AWS
  • AWS > RDS > DB Cluster Snapshot [Manual] > Set Tags
  • AWS > RDS > DB Cluster Snapshot [Manual] > Skip alarm for Active control
  • AWS > RDS > DB Cluster Snapshot [Manual] > Skip alarm for Active control [90 days]
  • AWS > RDS > DB Cluster Snapshot [Manual] > Skip alarm for Approved control
  • AWS > RDS > DB Cluster Snapshot [Manual] > Skip alarm for Approved control [90 days]
  • AWS > RDS > DB Cluster Snapshot [Manual] > Skip alarm for Tags control
  • AWS > RDS > DB Cluster Snapshot [Manual] > Skip alarm for Tags control [90 days]
  • AWS > RDS > DB Instance > Disable Auto Minor Versions Upgrade
  • AWS > RDS > DB Instance > Disable Copy Tags To Snapshot
  • AWS > RDS > DB Instance > Disable Deletion Protection
  • AWS > RDS > DB Instance > Disable Multi AZ
  • AWS > RDS > DB Instance > Enable Auto Minor Versions Upgrade
  • AWS > RDS > DB Instance > Enable Copy Tags To Snapshot
  • AWS > RDS > DB Instance > Enable Deletion Protection
  • AWS > RDS > DB Instance > Enable Multi AZ
  • AWS > RDS > DB Instance > Reboot DB Instance
  • AWS > RDS > DB Instance > Set Tags
  • AWS > RDS > DB Instance > Skip alarm for Active control
  • AWS > RDS > DB Instance > Skip alarm for Active control [90 days]
  • AWS > RDS > DB Instance > Skip alarm for Approved control
  • AWS > RDS > DB Instance > Skip alarm for Approved control [90 days]
  • AWS > RDS > DB Instance > Skip alarm for Tags control
  • AWS > RDS > DB Instance > Skip alarm for Tags control [90 days]
  • AWS > RDS > DB Instance > Snapshot and delete from AWS
  • AWS > RDS > DB Instance > Start DB Instance
  • AWS > RDS > DB Instance > Stop DB Instance
  • AWS > RDS > DB Parameter Group > Delete from AWS
  • AWS > RDS > DB Parameter Group > Set Tags
  • AWS > RDS > DB Parameter Group > Skip alarm for Active control
  • AWS > RDS > DB Parameter Group > Skip alarm for Active control [90 days]
  • AWS > RDS > DB Parameter Group > Skip alarm for Approved control
  • AWS > RDS > DB Parameter Group > Skip alarm for Approved control [90 days]
  • AWS > RDS > DB Parameter Group > Skip alarm for Tags control
  • AWS > RDS > DB Parameter Group > Skip alarm for Tags control [90 days]
  • AWS > RDS > DB Snapshot [Manual] > Delete from AWS
  • AWS > RDS > DB Snapshot [Manual] > Set Tags
  • AWS > RDS > DB Snapshot [Manual] > Skip alarm for Active control
  • AWS > RDS > DB Snapshot [Manual] > Skip alarm for Active control [90 days]
  • AWS > RDS > DB Snapshot [Manual] > Skip alarm for Approved control
  • AWS > RDS > DB Snapshot [Manual] > Skip alarm for Approved control [90 days]
  • AWS > RDS > DB Snapshot [Manual] > Skip alarm for Tags control
  • AWS > RDS > DB Snapshot [Manual] > Skip alarm for Tags control [90 days]
  • AWS > RDS > Option Group > Delete from AWS
  • AWS > RDS > Option Group > Set Tags
  • AWS > RDS > Option Group > Skip alarm for Active control
  • AWS > RDS > Option Group > Skip alarm for Active control [90 days]
  • AWS > RDS > Option Group > Skip alarm for Approved control
  • AWS > RDS > Option Group > Skip alarm for Approved control [90 days]
  • AWS > RDS > Option Group > Skip alarm for Tags control
  • AWS > RDS > Option Group > Skip alarm for Tags control [90 days]
  • AWS > RDS > Subnet Group > Delete from AWS
  • AWS > RDS > Subnet Group > Set Tags
  • AWS > RDS > Subnet Group > Skip alarm for Active control
  • AWS > RDS > Subnet Group > Skip alarm for Active control [90 days]
  • AWS > RDS > Subnet Group > Skip alarm for Approved control
  • AWS > RDS > Subnet Group > Skip alarm for Approved control [90 days]
  • AWS > RDS > Subnet Group > Skip alarm for Tags control
  • AWS > RDS > Subnet Group > Skip alarm for Tags control [90 days]

5.21.0 (2022-02-16)

What's new?

  • Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks would be a part of the evaluation of the Approved control. Custom messages can also be added which are then displayed in the control details table. See Custom Checks for more information.

Bug fixes

  • We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will now not look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.

Policy Types

Added

  • AWS > RDS > DB Cluster > Approved > Custom
  • AWS > RDS > DB Cluster Parameter Group > Approved > Custom
  • AWS > RDS > DB Cluster Snapshot [Manual] > Approved > Custom
  • AWS > RDS > DB Instance > Approved > Custom
  • AWS > RDS > DB Parameter Group > Approved > Custom
  • AWS > RDS > DB Snapshot [Manual] > Approved > Custom
  • AWS > RDS > Option Group > Approved > Custom
  • AWS > RDS > Subnet Group > Approved > Custom

5.20.3 (2022-01-28)

Bug fixes

  • The Schedule controls for DB Instance and DB Cluster would incorrectly go into a skipped state if their respective Schedule policies were set to Skip but their Schedule Tag policies were set to Enforce: Schedule per turbot_custom_schedule tag. This is fixed and the controls will now work as expected.

5.20.2 (2022-01-27)

Bug fixes

  • The AWS > RDS > DB Cluster > CMDB control would sometimes fail to update the Status of a DB Cluster correctly due to being triggered too quickly after the cluster was stopped or started by the AWS > RDS > DB Cluster > Schedule control. This would lead to the schedule control being inconsistent in its behavior. The AWS > RDS > DB Cluster > CMDB control will now re-trigger after 2 minutes if a DB Cluster is stopped or started, to reflect its correct status in Guardrails CMDB.

5.20.1 (2022-01-20)

Bug fixes

  • The AWS > RDS > DB Cluster > Schedule and AWS > RDS > DB Instance > Schedule controls would incorrectly go into an error state if the corresponding CMDB controls were in error and the AWS > RDS > DB Cluster > Schedule and AWS > RDS > DB Instance > Schedule policies were set to Skip, respectively. This is fixed and the controls will now work as expected.

5.20.0 (2021-12-24)

What's new?

  • AWS/RDS/Admin, AWS/RDS/Metadata and AWS/RDS/Operator now include permissions for Custom Availability Zone, DB Proxy, Custom DB Engine Version, DB Instance Automated Backups Replication and DBQMS permissions for Tabs.

5.19.0 (2021-11-11)

Control Types

Added

  • AWS > RDS > DB Instance > Performance Insights

Policy Types

Added

  • AWS > RDS > DB Instance > Performance Insights
  • AWS > RDS > DB Instance > Performance Insights > KMS Key
  • AWS > RDS > DB Instance > Performance Insights > Retention Period

Action Types

Added

  • AWS > RDS > DB Instance > Update Performance Insights

5.18.0 (2021-10-27)

Control Types

Added

  • AWS > RDS > DB Cluster > Logs Export Configuration
  • AWS > RDS > DB Instance > Logs Export Configuration

Policy Types

Added

  • AWS > RDS > DB Cluster > Logs Export Configuration
  • AWS > RDS > DB Cluster > Logs Export Configuration > Log Types
  • AWS > RDS > DB Instance > Logs Export Configuration
  • AWS > RDS > DB Instance > Logs Export Configuration > Log Types

Action Types

Added

  • AWS > RDS > DB Cluster > Update Logs Export Configuration
  • AWS > RDS > DB Instance > Update Logs Export Configuration

5.17.0 (2021-08-04)

Control Types

Added

  • AWS > RDS > DB Cluster > Copy Tags to Snapshot
  • AWS > RDS > DB Cluster > Deletion Protection
  • AWS > RDS > DB Instance > Auto Minor Version Upgrade
  • AWS > RDS > DB Instance > Copy Tags to Snapshot
  • AWS > RDS > DB Instance > Deletion Protection
  • AWS > RDS > DB Instance > Multi-AZ

Policy Types

Added

  • AWS > RDS > DB Cluster > Copy Tags to Snapshot
  • AWS > RDS > DB Cluster > Deletion Protection
  • AWS > RDS > DB Instance > Auto Minor Version Upgrade
  • AWS > RDS > DB Instance > Copy Tags to Snapshot
  • AWS > RDS > DB Instance > Deletion Protection
  • AWS > RDS > DB Instance > Multi-AZ

Action Types

Added

  • AWS > RDS > DB Cluster > Update Copy Tags to Snapshot
  • AWS > RDS > DB Cluster > Update Deletion Protection
  • AWS > RDS > DB Instance > Update Auto Minor Version Upgrade
  • AWS > RDS > DB Instance > Update Copy Tags to Snapshot
  • AWS > RDS > DB Instance > Update Deletion Protection
  • AWS > RDS > DB Instance > Update Multi-AZ

5.16.1 (2021-07-28)

Bug fixes

  • The DB Instance CMDB data did not update automatically after listening to the rds:ModifyDBInstance event. This is now fixed.

5.16.0 (2021-07-20)

What's new?

  • AWS/RDS/Admin and AWS/RDS/Metadata now include DBQMS permissions for favorite query and query history and RDS-Data permissions to execute SQL statements.

5.15.0 (2021-07-09)

What's new?

  • We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.14.0 (2021-06-28)

Control Types

Added

  • AWS > RDS > DB Cluster > Backup Retention Period
  • AWS > RDS > DB Instance > Backup Retention Period

Policy Types

Added

  • AWS > RDS > DB Cluster > Backup Retention Period
  • AWS > RDS > DB Cluster > Backup Retention Period > Days
  • AWS > RDS > DB Instance > Backup Retention Period
  • AWS > RDS > DB Instance > Backup Retention Period > Days

Action Types

Added

  • AWS > RDS > DB Cluster > Update Backup Retention Period
  • AWS > RDS > DB Instance > Update Backup Retention Period

5.13.0 (2021-06-24)

What's new?

  • AWS/RDS/Admin now includes global cluster, activity stream, RDS data, and performance insights permissions.

    AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-rds policy now includes pi:*, rds-data:*, and rds-db:*.

5.12.0 (2021-04-23)

What's new?

  • AWS > RDS > DB Instance > Approved control will now run faster when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
  • We've improved the state reasons and details tables in the Approved and Active controls for resources like DB cluster, DB instance and DB cluster parameter group to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

5.11.0 (2021-03-26)

What's new?

  • We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.

Bug fixes

  • The AWS > RDS > DB Instance > Discovery control would go into an error state for a few regions since oracle-se and oracle-se1 engines are not supported in these regions. This is now fixed.

Policy Types

Renamed

  • AWS > RDS > DB Instance > Parameter Group > Parameter Group Name to AWS > RDS > DB Instance > Parameter Group > Name
  • AWS > RDS > DB Instance > DB Instance Publicly Accessible to AWS > RDS > DB Instance > Publicly Accessible

5.10.2 (2021-01-14)

Bug fixes

  • There were a number of policies available for DB instances which were not associated with any controls and had no effect on any resources. These policies have been removed to avoid any confusion around them.
  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

Policy Types

Removed

  • AWS > RDS > DB Instance > DB Free Storage Space Alarm
  • AWS > RDS > DB Instance > Parameters
  • AWS > RDS > DB Instance > Parameters > Audit Logging
  • AWS > RDS > Database Backup
  • AWS > RDS > Database Backup > Protection
  • AWS > RDS > Database Backup > Snapshot Name Prefix

5.10.1 (2020-12-09)

Bug fixes

  • Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.

5.10.0 (2020-12-02)

Bug fixes

  • We’ve removed a duplicate event handler which was causing unwanted RDS events to be sent to Guardrails.

Policy Types

Removed

  • AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-rds

5.9.0 (2020-10-19)

What's new?

  • The AWS > RDS > DB Instance > Approved policy now includes the following new policy values:
    - Enforce: Stop unapproved
    - Enforce: Stop unapproved if new
    By setting these new values you can directly stop unapproved DB instances.

5.8.0 (2020-10-12)

What's new?

  • We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.

Bug fixes

  • We've made some improvements to our real-time event handling that reduces the risk of creating resources in CMDB with malformed AKAs. There's no noticeable difference, but things should run more reliably now.

5.7.0 (2020-09-09)

What's new?

  • Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
  • We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.

Bug fixes

  • Arn, Subnets and SubnetOutpost properties were not available for use in GraphQL queries. This issue has now been fixed.

5.6.3 (2020-08-20)

Bug fixes

  • Whenever a DB parameter group or a DB cluster parameter group was copied from an existing DB parameter group or a DB cluster parameter group respectively, we would mishandle those events and create those resources without their identifiers in their AKAs. This issue has been fixed and we now create these resources with the proper AKAs.

5.6.2 (2020-08-14)

Bug fixes

  • Minor improvements were made to the AWS > RDS > DB Instance > Schedule control to make sure that you can start and stop your DB instances effectively without running into errors.

Policy Types

Renamed

  • AWS > RDS > DB Instance > Schedule > Tag to AWS > RDS > DB Instance > Schedule Tag

5.6.1 (2020-08-14)

Bug fixes

  • Whenever a DB snapshot was copied from an existing snapshot, we would mishandle those events and create a DB snapshot without its identifier in its AKA. This issue has been fixed and we now create snapshots with the proper AKAs. DB snapshots that were created with malformed AKAs can automatically be cleaned up by the AWS > Account > Resource AKA Cleanup control, which is available in aws (5.9.0) and later.
  • In various Active controls, we were outputting log messages that did not properly show how many days were left until we'd delete the inactive resources (we were still deleting them after the correct number of days). These log messages have been fixed and now contain the correct number of days.

5.6.0 (2020-08-07)

Control Types

Added

  • AWS > RDS > DB Cluster > Schedule

Policy Types

Added

  • AWS > RDS > DB Cluster > Schedule
  • AWS > RDS > DB Cluster > Schedule Tag

Action Types

Added

  • AWS > RDS > DB Cluster > Start
  • AWS > RDS > DB Cluster > Stop

5.5.1 (2020-08-05)

Bug fixes

  • Whenever a DB instance or DB cluster was restored from a snapshot or an S3 bucket, we would mishandle those events and create a DB instance or DB cluster resource without its identifier in its AKA. This issue has been fixed for both resource types and we now create them with the proper AKAs. DB instances and DB clusters that were created with malformed AKAs can automatically be cleaned up by the AWS > Account > Resource AKA Cleanup control, which is available in aws (5.9.0) and later.

5.5.0 (2020-07-31)

What's new?

  • Cross-account trust is not only important for complex enterprise and application scenarios but is also a critical area for security controls. We now support controlling cross-account access for DB snapshots and DB cluster snapshots to provide automatic protection against unexpected cross-account access.

    A common set of trusted AWS account IDs can be defined in the AWS > Account > Trusted Accounts [Default] policy. Trusted accounts can also be defined at any level, even down to the specific snapshot resource.

    To get started with these new controls, please see the AWS > RDS > DB Snapshot [Manual] > Trusted Access and AWS > RDS > DB Cluster Snapshot [Manual] > Trusted Access policies.

Control Types

Added

  • AWS > RDS > DB Cluster Snapshot [Manual] > Trusted Access
  • AWS > RDS > DB Instance > Parameter Group
  • AWS > RDS > DB Snapshot [Manual] > Trusted Access
  • AWS > RDS > Stack

Policy Types

Added

  • AWS > RDS > DB Cluster Snapshot [Manual] > Trusted Access
  • AWS > RDS > DB Cluster Snapshot [Manual] > Trusted Access > Accounts
  • AWS > RDS > DB Instance > Parameter Group
  • AWS > RDS > DB Instance > Parameter Group > Parameter Group Name
  • AWS > RDS > DB Snapshot [Manual] > Trusted Access
  • AWS > RDS > DB Snapshot [Manual] > Trusted Access > Accounts
  • AWS > RDS > Stack
  • AWS > RDS > Stack > Secret Variables
  • AWS > RDS > Stack > Source
  • AWS > RDS > Stack > Terraform Version
  • AWS > RDS > Stack > Variables
  • AWS > RDS > Trusted Accounts [Default]

Action Types

Added

  • AWS > RDS > DB Cluster Snapshot [Manual] > Set Trusted Access
  • AWS > RDS > DB Instance > DB Instance Reboot
  • AWS > RDS > DB Instance > Update Parameter Group
  • AWS > RDS > DB Snapshot [Manual] > Set Trusted Access

5.4.1 (2020-07-02)

Bug fixes

  • Sometimes when updating CMDB for resources with tags that have empty string values, e.g., [{Key: "Empty", Value: ""}, {Key: "Guardrails is great", Value: "true"}], we would not store all of the tags correctly. This has been fixed and now all tags are accounted for.

5.4.0 (2020-06-11)

What's new?

  • The DB cluster snapshot DBClusterSnapshotAttributes data has been made available in the DBClusterSnapshotAttributesMap property. This new property stores the attribute data as a map, instead of a list of maps, for easier referencing.
  • An API call was added to the CMDB of DB parameter group which returns the detailed parameter list for a particular DB parameter group.
  • An API call was added to the CMDB of DB cluster parameter group which returns the detailed parameter list for a particular DB cluster parameter group.

5.3.1 (2020-05-26)

Bug fixes

  • After creating or modifying a DB cluster, its CMDB entry was not being updated after moving out of a transition state, e.g., creating, modifying. This has been fixed.

Policy Types

Renamed

  • AWS > RDS > DB Cluster > Configured > Precedence to AWS > RDS > DB Cluster > Configured > Claim Precedence
  • AWS > RDS > DB Cluster Parameter Group > Configured > Precedence to AWS > RDS > DB Cluster Parameter Group > Configured > Claim Precedence
  • AWS > RDS > DB Cluster Snapshot [Manual] > Configured > Precedence to AWS > RDS > DB Cluster Snapshot [Manual] > Configured > Claim Precedence
  • AWS > RDS > DB Instance > Configured > Precedence to AWS > RDS > DB Instance > Configured > Claim Precedence
  • AWS > RDS > DB Parameter Group > Configured > Precedence to AWS > RDS > DB Parameter Group > Configured > Claim Precedence
  • AWS > RDS > DB Snapshot [Manual] > Configured > Precedence to AWS > RDS > DB Snapshot [Manual] > Configured > Claim Precedence
  • AWS > RDS > Option Group > Configured > Precedence to AWS > RDS > Option Group > Configured > Claim Precedence
  • AWS > RDS > Subnet Group > Configured > Precedence to AWS > RDS > Subnet Group > Configured > Claim Precedence

5.3.0 (2020-05-14)

What's new?

  • The DB snapshot DBSnapshotAttributes data has been made available in the DBSnapshotAttributesMap property. This new property stores the attribute data as a map, instead of a list of maps, for easier referencing.
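
The attribute map described above, combined with the Trusted Access check introduced in 5.5.0, as an added example (not the mod's own code). It assumes the map is keyed by AttributeName, takes the AttributeName/AttributeValues list shape that AWS returns for DB snapshot attributes, and uses constructed account IDs and hypothetical status names.

```python
# Constructed sample in the shape of the DBSnapshotAttributes list returned by
# the AWS RDS DescribeDBSnapshotAttributes API. Account IDs are made up.
SAMPLE_ATTRIBUTES = [
    {"AttributeName": "restore",
     "AttributeValues": ["111111111111", "222222222222", "all"]},
]


def attributes_to_map(attributes):
    """Collapse the list of {AttributeName, AttributeValues} maps into one map.

    Assumption: the map is keyed by attribute name; the mod's real
    DBSnapshotAttributesMap layout may differ.
    """
    result = {}
    for attr in attributes or []:
        name = attr.get("AttributeName")
        if name is None:
            continue
        # Merge rather than overwrite in case a name appears more than once.
        values = result.setdefault(name, [])
        for value in attr.get("AttributeValues") or []:
            if value not in values:
                values.append(value)
    return result


def untrusted_restore_access(attributes, trusted_accounts):
    """Return restore grants not covered by the trusted account list.

    The value "all" marks a publicly shared snapshot and is always reported,
    even if it was placed in the trusted list by mistake.
    """
    trusted = {str(a).strip() for a in trusted_accounts}
    shared_with = attributes_to_map(attributes).get("restore", [])
    return [v for v in shared_with if v == "all" or v not in trusted]


def evaluate(attributes, trusted_accounts):
    """Summarise the check as a control-style result (hypothetical statuses)."""
    offenders = untrusted_restore_access(attributes, trusted_accounts)
    if not offenders:
        return {"status": "ok", "revoke": []}
    return {"status": "alarm", "public": "all" in offenders, "revoke": offenders}


if __name__ == "__main__":
    print(evaluate(SAMPLE_ATTRIBUTES, ["111111111111"]))
```
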

Bug fixes

  • DB snapshot permission update events were not being handled properly, so the CMDB would not reflect the latest permissions. These updates are now handled.

  • When deleting DB instances in Aurora clusters, AWS does not support creating a final snapshot through the API. As a result, the AWS > RDS > DB Instance > Delete action would fail to delete these types of DB instances. This has been fixed and now DB instances in Aurora clusters will be deleted, but no final snapshot will be created.