Enable GuardDuty RDS Protection

Overview

This check verifies that Amazon GuardDuty has RDS Protection enabled. RDS Protection monitors login activity on your Amazon Aurora and RDS databases to detect suspicious access patterns, such as logins from unusual locations or with anomalous behavior that might indicate compromised credentials.

Risk

Without GuardDuty RDS Protection enabled:

  • Attackers using stolen or guessed database credentials could access your databases undetected
  • Brute-force login attempts against your Aurora databases may go unnoticed
  • Suspicious login patterns (unusual times, locations, or behaviors) will not trigger alerts
  • Data breaches and unauthorized access could occur without timely detection

Severity: High

Remediation Steps

Prerequisites

  • AWS account access with permissions to modify GuardDuty settings
  • GuardDuty must already be enabled in your account (RDS Protection is a feature within GuardDuty)
  • For Organizations, you need access to the delegated GuardDuty administrator account

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to GuardDuty (search for it in the top search bar)
  3. In the left navigation, click Settings or Protection plans
  4. Find RDS Protection (may also appear as "RDS login events")
  5. Click Enable or toggle the feature on
  6. Click Save to apply changes

For AWS Organizations: If you manage multiple accounts through AWS Organizations, perform these steps in your delegated GuardDuty administrator account. The setting will apply to all member accounts.

AWS CLI

First, get your GuardDuty detector ID:

aws guardduty list-detectors --region us-east-1

This returns your detector ID. Then enable RDS Protection:

aws guardduty update-detector \
  --detector-id <your-detector-id> \
  --features Name=RDS_LOGIN_EVENTS,Status=ENABLED \
  --region us-east-1

Replace <your-detector-id> with the ID from the first command.

Example with a real detector ID:

aws guardduty update-detector \
  --detector-id 12abc34d567e8fa901bc2d34eexample \
  --features Name=RDS_LOGIN_EVENTS,Status=ENABLED \
  --region us-east-1

CloudFormation

Use this template to create a new GuardDuty detector with RDS Protection enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable GuardDuty with RDS Protection

Resources:
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      Features:
        - Name: RDS_LOGIN_EVENTS
          Status: ENABLED

Outputs:
  DetectorId:
    Description: The GuardDuty Detector ID
    Value: !Ref GuardDutyDetector

Deploy the template:

aws cloudformation deploy \
  --template-file guardduty-rds-protection.yaml \
  --stack-name guardduty-rds-protection \
  --region us-east-1

Note: If GuardDuty is already enabled in your account, you cannot create a second detector. In that case, use the AWS CLI method to update your existing detector.

Terraform

For an existing GuardDuty detector:

Use the aws_guardduty_detector_feature resource to enable RDS Protection on your existing detector:

# Reference your existing GuardDuty detector
data "aws_guardduty_detector" "existing" {}

# Enable RDS Protection
resource "aws_guardduty_detector_feature" "rds_protection" {
  detector_id = data.aws_guardduty_detector.existing.id
  name        = "RDS_LOGIN_EVENTS"
  status      = "ENABLED"
}

For a new GuardDuty detector:

resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_guardduty_detector_feature" "rds_protection" {
  detector_id = aws_guardduty_detector.main.id
  name        = "RDS_LOGIN_EVENTS"
  status      = "ENABLED"
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After enabling RDS Protection, verify it is active:

  1. In the GuardDuty console, go to Settings or Protection plans
  2. Confirm that RDS Protection shows as Enabled

CLI Verification

aws guardduty get-detector \
  --detector-id <your-detector-id> \
  --region us-east-1 \
  --query 'Features[?Name==`RDS_LOGIN_EVENTS`]'

Expected output showing RDS Protection is enabled:

[
  {
    "Name": "RDS_LOGIN_EVENTS",
    "Status": "ENABLED"
  }
]
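Because RDS Protection is regional, a single get-detector call only verifies one region. The following is an added example (not part of this page's original content) that classifies get-detector responses from several regions and lists the ones still needing the update-detector call above; it also treats a detector with no RDS_LOGIN_EVENTS entry at all, or a disabled detector, as unprotected. The sample responses are constructed, and the boto3 collector is an assumption about how you would feed it live data.

```python
"""Audit GuardDuty RDS Protection across regions from get-detector responses."""
from typing import Dict, List, Optional

FEATURE = "RDS_LOGIN_EVENTS"


def rds_protection_status(detector: Dict) -> str:
    """Classify one get-detector response (parsed JSON as a dict).

    ENABLED           detector active and RDS_LOGIN_EVENTS is ENABLED
    DISABLED          feature listed but not ENABLED
    FEATURE_MISSING   no RDS_LOGIN_EVENTS entry at all (treat as DISABLED)
    DETECTOR_DISABLED the detector itself is off, so no protection plan runs
    """
    if detector.get("Status") != "ENABLED":
        return "DETECTOR_DISABLED"
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            return "ENABLED" if feature.get("Status") == "ENABLED" else "DISABLED"
    return "FEATURE_MISSING"


def regions_needing_remediation(detectors_by_region: Dict[str, Optional[Dict]]) -> List[str]:
    """Map of region -> get-detector response (None when list-detectors returned
    nothing, i.e. GuardDuty is not enabled there). Returns unprotected regions."""
    return sorted(region for region, det in detectors_by_region.items()
                  if det is None or rds_protection_status(det) != "ENABLED")


def remediation_command(region: str, detector_id: str) -> str:
    """Render the update-detector call from this page for one region."""
    return (f"aws guardduty update-detector --detector-id {detector_id} "
            f"--features Name={FEATURE},Status=ENABLED --region {region}")


def collect_detectors(regions: List[str]) -> Dict[str, Optional[Dict]]:
    """Live collection via boto3 (assumed available; needs AWS credentials)."""
    import boto3  # imported lazily so the pure functions above run without it
    result: Dict[str, Optional[Dict]] = {}
    for region in regions:
        gd = boto3.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        result[region] = gd.get_detector(DetectorId=ids[0]) if ids else None
    return result


# Constructed sample responses, not real account data
SAMPLE: Dict[str, Optional[Dict]] = {
    "us-east-1": {"Status": "ENABLED", "Features": [{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]},
    "eu-west-1": {"Status": "ENABLED", "Features": [{"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"}]},
    "ap-south-1": {"Status": "ENABLED", "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]},
    "us-west-2": None,
}
```

Run `regions_needing_remediation(collect_detectors([...]))` over the regions that host Aurora databases and feed each result to `remediation_command`.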

Additional Resources

Notes

  • No performance impact: RDS Protection monitors login events without affecting database performance
  • Supported databases: RDS Protection primarily supports Amazon Aurora (MySQL and PostgreSQL compatible editions). Check AWS documentation for the current list of supported database engines
  • Regional feature: RDS Protection must be enabled in each AWS region where you have Aurora databases
  • Cost consideration: Enabling RDS Protection incurs additional GuardDuty charges based on the volume of RDS login events analyzed. See GuardDuty pricing for details
  • Finding delivery: When suspicious activity is detected, findings appear in the GuardDuty console and can be sent to Security Hub, EventBridge, and other integrated services