This check verifies that every active Amazon GuardDuty detector has RDS Protection enabled. RDS Protection analyzes login activity to Amazon RDS and Aurora databases, profiles normal access, and flags anomalous login patterns.
Risk
Without RDS Protection, anomalous database logins can go unnoticed. Attackers using stolen or brute-forced credentials may read data, alter schemas, or pivot from the database into other systems, impacting confidentiality and integrity, and potentially availability.
Run this check with Prowler CLI
prowler aws --checks guardduty_rds_protection_enabled
Recommendation
Enable GuardDuty RDS Protection across all accounts and Regions.
- Enforce least privilege for DB users and rotate credentials
- Restrict network exposure to databases
- Integrate findings with alerting and incident response for rapid containment
Remediation
CLI
aws guardduty update-detector --detector-id <detector-id> --features Name=RDS_LOGIN_EVENTS,Status=ENABLED
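The following is an added example (not Prowler's own check implementation and not AWS code) showing the logic behind both the check and the CLI remediation above: it classifies each detector by the status of its RDS_LOGIN_EVENTS feature, as returned by the GuardDuty GetDetector API, and issues the same UpdateDetector call as the remediation command for detectors that fail. The detector responses, the FakeGuardDutyClient and the detector IDs are constructed for offline use; in a real account you would pass a boto3 GuardDuty client instead.

```python
"""Assess GuardDuty detectors for RDS Protection and optionally remediate.

Added example, not Prowler's check code. Detector dicts follow the shape of
the GuardDuty GetDetector response (``Status`` plus a ``Features`` list).
"""
from typing import Dict, List, Optional

RDS_FEATURE = "RDS_LOGIN_EVENTS"  # feature name used by the GuardDuty API


def feature_status(detector: dict, feature_name: str) -> Optional[str]:
    """Return the Status of a named feature on a detector, or None if absent."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == feature_name:
            return feature.get("Status")
    return None


def evaluate_detector(detector_id: str, detector: dict) -> Dict[str, str]:
    """Classify one detector: PASS, FAIL, or SKIP when the detector is off."""
    if detector.get("Status") != "ENABLED":
        return {"detector_id": detector_id, "status": "SKIP",
                "message": "Detector is not enabled; RDS Protection not assessed."}
    if feature_status(detector, RDS_FEATURE) == "ENABLED":
        return {"detector_id": detector_id, "status": "PASS",
                "message": f"Detector {detector_id} has RDS Protection enabled."}
    # Feature missing or in any state other than ENABLED counts as a failure.
    return {"detector_id": detector_id, "status": "FAIL",
            "message": f"Detector {detector_id} does not have RDS Protection enabled."}


def enable_rds_protection(client, detector_id: str) -> dict:
    """Same call as the CLI remediation: update-detector with RDS_LOGIN_EVENTS enabled."""
    return client.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": RDS_FEATURE, "Status": "ENABLED"}],
    )


def audit_region(client, remediate: bool = False) -> List[Dict[str, str]]:
    """Evaluate every detector visible to the client; fix failures if asked."""
    results = []
    for detector_id in client.list_detectors().get("DetectorIds", []):
        detector = client.get_detector(DetectorId=detector_id)
        result = evaluate_detector(detector_id, detector)
        if remediate and result["status"] == "FAIL":
            enable_rds_protection(client, detector_id)
            result["remediated"] = "true"
        results.append(result)
    return results


# Constructed sample GetDetector responses (not real account data).
SAMPLE_DETECTORS = {
    "det-pass": {"Status": "ENABLED",
                 "Features": [{"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]},
    "det-disabled": {"Status": "ENABLED",
                     "Features": [{"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"}]},
    "det-missing": {"Status": "ENABLED",
                    "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]},
    "det-off": {"Status": "DISABLED", "Features": []},
}


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client("guardduty"), for offline runs."""

    def __init__(self, detectors: dict):
        self.detectors = {k: dict(v) for k, v in detectors.items()}
        self.update_calls = []

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def get_detector(self, DetectorId):
        return self.detectors[DetectorId]

    def update_detector(self, DetectorId, Features):
        self.update_calls.append((DetectorId, Features))
        self.detectors[DetectorId]["Features"] = Features  # reflect the change
        return {}


if __name__ == "__main__":
    # Swap FakeGuardDutyClient for boto3.client("guardduty", region_name=...) in a real account.
    client = FakeGuardDutyClient(SAMPLE_DETECTORS)
    for r in audit_region(client, remediate=True):
        print(r["status"], r["detector_id"], r["message"])
```

Run it once per Region (or once per member account when using Organizations), because GuardDuty detectors and their feature settings are Regional; a detector that is itself disabled is reported as SKIP rather than FAIL so that it surfaces as a separate finding.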
Other
- In the AWS Console, open Amazon GuardDuty
- Go to Settings (or Protection plans/Features)
- Find RDS Protection (RDS login events) and click Enable
- Save changes
- If using Organizations, perform this in the delegated GuardDuty administrator account
Resource Type
AwsGuardDutyDetector