A comprehensive AWS RDS / Aurora security scanner with multi-framework compliance mapping
A comprehensive, production-ready AWS RDS / Aurora security scanner with multi-framework compliance mapping. Audits RDS instances, Aurora clusters, database snapshots, and account-level database settings for security vulnerabilities and compliance violations across CIS, AWS FSBP, PCI-DSS, HIPAA, SOC 2, ISO frameworks, GDPR and NIST 800-53.
Features
- 53 security checks across 7 categories
- 10 compliance frameworks with 201 controls
- Four-tier scanning: Account -> Standalone Instance -> Aurora Cluster -> Aurora Member
- Aurora-aware: Handles Aurora clusters and member instances separately to prevent double-counting
- Engine-specific: Adapts checks for MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora variants
- Multi-format reports: JSON, CSV, HTML dashboard, compliance JSON
- Parallel scanning with configurable thread pool
- Fail-closed defaults: Missing data assumes the worst
Security Checks
| Category | Checks | Examples |
|---|---|---|
| A. Encryption | 8 | Storage encryption, SSL/TLS enforcement, KMS CMK, CA certificates |
| B. Network & Access | 10 | Public access, security groups, IAM auth, snapshot sharing |
| C. Logging & Monitoring | 10 | CloudWatch Logs, Enhanced Monitoring, Performance Insights, event subscriptions |
| D. Backup & Recovery | 9 | Retention period, deletion protection, Multi-AZ, backtrack |
| E. Maintenance | 3 | Auto minor version upgrade, pending maintenance |
| F. Configuration | 6 | Default parameter groups, Secrets Manager, VPC, RDS Proxy |
| G. Tagging | 7 | Instance, cluster, snapshot, subnet group, parameter group tags |
See security-checks.md for the full check catalog.
Compliance Frameworks
| Framework | Controls |
|---|---|
| AWS Foundational Security Best Practices | 45 |
| CIS-Based RDS Hardening Baseline | 20 |
| PCI DSS v4.0.1 | 15 |
| HIPAA Security Rule (§164) | 17 |
| SOC 2 (AICPA TSC 2017) | 18 |
| ISO 27001:2022 | 20 |
| ISO 27017:2015 | 12 |
| ISO 27018:2019 (conceptual mapping) | 10 |
| GDPR (EU 2016/679) | 13 |
| NIST 800-53 Rev 5 | 31 |
See compliance.md for the full mapping.
Quick Start
Installation
pip install .
Basic Usage
# Scan all RDS resources in us-east-1
rds-security-scanner security
# Use a specific AWS profile and region
rds-security-scanner security -p production -r eu-west-1
# Scan specific instances
rds-security-scanner security -i my-database
# Scan specific Aurora clusters
rds-security-scanner security -c my-aurora-cluster
# HTML report only
rds-security-scanner security -f html -o ./reports
# Compliance-focused output
rds-security-scanner security --compliance-only
# Parallel workers and debug mode
rds-security-scanner security -w 10 -d
Docker
docker build -t rds-security-scanner .
docker run --rm \
-v ~/.aws:/root/.aws:ro \
-v $(pwd)/output:/app/output \
rds-security-scanner security -r us-east-1
Output Formats
| Format | File | Description |
|---|---|---|
| JSON | rds_scan_{region}_{timestamp}.json | Full results with summary |
| CSV | rds_scan_{region}_{timestamp}.csv | Flattened per-resource rows |
| HTML | rds_scan_{region}_{timestamp}.html | Interactive dashboard with charts |
| Compliance | rds_compliance_{region}_{timestamp}.json | Per-framework breakdown |
Scoring
Each resource starts at 100 points. Deductions are applied per failed check:
| Severity | Deduction | Example Checks |
|---|---|---|
| CRITICAL | -20 | Encryption disabled, publicly accessible, public snapshots |
| HIGH | -10 to -15 | SSL not enforced, no backups, no Multi-AZ, SG unrestricted |
| MEDIUM | -5 to -8 | Default port, no CMK, no Performance Insights, default params |
| LOW | -2 to -3 | Missing tags, copy-tags-to-snapshot disabled |
Score is clamped to a minimum of 0.
IAM Permissions
The scanner requires read-only access. Minimum IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeEventSubscriptions",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBClusterParameterGroups",
        "rds:DescribeDBClusterParameters",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeDBProxies",
        "rds:DescribeOptionGroups",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribePendingMaintenanceActions",
        "rds:ListTagsForResource",
        "ec2:DescribeSecurityGroups",
        "kms:DescribeKey",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
kms:DescribeKey is used by check A.7 (CMK usage) to reliably distinguish customer-managed keys from AWS-managed keys (KeyManager property). If you cannot grant it, the scanner falls back to the StorageEncryptionType heuristic and the result will be reported as "unknown" for resources encrypted with a non-default KMS key whose KeyManager cannot be inspected.
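As an added example (not the project's own code), the following shows how the fail-closed A.7 decision described above and the per-resource scoring from the Scoring section fit together: check_a7_cmk returns PASS only when kms:DescribeKey reports KeyManager CUSTOMER, falls back to an assumed default-alias heuristic when the call is denied, and score_resource counts UNKNOWN as a failure before clamping at 0. The function names, the stand-in describe_key callables, the alias heuristic and the key ARNs are constructed for this example.

```python
from typing import Callable, Dict, List, Optional

# Deductions per severity from the Scoring table (lowest value where a range is given).
DEDUCTIONS: Dict[str, int] = {"CRITICAL": 20, "HIGH": 10, "MEDIUM": 5, "LOW": 2}
# Alias of the default AWS-managed RDS key, used only by the fallback heuristic (assumed).
AWS_MANAGED_RDS_ALIAS = "alias/aws/rds"


def check_a7_cmk(kms_key_id: Optional[str], storage_encrypted: bool,
                 describe_key: Optional[Callable[[str], dict]]) -> str:
    """Hypothetical A.7 logic: PASS for a customer-managed key, FAIL otherwise,
    UNKNOWN only when a non-default key cannot be inspected."""
    if not storage_encrypted or not kms_key_id:
        return "FAIL"  # unencrypted, or no key reported: fail closed
    if describe_key is not None:
        try:
            manager = describe_key(kms_key_id)["KeyMetadata"]["KeyManager"]
            return "PASS" if manager == "CUSTOMER" else "FAIL"
        except PermissionError:
            pass  # kms:DescribeKey not granted: use the heuristic below
    if kms_key_id.endswith(AWS_MANAGED_RDS_ALIAS):
        return "FAIL"  # recognisably the AWS-managed default key
    return "UNKNOWN"  # non-default key whose KeyManager cannot be inspected


def score_resource(results: List[Dict[str, str]]) -> int:
    """Start at 100, deduct per failed check, treat UNKNOWN as FAIL, clamp at 0."""
    score = 100
    for r in results:
        if r["status"] in ("FAIL", "UNKNOWN"):
            score -= DEDUCTIONS[r["severity"]]
    return max(0, score)


# Constructed stand-ins for kms.describe_key; no AWS calls are made.
_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0001": {"KeyManager": "CUSTOMER"},
    "arn:aws:kms:us-east-1:111122223333:key/aws-0001": {"KeyManager": "AWS"},
}


def fake_describe_key(key_id: str) -> dict:
    return {"KeyMetadata": _KEYS[key_id]}


def denied_describe_key(key_id: str) -> dict:
    raise PermissionError("AccessDeniedException: kms:DescribeKey")
```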
Development
# Create virtual environment
python -m venv venv
source venv/bin/activate
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Run with coverage
pytest tests/ --cov=rds_security_scanner --cov-report=term-missing
# Format code
black rds_security_scanner/ tests/
# Lint
flake8 rds_security_scanner/ tests/
Architecture
rds-security-scanner/
├── rds_security_scanner/
│ ├── __init__.py # Package metadata
│ ├── cli.py # Click CLI with shared option decorators
│ ├── scanner.py # Main orchestrator (4-tier architecture)
│ ├── compliance.py # 10 frameworks, 201 lambda-based controls
│ ├── utils.py # Scoring, logging, utilities
│ ├── html_reporter.py # Jinja2 HTML dashboard generator
│ ├── checks/
│ │ ├── base.py # BaseChecker with thread-safe session factory
│ │ ├── encryption.py # Checks A.1-A.8
│ │ ├── network_access.py # Checks B.1-B.10
│ │ ├── logging_monitoring.py # Checks C.1-C.10
│ │ ├── backup_recovery.py # Checks D.1-D.9
│ │ ├── maintenance.py # Checks E.1-E.3
│ │ ├── configuration.py # Checks F.1-F.6
│ │ └── tagging.py # Checks G.1-G.7
│ └── templates/
│ └── report.html # HTML report template
└── tests/ # 12 test files, 154 tests
License
MIT License - see LICENSE for details.
Author
Toc Consulting - tarek@tocconsulting.fr
File details
Details for the file rds_security_scanner-1.0.0.tar.gz.
File metadata
- Download URL: rds_security_scanner-1.0.0.tar.gz
- Upload date:
- Size: 58.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File details
Details for the file rds_security_scanner-1.0.0-py3-none-any.whl.
File metadata
- Download URL: rds_security_scanner-1.0.0-py3-none-any.whl
- Upload date:
- Size: 47.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12