Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | Amazon RDS issues no service-specific API keys. Control-plane calls are signed with the caller's IAM credentials (SigV4), so key lifecycle is the IAM access-key lifecycle: rotate long-lived keys or, preferably, replace them with roles and temporary credentials. | Prefer IAM roles over long-lived access keys. |
| Authentication & Authorization | IAM Integration | True | IAM policies control the RDS control plane (create, modify, snapshot, delete) at the level of individual actions and resource ARNs, with tag-based conditions. For MySQL, MariaDB and PostgreSQL, IAM database authentication additionally replaces the database password with a short-lived (15-minute) token tied to the `rds-db:connect` permission. | IAM database authentication must be enabled per instance and a matching database user created; it is not available for SQL Server or Oracle. |
| Authentication & Authorization | MFA | True | MFA is enforced on the IAM principal, not by the database engine. Console and API access to RDS can require MFA through the `aws:MultiFactorAuthPresent` condition; the same condition on `rds-db:connect` extends the requirement to IAM database authentication. | Native database logins (username/password) have no MFA. |
| Authentication & Authorization | Service Account Support | True | AWS has no separate service-account object; IAM roles assumed by EC2, ECS, Lambda or EKS workloads serve that purpose and yield temporary credentials, which allows least-privilege, per-workload policies without stored secrets. | |
| Authentication & Authorization | Standard Protocols | True | The RDS control-plane API is HTTPS with SigV4 request signing. Database connections use each engine's native wire protocol over TLS. OAuth 2.0 and OpenID Connect are not used for database logins; federated identities map to IAM roles, which can then use IAM database authentication. | No OAuth/OIDC at the database layer. |
| Compliance & Certifications | Compliance Documentation | True | AWS publishes audit reports and certificates (SOC 1/2/3, ISO certificates, PCI DSS attestations) through AWS Artifact. | Customer-side controls remain the customer's responsibility under the shared responsibility model. |
| Compliance & Certifications | Industry Certifications | True | Amazon RDS is in scope for ISO 27001, SOC 1/2/3 and PCI DSS, and is HIPAA eligible. | Scope varies by Region and engine; confirm the current services-in-scope list. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | There is no RDS-level masking or redaction service. Some engines provide native features (for example Dynamic Data Masking in SQL Server), but these are configured inside the database, not by RDS. | Requires engine-native features, custom development or third-party tools. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | RDS does not scan stored data for sensitive content. A common pattern is to export a snapshot to Amazon S3 (Parquet format) and scan the export with Amazon Macie or a third-party tool. | Scanning covers an exported copy, not the live database. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data leaves a Region only through explicit API actions (cross-Region snapshot copy, cross-Region read replicas, automated backup replication, snapshot export). These are IAM actions and can be denied by an SCP or IAM policy, for example with an `aws:RequestedRegion` condition. Network controls (VPC peering, VPN) govern client traffic, not these service-side copies. | KMS keys are Region-scoped: copying an encrypted snapshot to another Region requires a key in the destination Region, so KMS key policies are a second control point. |
| Data Residency & Sovereignty | Data Location Transparency | True | An instance's Region and Availability Zone are visible in the console and returned by `DescribeDBInstances`; snapshots and replicas are listed per Region by `DescribeDBSnapshots` and `DescribeDBInstances`. | Inventory every Region, since replicas or copied snapshots may exist outside the primary Region. |
| Data Residency & Sovereignty | Region Selection | True | The Region (and, for single-AZ instances, the Availability Zone) is chosen at creation, and primary data stays there unless explicitly replicated or copied. | |
| Encryption | Encryption at Rest | True | Storage, automated backups, snapshots and read replicas are encrypted with AES-256 under an AWS KMS key, either the AWS managed key `aws/rds` or a customer managed key with its own key policy and rotation schedule. | Encryption is set at creation and cannot be enabled in place; encrypt an existing instance by copying a snapshot with a KMS key and restoring from the copy. |
| Encryption | Encryption in Transit | True | Every engine supports TLS, and the minimum TLS version can be set in the parameter group. TLS is offered but not enforced by default; enforce it with `rds.force_ssl=1` (PostgreSQL, SQL Server) or `require_secure_transport=ON` (MySQL, MariaDB). | Clients should verify the server certificate against the AWS RDS CA bundle, and instances still on the expired `rds-ca-2019` certificate should be moved to a current CA. |
| Logging & Monitoring | Access Logging | True | Engine logs (the PostgreSQL log, MySQL error/general/slow query logs, and so on) can be viewed through the API and published to CloudWatch Logs. | Connection-level logging is engine configuration (e.g. `log_connections` in PostgreSQL) and is not enabled by default. |
| Logging & Monitoring | Audit Logging | True | Every RDS control-plane call is recorded by AWS CloudTrail with the caller identity and request parameters. In-database activity is not in CloudTrail; it requires engine audit features such as the MariaDB Audit Plugin option (MySQL/MariaDB) or `pgaudit` (PostgreSQL). | CloudTrail records configuration changes, not queries. |
| Logging & Monitoring | Log Retention | True | Logs published to CloudWatch Logs are kept according to the log group's retention policy. Logs kept only on the instance are rotated by the engine (PostgreSQL: `rds.log_retention_period`, default 3 days, maximum 7 days). | Publish logs to CloudWatch Logs if retention beyond a few days is required. |
| Logging & Monitoring | Monitoring & Alerting | True | CloudWatch metrics and alarms cover instance health and performance; Enhanced Monitoring adds OS-level metrics, and RDS event subscriptions push configuration, failover and security-group events to SNS. | |
| Network Security | API Gateway Integration | False | There is no direct integration: API Gateway fronts application tiers (Lambda, containers) that hold the database credentials and connect to RDS inside the VPC. | |
| Network Security | DDoS Protection | True | AWS Shield Standard protects the AWS network edge at no charge. Shield Advanced does not list RDS instances as a protected resource type, so the practical control is to keep instances private (no public endpoint) behind security groups. | Instances with `PubliclyAccessible` enabled are exposed directly and should be the exception. |
| Network Security | Firewall Rules | True | VPC security groups act as stateful firewalls for an instance, restricting inbound traffic by source security group or CIDR and port; network ACLs add a stateless subnet-level layer. | Reference application security groups as sources rather than broad CIDR ranges. |
| Network Security | Private Access | True | Instances in private subnets with `PubliclyAccessible` disabled receive only a private IP and are reachable only from the VPC, peered VPCs, or on-premises networks connected by VPN or Direct Connect. The RDS API itself can be reached through a VPC interface endpoint. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | AWS publishes no RDS-specific API design standard; the API follows the common AWS conventions (TLS-only endpoints, SigV4 signing, per-action IAM permissions, resource- and tag-based conditions). | Indirect evidence. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | AWS states that it applies secure development practices and security testing to its services, and the third-party audit reports in AWS Artifact attest to those processes; the internal details are not published. | Indirect evidence. |
| Vulnerability Management & Patching | Security Updates | True | AWS patches the underlying OS and applies engine updates during the maintenance window. Minor engine version upgrades happen automatically only when Auto minor version upgrade is enabled; major version upgrades are always customer-initiated. | Maintenance and engine upgrades can restart the instance; plan the window and use Multi-AZ to limit downtime. |
| Vulnerability Management & Patching | Vulnerability Scanning | False | The database host is not customer-accessible, so host-level scanning is neither possible nor needed. Configuration checks for RDS (encryption, public access, backups, IAM authentication) are available through AWS Config managed rules and Security Hub controls; engine-level vulnerability scanning requires third-party tools. | Config and Security Hub check configuration, not engine CVEs. |
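Several rows above (encryption at rest, private access, IAM database authentication, log exports, patching, the CA certificate) are settings that `DescribeDBInstances` reports directly, so they can be audited in one pass. The following is an added example, not code from the page or from AWS: it evaluates a response in the `DescribeDBInstances` shape. `SAMPLE_RESPONSE` is constructed data, and the optional live fetch assumes `boto3` is installed and AWS credentials are configured.

```python
"""Posture check for Amazon RDS instances against the criteria in the table.

Added example. The constructed SAMPLE_RESPONSE mimics the DescribeDBInstances
API shape; fetch_live() pulls a real one with boto3 if available (assumption).
"""
from __future__ import annotations

# Constructed sample (not real infrastructure): one hardened, one careless instance.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "Engine": "postgres",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000001",
            "PubliclyAccessible": False,
            "IAMDatabaseAuthenticationEnabled": True,
            "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"],
            "AutoMinorVersionUpgrade": True,
            "DeletionProtection": True,
            "BackupRetentionPeriod": 14,
            "CACertificateIdentifier": "rds-ca-rsa2048-g1",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}],
        },
        {
            "DBInstanceIdentifier": "analytics-dev",
            "Engine": "mysql",
            "StorageEncrypted": False,
            "PubliclyAccessible": True,
            "IAMDatabaseAuthenticationEnabled": False,
            "EnabledCloudwatchLogsExports": [],
            "AutoMinorVersionUpgrade": False,
            "DeletionProtection": False,
            "BackupRetentionPeriod": 0,
            "CACertificateIdentifier": "rds-ca-2019",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb", "Status": "active"}],
        },
    ]
}

# Engines for which IAM database authentication exists.
IAM_AUTH_ENGINES = {"mysql", "mariadb", "postgres"}

# Log types worth publishing to CloudWatch Logs, per engine ("audit" on MySQL/MariaDB
# requires the MariaDB Audit Plugin option group).
WANTED_LOG_EXPORTS = {
    "postgres": {"postgresql"},
    "mysql": {"error", "general", "slowquery", "audit"},
    "mariadb": {"error", "general", "slowquery", "audit"},
}

# CA certificate that expired in 2024; instances still on it need a current CA.
LEGACY_CA = "rds-ca-2019"


def audit_instance(db: dict) -> list[str]:
    """Return finding codes for one DescribeDBInstances entry (empty list = clean)."""
    findings: list[str] = []
    engine = db.get("Engine", "")
    if not db.get("StorageEncrypted"):
        findings.append("NOT_ENCRYPTED_AT_REST")
    if db.get("PubliclyAccessible"):
        findings.append("PUBLICLY_ACCESSIBLE")
    if engine in IAM_AUTH_ENGINES and not db.get("IAMDatabaseAuthenticationEnabled"):
        findings.append("IAM_DB_AUTH_DISABLED")
    if WANTED_LOG_EXPORTS.get(engine, set()) - set(db.get("EnabledCloudwatchLogsExports", [])):
        findings.append("MISSING_LOG_EXPORTS")
    if not db.get("AutoMinorVersionUpgrade"):
        findings.append("AUTO_MINOR_UPGRADE_OFF")
    if not db.get("DeletionProtection"):
        findings.append("DELETION_PROTECTION_OFF")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append("BACKUPS_DISABLED")
    if db.get("CACertificateIdentifier") == LEGACY_CA:
        findings.append("LEGACY_CA_CERT")
    return findings


def audit(response: dict) -> dict[str, list[str]]:
    """Map each instance identifier to its findings."""
    return {db["DBInstanceIdentifier"]: audit_instance(db) for db in response.get("DBInstances", [])}


def fetch_live(region: str) -> dict:
    """Collect every instance in one Region via boto3 (assumes credentials are configured)."""
    import boto3  # optional dependency, imported lazily so the offline path needs nothing
    rds = boto3.client("rds", region_name=region)
    instances: list[dict] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    return {"DBInstances": instances}


if __name__ == "__main__":
    import sys
    data = fetch_live(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for name, findings in audit(data).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Run it without arguments to audit the constructed sample, or with a Region name to audit real instances. Whether an encrypted instance uses a customer managed key or the AWS managed `aws/rds` key is not visible in this response; resolving `KmsKeyId` with the KMS `DescribeKey` call answers that.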
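The audit-logging and cross-Region rows say that CloudTrail records every control-plane change and that data leaves a Region only through explicit API actions. The detection logic below, an added example that is not part of the page or any AWS product, turns that into rules over CloudTrail records: public endpoint enabled, snapshot shared with `all`, snapshot copy or replica created outside the approved Regions, log exports disabled, and deletion without a final snapshot. The events are constructed samples in CloudTrail's record shape (request parameters are lower-camel-cased as CloudTrail does, e.g. `dBInstanceIdentifier`); the approved-Region set and account id are assumptions.

```python
"""Rule-based detection over Amazon RDS CloudTrail records (added example)."""
from __future__ import annotations

ACCOUNT = "111111111111"                 # assumption: fictitious account id
ALLOWED_REGIONS = frozenset({"eu-west-1"})  # assumption: approved data-residency Regions


def _ev(name: str, region: str, params: dict,
        actor: str = f"arn:aws:iam::{ACCOUNT}:user/alice") -> dict:
    """Build a minimal CloudTrail record (constructed sample, not a real log line)."""
    return {
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": name,
        "awsRegion": region,
        "userIdentity": {"arn": actor},
        "requestParameters": params,
    }


SAMPLE_EVENTS = [
    _ev("DescribeDBInstances", "eu-west-1", {}),
    _ev("ModifyDBInstance", "eu-west-1",
        {"dBInstanceIdentifier": "orders-prod", "backupRetentionPeriod": 14}),
    _ev("ModifyDBInstance", "eu-west-1",
        {"dBInstanceIdentifier": "orders-prod", "publiclyAccessible": True}),
    _ev("ModifyDBSnapshotAttribute", "eu-west-1",
        {"dBSnapshotIdentifier": "orders-prod-2024-05-01",
         "attributeName": "restore", "valuesToAdd": ["all"]}),
    _ev("CopyDBSnapshot", "us-east-1",
        {"sourceDBSnapshotIdentifier":
             f"arn:aws:rds:eu-west-1:{ACCOUNT}:snapshot:orders-prod-2024-05-01",
         "targetDBSnapshotIdentifier": "orders-prod-copy", "sourceRegion": "eu-west-1"}),
    _ev("CreateDBInstanceReadReplica", "ap-southeast-1",
        {"dBInstanceIdentifier": "orders-replica",
         "sourceDBInstanceIdentifier": f"arn:aws:rds:eu-west-1:{ACCOUNT}:db:orders-prod"}),
    _ev("ModifyDBInstance", "eu-west-1",
        {"dBInstanceIdentifier": "orders-prod",
         "cloudwatchLogsExportConfiguration": {"disableLogTypes": ["postgresql"]}}),
    _ev("DeleteDBInstance", "eu-west-1",
        {"dBInstanceIdentifier": "orders-prod", "skipFinalSnapshot": True},
        actor=f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-42"),
]

# Request-parameter keys that name the affected resource, in preference order.
TARGET_KEYS = ("dBInstanceIdentifier", "dBSnapshotIdentifier",
               "targetDBSnapshotIdentifier", "dBClusterSnapshotIdentifier")


def classify(ev: dict, allowed_regions: frozenset[str] | set[str]) -> str | None:
    """Return the rule an event violates, or None for benign events."""
    name = ev.get("eventName", "")
    p = ev.get("requestParameters") or {}
    region = ev.get("awsRegion")
    if name in ("CreateDBInstance", "ModifyDBInstance") and p.get("publiclyAccessible") is True:
        return "PUBLIC_ENDPOINT_ENABLED"
    if name in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute") \
            and p.get("attributeName") == "restore" and "all" in (p.get("valuesToAdd") or []):
        return "SNAPSHOT_SHARED_PUBLICLY"
    # Any action that materialises data (create, copy, restore, export) in an unapproved Region.
    if (name.startswith(("Create", "Copy", "Restore")) or name == "StartExportTask") \
            and region not in allowed_regions:
        return "DATA_OUTSIDE_APPROVED_REGIONS"
    if name == "ModifyDBInstance" \
            and (p.get("cloudwatchLogsExportConfiguration") or {}).get("disableLogTypes"):
        return "LOG_EXPORT_DISABLED"
    if name == "DeleteDBInstance" and p.get("skipFinalSnapshot") is True:
        return "DELETE_WITHOUT_FINAL_SNAPSHOT"
    return None


def detect(events: list[dict], allowed_regions=ALLOWED_REGIONS) -> list[dict]:
    """Run every rule over a list of CloudTrail records and return structured findings."""
    findings = []
    for ev in events:
        rule = classify(ev, allowed_regions)
        if rule is None:
            continue
        p = ev.get("requestParameters") or {}
        findings.append({
            "rule": rule,
            "eventName": ev.get("eventName"),
            "region": ev.get("awsRegion"),
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
            "target": next((p[k] for k in TARGET_KEYS if k in p), "?"),
            "time": ev.get("eventTime"),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']:30} {f['eventName']:28} {f['region']:15} "
              f"{f['target']:28} by {f['actor']}")
```

In production the records would come from a CloudTrail Lake query, an EventBridge rule on `rds.amazonaws.com` events, or the S3 trail files; the rules are the same. Records with an `errorCode` (denied attempts) are still worth keeping, since a failed `ModifyDBSnapshotAttribute` with `all` is itself a signal.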