Metadata-Version: 2.4
Name: rds-security-scanner
Version: 1.0.0
Summary: A comprehensive AWS RDS / Aurora security scanner with multi-framework compliance mapping
Author-email: Toc Consulting <tarek@tocconsulting.fr>
License-Expression: MIT
Project-URL: Homepage, https://github.com/TocConsulting/rds-security-scanner
Project-URL: Documentation, https://github.com/TocConsulting/rds-security-scanner#readme
Project-URL: Repository, https://github.com/TocConsulting/rds-security-scanner
Project-URL: Issues, https://github.com/TocConsulting/rds-security-scanner/issues
Keywords: aws,rds,aurora,security,compliance,scanner,cloud,audit,database
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: System Administrators
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Operating System :: OS Independent
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: boto3>=1.28.0
Requires-Dist: botocore>=1.31.0
Requires-Dist: rich>=13.0.0
Requires-Dist: click>=8.1.0
Requires-Dist: jinja2>=3.1.6
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Requires-Dist: pytest-cov>=4.0; extra == "dev"
Requires-Dist: black>=23.0; extra == "dev"
Requires-Dist: flake8>=6.0; extra == "dev"
Requires-Dist: mypy>=1.0; extra == "dev"
Requires-Dist: pre-commit>=3.0; extra == "dev"
Dynamic: license-file

<p align="center">
  <img src="https://raw.githubusercontent.com/TocConsulting/rds-security-scanner/main/assets/rds-security-scanner-logo.png" alt="RDS Security Scanner" style="max-width: 100%; height: auto;">
</p>

<p align="center">
  <a href="https://pypi.org/project/rds-security-scanner/"><img src="https://img.shields.io/pypi/v/rds-security-scanner.svg" alt="PyPI version"></a>
  <a href="https://pepy.tech/project/rds-security-scanner"><img src="https://static.pepy.tech/badge/rds-security-scanner" alt="Downloads"></a>
  <a href="https://hub.docker.com/r/tarekcheikh/rds-security-scanner"><img src="https://img.shields.io/docker/v/tarekcheikh/rds-security-scanner?label=docker&logo=docker" alt="Docker"></a>
  <a href="https://hub.docker.com/r/tarekcheikh/rds-security-scanner"><img src="https://img.shields.io/docker/pulls/tarekcheikh/rds-security-scanner" alt="Docker Pulls"></a>
  <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-brightgreen.svg" alt="License: MIT"></a>
  <a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/python-3.11+-blue.svg" alt="Python"></a>
  <a href="https://aws.amazon.com/rds/"><img src="https://img.shields.io/badge/AWS-RDS%20%2F%20Aurora-orange.svg" alt="AWS"></a>
</p>

A comprehensive, production-ready AWS RDS / Aurora security scanner with multi-framework compliance mapping. It audits RDS instances, Aurora clusters, database snapshots, and account-level database settings for security weaknesses and compliance violations, mapping each finding to CIS, AWS FSBP, PCI DSS, HIPAA, SOC 2, ISO 27001/27017/27018, GDPR and NIST 800-53.

## Features

- **53 security checks** across 7 categories
- **10 compliance frameworks** with 201 controls
- **Four-tier scanning**: Account -> Standalone Instance -> Aurora Cluster -> Aurora Member
- **Aurora-aware**: Handles Aurora clusters and member instances separately to prevent double-counting
- **Engine-specific**: Adapts checks for MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora variants
- **Multi-format reports**: JSON, CSV, HTML dashboard, compliance JSON
- **Parallel scanning** with configurable thread pool
- **Fail-closed defaults**: Missing data assumes the worst
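The four-tier split described in the feature list, as an added example that is not code from the rds-security-scanner project. `DescribeDBInstances` also returns Aurora member instances, each carrying the `DBClusterIdentifier` of its cluster, so a scanner that treats every instance as standalone evaluates cluster-level settings once per member. The records below are constructed with the field names boto3 returns; the tier names, the plan format and the choice to scan an unmatched member as a plain instance are this example's own assumptions.

```python
"""Added example (not the project's code): Account -> Standalone Instance ->
Aurora Cluster -> Aurora Member partitioning, so cluster settings are not
double-counted across members.
"""
from collections import OrderedDict


def partition_resources(instances, clusters):
    """Split describe_db_instances / describe_db_clusters results into tiers.

    Returns standalone instances, clusters with their member instances, and
    instances that reference a cluster missing from `clusters` (kept so they
    are never silently dropped).
    """
    by_cluster = OrderedDict(
        (c["DBClusterIdentifier"], {"cluster": c, "members": []}) for c in clusters
    )
    standalone, unmatched = [], []
    for inst in instances:
        cid = inst.get("DBClusterIdentifier")
        if cid is None:
            standalone.append(inst)           # plain RDS instance
        elif cid in by_cluster:
            by_cluster[cid]["members"].append(inst)  # Aurora member
        else:
            unmatched.append(inst)            # member of a cluster we did not list
    return {"standalone": standalone, "clusters": by_cluster, "unmatched": unmatched}


def scan_plan(account_id, instances, clusters):
    """Ordered (tier, identifier) pairs: account, standalone, cluster, member."""
    parts = partition_resources(instances, clusters)
    plan = [("account", account_id)]
    plan += [("instance", i["DBInstanceIdentifier"]) for i in parts["standalone"]]
    # Assumption: a member whose cluster could not be listed is still scanned,
    # as an instance, rather than skipped (fail-closed).
    plan += [("instance", i["DBInstanceIdentifier"]) for i in parts["unmatched"]]
    for cid, entry in parts["clusters"].items():
        plan.append(("cluster", cid))
        plan += [("member", m["DBInstanceIdentifier"]) for m in entry["members"]]
    return plan


# Constructed sample, shaped like boto3 describe_db_instances / describe_db_clusters output.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "postgres"},
    {"DBInstanceIdentifier": "billing-writer", "Engine": "aurora-mysql",
     "DBClusterIdentifier": "billing-cluster"},
    {"DBInstanceIdentifier": "billing-reader", "Engine": "aurora-mysql",
     "DBClusterIdentifier": "billing-cluster"},
    {"DBInstanceIdentifier": "legacy-member", "Engine": "aurora-postgresql",
     "DBClusterIdentifier": "cluster-not-returned"},
]
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "billing-cluster", "Engine": "aurora-mysql",
     "DBClusterMembers": [
         {"DBInstanceIdentifier": "billing-writer", "IsClusterWriter": True},
         {"DBInstanceIdentifier": "billing-reader", "IsClusterWriter": False},
     ]},
]

if __name__ == "__main__":
    # "123456789012" is a placeholder account id.
    for tier, ident in scan_plan("123456789012", SAMPLE_INSTANCES, SAMPLE_CLUSTERS):
        print(f"{tier:8} {ident}")
```

With this split, a cluster-level check such as backtrack or cluster deletion protection runs once under the `cluster` tier, while per-member checks (instance class, Enhanced Monitoring) run under `member`.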

## Security Checks

| Category | Checks | Examples |
|----------|--------|---------|
| **A. Encryption** | 8 | Storage encryption, SSL/TLS enforcement, KMS CMK, CA certificates |
| **B. Network & Access** | 10 | Public access, security groups, IAM auth, snapshot sharing |
| **C. Logging & Monitoring** | 10 | CloudWatch Logs, Enhanced Monitoring, Performance Insights, event subscriptions |
| **D. Backup & Recovery** | 9 | Retention period, deletion protection, Multi-AZ, backtrack |
| **E. Maintenance** | 3 | Auto minor version upgrade, pending maintenance |
| **F. Configuration** | 6 | Default parameter groups, Secrets Manager, VPC, RDS Proxy |
| **G. Tagging** | 7 | Instance, cluster, snapshot, subnet group, parameter group tags |

See [security-checks.md](security-checks.md) for the full check catalog.

## Compliance Frameworks

| Framework | Controls |
|-----------|----------|
| AWS Foundational Security Best Practices | 45 |
| CIS-Based RDS Hardening Baseline | 20 |
| PCI DSS v4.0.1 | 15 |
| HIPAA Security Rule (§164) | 17 |
| SOC 2 (AICPA TSC 2017) | 18 |
| ISO 27001:2022 | 20 |
| ISO 27017:2015 | 12 |
| ISO 27018:2019 (conceptual mapping) | 10 |
| GDPR (EU 2016/679) | 13 |
| NIST 800-53 Rev 5 | 31 |

See [compliance.md](compliance.md) for the full mapping.

## Quick Start

### Installation

```bash
pip install .
```

### Basic Usage

```bash
# Scan all RDS resources in us-east-1
rds-security-scanner security

# Use a specific AWS profile and region
rds-security-scanner security -p production -r eu-west-1

# Scan specific instances
rds-security-scanner security -i my-database

# Scan specific Aurora clusters
rds-security-scanner security -c my-aurora-cluster

# HTML report only
rds-security-scanner security -f html -o ./reports

# Compliance-focused output
rds-security-scanner security --compliance-only

# Parallel workers and debug mode
rds-security-scanner security -w 10 -d
```

### Docker

```bash
docker build -t rds-security-scanner .

docker run --rm \
  -v ~/.aws:/root/.aws:ro \
  -v "$(pwd)/output:/app/output" \
  rds-security-scanner security -r us-east-1
```

## Output Formats

| Format | File | Description |
|--------|------|-------------|
| JSON | `rds_scan_{region}_{timestamp}.json` | Full results with summary |
| CSV | `rds_scan_{region}_{timestamp}.csv` | Flattened per-resource rows |
| HTML | `rds_scan_{region}_{timestamp}.html` | Interactive dashboard with charts |
| Compliance | `rds_compliance_{region}_{timestamp}.json` | Per-framework breakdown |

## Scoring

Each resource starts at 100 points. Deductions are applied per failed check:

| Severity | Deduction | Example Checks |
|----------|-----------|----------------|
| CRITICAL | -20 | Encryption disabled, publicly accessible, public snapshots |
| HIGH | -10 to -15 | SSL not enforced, no backups, no Multi-AZ, SG unrestricted |
| MEDIUM | -5 to -8 | Default port, no CMK, no Performance Insights, default params |
| LOW | -2 to -3 | Missing tags, copy-tags-to-snapshot disabled |

The resulting score is clamped to a minimum of 0, so a resource with many failed checks never goes negative.
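The per-resource scoring the table above describes, as an added example and not the project's own scoring code: start at 100, deduct per failed check according to its severity band, clamp at 0. The severity bands are taken from the table; the check ids, their descriptions and the deductions in the sample findings are constructed for illustration (the real catalog is in security-checks.md).

```python
"""Added example (not the project's code): severity-banded deductions from a
starting score of 100, clamped so the score never drops below 0.
"""
from dataclasses import dataclass

# Deduction band per severity, from the README's scoring table.
DEDUCTION_BANDS = {
    "CRITICAL": (20, 20),
    "HIGH": (10, 15),
    "MEDIUM": (5, 8),
    "LOW": (2, 3),
}


def is_valid_deduction(severity, deduction):
    """True when `deduction` lies inside the band for `severity`."""
    band = DEDUCTION_BANDS.get(severity)
    return band is not None and band[0] <= deduction <= band[1]


@dataclass(frozen=True)
class Finding:
    check_id: str   # constructed ids below; not the project's catalog
    severity: str
    deduction: int  # points removed when the check fails
    passed: bool

    def __post_init__(self):
        # Reject a deduction outside its severity band so a mislabelled check
        # cannot silently over- or under-penalise a resource.
        if not is_valid_deduction(self.severity, self.deduction):
            raise ValueError(
                f"{self.check_id}: {self.deduction} is outside the "
                f"{self.severity} band {DEDUCTION_BANDS.get(self.severity)}"
            )


def score_resource(findings):
    """Clamped score: 100 minus the deductions of all failed checks, never below 0."""
    return max(0, 100 - sum(f.deduction for f in findings if not f.passed))


def score_breakdown(findings):
    """Score plus the unclamped raw value and per-severity totals, for reporting."""
    by_severity = {sev: 0 for sev in DEDUCTION_BANDS}
    for f in findings:
        if not f.passed:
            by_severity[f.severity] += f.deduction
    raw = 100 - sum(by_severity.values())
    return {"score": max(0, raw), "raw": raw, "deductions": by_severity}


# Constructed sample: one resource with a mix of passed and failed checks.
SAMPLE_FINDINGS = [
    Finding("A.1", "CRITICAL", 20, passed=False),  # e.g. storage encryption disabled
    Finding("B.1", "CRITICAL", 20, passed=True),   # e.g. not publicly accessible
    Finding("A.2", "HIGH", 15, passed=False),      # e.g. SSL/TLS not enforced
    Finding("D.1", "HIGH", 10, passed=False),      # e.g. no automated backups
    Finding("C.3", "MEDIUM", 5, passed=False),     # e.g. Performance Insights off
    Finding("G.1", "LOW", 2, passed=False),        # e.g. missing tags
]

# Constructed worst case: enough CRITICAL failures to drive the raw score negative.
WORST_CASE = [Finding(f"X.{n}", "CRITICAL", 20, passed=False) for n in range(6)]

if __name__ == "__main__":
    print(score_breakdown(SAMPLE_FINDINGS))  # score 48
    print(score_breakdown(WORST_CASE))       # raw -20, clamped to 0
```

Keeping the unclamped `raw` value alongside the clamped score is useful in reports: two resources can both show 0 while one is far worse than the other.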

## IAM Permissions

The scanner needs only read-only access. The minimum IAM policy is:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeDBProxies",
                "rds:DescribeOptionGroups",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:ListTagsForResource",
                "ec2:DescribeSecurityGroups",
                "kms:DescribeKey",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
```

> `kms:DescribeKey` is used by check **A.7 (CMK usage)** to reliably
> distinguish customer-managed keys from AWS-managed keys (`KeyManager`
> property). If you cannot grant it, the scanner falls back to the
> `StorageEncryptionType` heuristic and the result will be reported as
> "unknown" for resources encrypted with a non-default KMS key whose
> `KeyManager` cannot be inspected.
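A CMK determination in the spirit of check A.7, with the permission fallback described in the note above, as an added example that is not the project's own implementation. `KeyManager` from `kms:DescribeKey` is authoritative (`CUSTOMER` vs `AWS`). When that call is denied, the key is classified from the resource's `KmsKeyId` alone: the AWS-managed RDS alias `alias/aws/rds` counts as a failure, and anything else is reported UNKNOWN rather than PASS. That fallback rule, the `FakeKms` client and the sample key ARNs are this example's assumptions; the project's own `StorageEncryptionType` heuristic is not shown on this page.

```python
"""Added example (not the project's code): customer-managed key check with a
fallback that reports UNKNOWN, not PASS, when kms:DescribeKey is denied.
"""
try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: minimal stand-in with the same shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name

AWS_MANAGED_RDS_ALIAS = "alias/aws/rds"       # AWS-managed default key alias for RDS
DENIED_CODES = {"AccessDeniedException", "AccessDenied"}


def classify_cmk(resource, kms):
    """Return (result, reason) for one instance or cluster record.

    `resource` needs StorageEncrypted and KmsKeyId as returned by
    describe_db_instances / describe_db_clusters; `kms` needs describe_key().
    """
    if not resource.get("StorageEncrypted"):
        return "FAIL", "storage encryption disabled"
    key_id = resource.get("KmsKeyId")
    if not key_id:
        return "FAIL", "encrypted but KmsKeyId missing (fail-closed)"
    try:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except ClientError as exc:
        if exc.response.get("Error", {}).get("Code") not in DENIED_CODES:
            raise  # anything other than a permission problem is a real error
        # Fallback heuristic (assumption): only the AWS-managed alias is
        # recognisable from the key id; everything else stays UNKNOWN.
        if AWS_MANAGED_RDS_ALIAS in key_id:
            return "FAIL", "AWS-managed default key (KmsKeyId heuristic)"
        return "UNKNOWN", "kms:DescribeKey denied; non-default key not classifiable"
    manager = meta.get("KeyManager")
    if manager == "CUSTOMER":
        return "PASS", "customer-managed key"
    if manager == "AWS":
        return "FAIL", "AWS-managed key"
    return "FAIL", f"KeyManager missing or unexpected ({manager!r}); assuming the worst"


class FakeKms:
    """Constructed stand-in for boto3's KMS client; only describe_key is modelled."""

    def __init__(self, key_managers, deny=False):
        self._key_managers = key_managers
        self._deny = deny

    def describe_key(self, KeyId):
        if self._deny:
            raise ClientError(
                {"Error": {"Code": "AccessDeniedException", "Message": "not authorized"}},
                "DescribeKey",
            )
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": self._key_managers[KeyId]}}


# Constructed sample key ids (placeholder account id) and resource records.
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
KMS_ALLOWED = FakeKms({CMK_ARN: "CUSTOMER", AWS_KEY_ARN: "AWS"})
KMS_DENIED = FakeKms({}, deny=True)

ENCRYPTED_CMK = {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": CMK_ARN}
ENCRYPTED_AWS = {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": True, "KmsKeyId": AWS_KEY_ARN}
ENCRYPTED_ALIAS = {"DBInstanceIdentifier": "alias-db", "StorageEncrypted": True, "KmsKeyId": AWS_MANAGED_RDS_ALIAS}
UNENCRYPTED = {"DBInstanceIdentifier": "dev-db", "StorageEncrypted": False}

if __name__ == "__main__":
    for res in (ENCRYPTED_CMK, ENCRYPTED_AWS, ENCRYPTED_ALIAS, UNENCRYPTED):
        print(res["DBInstanceIdentifier"], "with kms:DescribeKey:", classify_cmk(res, KMS_ALLOWED))
        print(res["DBInstanceIdentifier"], "without:", classify_cmk(res, KMS_DENIED))
```

The point to carry over to any reimplementation: a denied `DescribeKey` must never be turned into a PASS. Report it as UNKNOWN so the compliance roll-up shows the gap, and grant `kms:DescribeKey` to remove it.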

## Development

```bash
# Create virtual environment
python -m venv venv
source venv/bin/activate

# Install with dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# Run with coverage
pytest tests/ --cov=rds_security_scanner --cov-report=term-missing

# Format code
black rds_security_scanner/ tests/

# Lint
flake8 rds_security_scanner/ tests/
```

## Architecture

```
rds-security-scanner/
├── rds_security_scanner/
│   ├── __init__.py          # Package metadata
│   ├── cli.py               # Click CLI with shared option decorators
│   ├── scanner.py           # Main orchestrator (4-tier architecture)
│   ├── compliance.py        # 10 frameworks, 201 lambda-based controls
│   ├── utils.py             # Scoring, logging, utilities
│   ├── html_reporter.py     # Jinja2 HTML dashboard generator
│   ├── checks/
│   │   ├── base.py          # BaseChecker with thread-safe session factory
│   │   ├── encryption.py    # Checks A.1-A.8
│   │   ├── network_access.py # Checks B.1-B.10
│   │   ├── logging_monitoring.py # Checks C.1-C.10
│   │   ├── backup_recovery.py # Checks D.1-D.9
│   │   ├── maintenance.py   # Checks E.1-E.3
│   │   ├── configuration.py # Checks F.1-F.6
│   │   └── tagging.py       # Checks G.1-G.7
│   └── templates/
│       └── report.html      # HTML report template
└── tests/                   # 12 test files, 154 tests
```

## License

MIT License - see [LICENSE](LICENSE) for details.

## Author

**Toc Consulting** - [tarek@tocconsulting.fr](mailto:tarek@tocconsulting.fr)
