GuardDuty RDS Protection

RDS Protection in Amazon GuardDuty analyzes and profiles RDS login activity for potential access threats to your Amazon Aurora databases (Amazon Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition) and Amazon RDS for PostgreSQL.

RDS Protection helps you identify potentially suspicious login behavior on these supported databases. GuardDuty continuously monitors and profiles RDS login activity for anomalous activity, for example a previously unseen external actor gaining unauthorized access to your database, or an adversary attempting brute-force access by guessing the database's password.

With the launch of Amazon Aurora PostgreSQL Limitless Database, GuardDuty expands RDS Protection to now also support monitoring login activity from Limitless Databases. For AWS accounts that have already enabled RDS Protection, GuardDuty will automatically start monitoring login data from their Limitless Databases. For accounts that have not yet enabled RDS Protection, you can learn more about the 30-day free trial and choose to enable this feature. To enable this feature, see Enabling RDS Protection in multiple-account environments or Enabling RDS Protection for a standalone account.

RDS Protection doesn't require additional infrastructure; it is designed so as not to affect the performance of your database instances. When RDS Protection detects a potentially suspicious or anomalous login attempt, GuardDuty generates one or more RDS Protection finding types with details about the potentially compromised database.

30-day free trial
  • When you enable GuardDuty in an AWS account in a new Region for the first time, you get a 30-day free trial. In this case, GuardDuty will also enable RDS Protection, which is included in the free trial. RDS Protection will start monitoring the login behavior of the

  • When you are already using GuardDuty and decide to enable RDS Protection in a new Region for the first time, your account in this Region will get a 30-day free trial for RDS Protection.

  • If you have already enabled RDS Protection, then with the launch of Amazon Aurora PostgreSQL Limitless Database, GuardDuty will automatically start monitoring login activity for the Limitless Databases. If your RDS Protection 30-day free trial has expired already, then you will start incurring usage costs related to monitoring of Limitless Databases.

  • You can choose to disable RDS Protection at any time. If there are free trial days left in your account in a Region, you can use them if you ever choose to enable RDS Protection in the same Region again.

  • During the 30-day free trial, you can get an estimate of your usage costs in that account and Region. After the 30-day free trial ends, RDS Protection doesn't get disabled automatically. Your account in this Region will start incurring usage cost. For more information, see Estimating GuardDuty usage cost.

When the RDS Protection feature is not enabled, GuardDuty doesn't detect anomalous or suspicious login behavior. If you disable RDS Protection, GuardDuty immediately stops monitoring RDS login activity, and will not detect any potential threat to your supported database instances or generate associated finding types.

For AWS Regions where Aurora PostgreSQL Limitless Databases are supported, see Requirements for Aurora PostgreSQL Limitless Database.

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

The following table shows the supported Aurora and Amazon RDS database versions for RDS Protection.

Amazon Aurora and Amazon RDS DB engine         Supported engine versions
Aurora MySQL                                   2.10.2 or later; 3.02.1 or later
Aurora PostgreSQL                              10.17 or later; 11.12 or later; 12.7 or later; 13.3 or later; 14.3 or later; 15.2 or later; 16.1 or later
RDS for PostgreSQL
Amazon Aurora PostgreSQL Limitless Database    16.4-limitless
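As an added example that is not part of the GuardDuty documentation, the following Python encodes the table above as per-major-line minimum releases and classifies a constructed database inventory as supported, below the listed minimum, or not listed. The row names, the reading of "or later" as "at or above that release within the same major line", and the sample identifiers and versions are assumptions made for the example.

```python
from __future__ import annotations

# Transcribed from the supported-versions table on this page. Each value is the
# minimum release of one major line; "or later" is read here as "at or above
# that minimum within the same major line" (an assumption about the table).
SUPPORTED_MINIMUMS: dict[str, list[str]] = {
    "Aurora MySQL": ["2.10.2", "3.02.1"],
    "Aurora PostgreSQL": ["10.17", "11.12", "12.7", "13.3", "14.3", "15.2", "16.1"],
    "RDS for PostgreSQL": [],  # the page lists no versions for this row
    "Amazon Aurora PostgreSQL Limitless Database": ["16.4-limitless"],
}


def parse_version(version: str) -> tuple[int, ...]:
    """'3.02.1' -> (3, 2, 1); a suffix such as '-limitless' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def coverage(engine: str, version: str) -> str:
    """Return 'supported', 'below_minimum' or 'not_listed' for one database.

    'not_listed' covers unknown engines, major lines absent from the table, and
    a Limitless version checked against a non-Limitless row (or vice versa),
    because the table keeps Limitless on its own row.
    """
    if version.endswith("-limitless") != ("Limitless" in engine):
        return "not_listed"
    candidate = parse_version(version)
    for minimum in SUPPORTED_MINIMUMS.get(engine, []):
        floor = parse_version(minimum)
        if candidate[0] == floor[0]:  # same major line as this table entry
            return "supported" if candidate >= floor else "below_minimum"
    return "not_listed"


def audit(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map each DB identifier in an inventory to its coverage classification."""
    return {db_id: coverage(engine, ver) for db_id, engine, ver in inventory}


# Constructed sample inventory (identifiers and versions are made up).
SAMPLE_INVENTORY = [
    ("orders-aurora-mysql", "Aurora MySQL", "3.04.0"),
    ("legacy-aurora-mysql", "Aurora MySQL", "2.09.3"),
    ("billing-aurora-pg", "Aurora PostgreSQL", "14.9"),
    ("reports-aurora-pg", "Aurora PostgreSQL", "12.4"),
    ("shard-limitless", "Amazon Aurora PostgreSQL Limitless Database", "16.4-limitless"),
    ("analytics-rds-pg", "RDS for PostgreSQL", "15.4"),
]

if __name__ == "__main__":
    for db_id, status in audit(SAMPLE_INVENTORY).items():
        print(f"{db_id:22} {status}")
```

Databases reported as below_minimum or not_listed are the ones whose login activity this page gives no assurance GuardDuty will profile, so they need a separate control or an engine upgrade.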

RDS login activity

When you enable the RDS Protection feature, GuardDuty automatically starts monitoring RDS login activity for your databases, directly from the Aurora and Amazon RDS services. RDS login activity captures both successful and failed login attempts made to the Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases in your AWS environment. If there is an indication of anomalous login behavior, GuardDuty generates a finding with details about the potentially compromised database. When you enable RDS Protection for the first time or you have a newly created database instance, there is a learning period to baseline normal behavior. For this reason, newly enabled or newly created database instances may not have an associated anomalous login finding for up to two weeks.

When RDS Protection detects a potential threat, such as an unusual pattern in a series of successful, failed, or incomplete login attempts, GuardDuty generates one or more RDS Protection finding types. Based on the finding type, it may include details about the anomalous behavior, such as RDS login activity-based anomalies.

GuardDuty doesn't manage your Supported databases or RDS login activity, or make RDS login activity available to you.