RDS Enhanced: Comprehensive Database Drift Detection with 31 CloudTrail Events
TFDrift-Falco v0.3.0 development adds comprehensive RDS support with 31 CloudTrail events covering DB instances, clusters, snapshots, parameter groups, subnet groups, and option groups. Now at 169 events (85% of target).
We're excited to announce comprehensive RDS (Relational Database Service) support for TFDrift-Falco! This update brings our CloudTrail event coverage from 164 to 169 events, achieving 85% of our v0.3.0 target.
What's New
🗃️ RDS Enhanced (31 Events Total)
Complete database drift detection across all RDS resource types:
DB Instances (8 Events)
- CreateDBInstance, DeleteDBInstance
- ModifyDBInstance, RebootDBInstance
- StartDBInstance, StopDBInstance
- ModifyDBInstanceAttribute
- CreateDBInstanceReadReplica
DB Clusters - Aurora (12 Events)
- CreateDBCluster, DeleteDBCluster, ModifyDBCluster
- StartDBCluster, StopDBCluster, FailoverDBCluster
- AddRoleToDBCluster, RemoveRoleFromDBCluster
- ModifyDBClusterEndpoint, CreateDBClusterEndpoint, DeleteDBClusterEndpoint
- ModifyGlobalCluster
Snapshots (5 Events)
- CreateDBSnapshot, DeleteDBSnapshot
- ModifyDBSnapshotAttribute
- CreateDBClusterSnapshot, DeleteDBClusterSnapshot
Parameter Groups (3 Events)
- CreateDBParameterGroup, DeleteDBParameterGroup
- ModifyDBParameterGroup
Subnet Groups (3 Events)
- CreateDBSubnetGroup, DeleteDBSubnetGroup
- ModifyDBSubnetGroup
Restore Operations (3 Events)
- RestoreDBInstanceFromDBSnapshot
- RestoreDBInstanceToPointInTime
- RestoreDBClusterFromSnapshot
Option Groups (3 Events)
- CreateOptionGroup, DeleteOptionGroup
- ModifyOptionGroup
Coverage Progress
| Metric | Value |
|---|---|
| Total Events | 169 |
| Target (v0.3.0) | 198 |
| Progress | 85% |
| AWS Services | 16 |
Service Rankings
RDS now ranks #2 in event coverage:
1. VPC/Networking - 33 events
2. RDS - 31 events 🆕
3. EC2 - 17 events
4. ELB/ALB - 15 events
Why RDS Drift Detection Matters
Security Risks
Manual database changes can introduce critical security vulnerabilities:
- Public Access Exposure: publiclyAccessible flag modified via console
- Encryption Disabled: Storage encryption turned off on existing instances
- Backup Deletion: Critical snapshots deleted, bypassing retention policies
- Network Isolation Breach: Subnet groups modified to allow public access
Compliance Requirements
Many compliance frameworks require:
- Audit trail of all database configuration changes
- Automated detection of unauthorized modifications
- Immutable infrastructure (IaC-only changes)
Cost Management
Untracked database changes impact costs:
- Instance type upgrades (db.t3.micro → db.r6g.xlarge)
- Read replica creation without approval
- Storage expansion without capacity planning
- Multi-AZ enablement without budget approval
Use Cases
Critical Security Event: Public Access Detection
Detect when someone exposes a database to the internet:
```yaml
- rule: RDS Instance Made Public
  desc: Detect when RDS instance is made publicly accessible
  condition: >
    ct.name="ModifyDBInstanceAttribute" and
    ct.request.publiclyAccessible="true"
  output: >
    Critical: RDS instance exposed to public internet
    (user=%ct.user instance=%ct.request.dBInstanceIdentifier
    region=%ct.region account=%ct.account)
  priority: CRITICAL
  source: aws_cloudtrail
  tags: [terraform, drift, rds, security, critical]
```
Parameter Group Configuration Drift
Track database parameter changes:
```yaml
- rule: RDS Parameter Group Modified
  desc: Detect RDS parameter group configuration changes
  condition: ct.name="ModifyDBParameterGroup"
  output: >
    RDS parameter group modified
    (user=%ct.user group=%ct.request.dBParameterGroupName
    region=%ct.region)
  priority: WARNING
  source: aws_cloudtrail
  tags: [terraform, drift, rds, configuration]
```
Snapshot Deletion Tracking
Monitor backup integrity:
```yaml
- rule: RDS Snapshot Deleted
  desc: Detect RDS snapshot deletion for audit trail
  condition: ct.name="DeleteDBSnapshot"
  output: >
    RDS snapshot deleted - verify retention policy compliance
    (user=%ct.user snapshot=%ct.request.dBSnapshotIdentifier
    region=%ct.region)
  priority: HIGH
  source: aws_cloudtrail
  tags: [terraform, drift, rds, backup, compliance]
```
Read Replica Creation
Track replication for cost and data governance:
```yaml
- rule: RDS Read Replica Created
  desc: Detect read replica creation for cost tracking
  condition: ct.name="CreateDBInstanceReadReplica"
  output: >
    RDS read replica created - review capacity plan
    (user=%ct.user source=%ct.request.sourceDBInstanceIdentifier
    replica=%ct.request.dBInstanceIdentifier region=%ct.region)
  priority: WARNING
  source: aws_cloudtrail
  tags: [terraform, drift, rds, cost, capacity]
```
Subnet Group Modification
Detect network configuration changes:
```yaml
- rule: RDS Subnet Group Modified
  desc: Detect RDS subnet group network changes
  condition: ct.name="ModifyDBSubnetGroup"
  output: >
    RDS subnet group modified - verify network isolation
    (user=%ct.user group=%ct.request.dBSubnetGroupName
    region=%ct.region)
  priority: HIGH
  source: aws_cloudtrail
  tags: [terraform, drift, rds, network, security]
```
Real-World Drift Scenarios
Scenario 1: Emergency Capacity Increase
Incident: During a traffic spike, an engineer manually upgrades a database instance from db.t3.large to db.r6g.2xlarge via AWS Console.
Detection:
```text
[2025-12-14 15:23:45] ALERT Drift Detected: RDS Instance Modified
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Resource: aws_db_instance.production_db
Event:    ModifyDBInstance
Severity: HIGH

Changes:
  dbInstanceClass:  db.t3.large → db.r6g.2xlarge
  allocatedStorage: 100 → 500 (GB)

Context:
  User:   ops-engineer@example.com
  Source: AWS Console
  Region: us-east-1
  Time:   2025-12-14T15:23:40Z

Impact:
  - Monthly cost increase: ~$350 → ~$1,200 (+$850/mo)
  - Storage cost increase: ~$12 → ~$60 (+$48/mo)
  - Total monthly impact: ~$898

Recommendation:
  - Update Terraform configuration if change is permanent
  - Review capacity planning with team
  - Schedule downsize after traffic spike resolves
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
Scenario 2: Unauthorized Snapshot Deletion
Incident: A contractor accidentally deletes a critical production snapshot.
Detection:
```text
[2025-12-14 09:15:22] ALERT Drift Detected: RDS Snapshot Deleted
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Resource: aws_db_snapshot.prod_backup_20251201
Event:    DeleteDBSnapshot
Severity: CRITICAL

Context:
  User:        contractor-user@external.com
  Snapshot ID: prod-db-backup-20251201-final
  Source DB:   production-postgresql-master
  Region:      us-east-1
  Age:         13 days

Compliance Impact:
  - Violates 30-day retention policy
  - Missing required audit snapshot
  - SOC2 compliance violation

Action Required:
  - Verify if snapshot can be recovered
  - Document incident for audit trail
  - Review contractor IAM permissions
  - Update Terraform to prevent deletion protection bypass
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
Scenario 3: Parameter Group Security Change
Incident: SSL enforcement disabled in production parameter group.
Detection:
```text
[2025-12-14 11:45:33] ALERT Drift Detected: Parameter Group Modified
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Resource: aws_db_parameter_group.production_pg
Event:    ModifyDBParameterGroup
Severity: CRITICAL

Changes:
  rds.force_ssl: 1 → 0       (SSL enforcement disabled)
  log_statement: 'all' → 'none' (Query logging disabled)

Context:
  User:   dev-user@example.com
  Group:  production-postgres-13-params
  Region: us-east-1

Security Impact:
  - Database connections no longer encrypted
  - Query audit logging disabled
  - PCI-DSS compliance violation
  - HIPAA compliance violation

Immediate Actions:
  1. Re-enable SSL enforcement immediately
  2. Re-enable query logging
  3. Review all connections made without SSL
  4. Rotate database credentials
  5. Update Terraform and apply
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
Terraform Resource Mappings
Complete mapping of RDS CloudTrail events to Terraform resources:
| CloudTrail Event | Terraform Resource |
|---|---|
| CreateDBInstance, ModifyDBInstance, DeleteDBInstance | aws_db_instance |
| ModifyDBInstanceAttribute | aws_db_instance |
| CreateDBInstanceReadReplica | aws_db_instance (read replica) |
| CreateDBCluster, ModifyDBCluster, DeleteDBCluster | aws_rds_cluster |
| AddRoleToDBCluster, RemoveRoleFromDBCluster | aws_rds_cluster_role_association |
| CreateDBClusterEndpoint, ModifyDBClusterEndpoint | aws_rds_cluster_endpoint |
| ModifyGlobalCluster | aws_rds_global_cluster |
| CreateDBSnapshot, DeleteDBSnapshot | aws_db_snapshot |
| CreateDBClusterSnapshot, DeleteDBClusterSnapshot | aws_db_cluster_snapshot |
| CreateDBParameterGroup, ModifyDBParameterGroup | aws_db_parameter_group |
| CreateDBSubnetGroup, ModifyDBSubnetGroup | aws_db_subnet_group |
| CreateOptionGroup, ModifyOptionGroup, DeleteOptionGroup | aws_db_option_group |
| RestoreDBInstanceFromDBSnapshot | aws_db_instance (restored) |
| RestoreDBInstanceToPointInTime | aws_db_instance (PITR) |
Test Coverage
100% test coverage for all 31 RDS events:
```text
$ go test ./pkg/falco/... -v -run TestMapEventToResourceType
=== RUN   TestMapEventToResourceType
=== RUN   TestMapEventToResourceType/RDS_Instance_Create
=== RUN   TestMapEventToResourceType/RDS_Instance_Modify
=== RUN   TestMapEventToResourceType/RDS_Instance_Attribute_Modify
=== RUN   TestMapEventToResourceType/RDS_Instance_Read_Replica_Create
... (31 RDS tests)
--- PASS: TestMapEventToResourceType (0.00s)
PASS
```
All 31 RDS CloudTrail events now have comprehensive test coverage, ensuring reliable drift detection.
Getting Started
1. Update to Latest Version
```shell
git pull origin main
```
2. Configure RDS Falco Rules
Create rules/rds.yaml:
```yaml
# RDS Security Rules
- rule: RDS Critical Security Change
  desc: Detect critical RDS security configuration changes
  condition: >
    ct.name in (ModifyDBInstanceAttribute, ModifyDBParameterGroup) and
    (ct.request.publiclyAccessible="true" or
     ct.request.storageEncrypted="false" or
     ct.request.deletionProtection="false")
  output: >
    Critical RDS security change detected
    (user=%ct.user event=%ct.name resource=%ct.request.dBInstanceIdentifier
    region=%ct.region account=%ct.account)
  priority: CRITICAL
  source: aws_cloudtrail
  tags: [terraform, drift, rds, security, critical]

# RDS Configuration Drift
- rule: RDS Configuration Drift
  desc: Detect RDS configuration changes
  condition: >
    ct.name in (ModifyDBInstance, ModifyDBCluster, ModifyDBParameterGroup,
                ModifyDBSubnetGroup, ModifyOptionGroup)
  output: >
    RDS configuration modified outside Terraform
    (user=%ct.user event=%ct.name resource=%ct.request.dBInstanceIdentifier
    region=%ct.region)
  priority: WARNING
  source: aws_cloudtrail
  tags: [terraform, drift, rds, configuration]

# RDS Backup Integrity
- rule: RDS Snapshot Deleted
  desc: Track RDS snapshot deletions for compliance
  condition: ct.name in (DeleteDBSnapshot, DeleteDBClusterSnapshot)
  output: >
    RDS snapshot deleted - verify retention policy
    (user=%ct.user snapshot=%ct.request.dBSnapshotIdentifier
    region=%ct.region)
  priority: HIGH
  source: aws_cloudtrail
  tags: [terraform, drift, rds, backup, compliance]

# RDS Cost Impact
- rule: RDS Read Replica Created
  desc: Track read replica creation for cost management
  condition: ct.name="CreateDBInstanceReadReplica"
  output: >
    RDS read replica created - review capacity and cost
    (user=%ct.user source=%ct.request.sourceDBInstanceIdentifier
    replica=%ct.request.dBInstanceIdentifier region=%ct.region)
  priority: WARNING
  source: aws_cloudtrail
  tags: [terraform, drift, rds, cost]
```
3. Test Event Detection
```shell
go test ./pkg/falco/... -v
```
All 169 CloudTrail events (including 31 RDS events) have 100% test coverage!
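To show how the mapping table and the "RDS Critical Security Change" rule in rules/rds.yaml behave when applied to raw CloudTrail records, here is a small Go sketch. It is an added example, not code from the TFDrift-Falco repository; the `RDSEvent` type and both function names are assumptions, and the records fed to it are constructed.

```go
package main

import "encoding/json"

// RDSEvent holds the CloudTrail fields the rules above read as ct.name and ct.request.*.
type RDSEvent struct {
	EventName string                 `json:"eventName"`
	Request   map[string]interface{} `json:"requestParameters"`
}
// resourceEvents restates the mapping table above, keyed by Terraform resource type.
var resourceEvents = map[string][]string{
	"aws_db_instance": {"CreateDBInstance", "ModifyDBInstance", "DeleteDBInstance", "ModifyDBInstanceAttribute",
		"CreateDBInstanceReadReplica", "RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceToPointInTime"},
	"aws_rds_cluster":                  {"CreateDBCluster", "ModifyDBCluster", "DeleteDBCluster"},
	"aws_rds_cluster_role_association": {"AddRoleToDBCluster", "RemoveRoleFromDBCluster"},
	"aws_rds_cluster_endpoint":         {"CreateDBClusterEndpoint", "ModifyDBClusterEndpoint"},
	"aws_rds_global_cluster":           {"ModifyGlobalCluster"},
	"aws_db_snapshot":                  {"CreateDBSnapshot", "DeleteDBSnapshot"},
	"aws_db_cluster_snapshot":          {"CreateDBClusterSnapshot", "DeleteDBClusterSnapshot"},
	"aws_db_parameter_group":           {"CreateDBParameterGroup", "ModifyDBParameterGroup"},
	"aws_db_subnet_group":              {"CreateDBSubnetGroup", "ModifyDBSubnetGroup"},
	"aws_db_option_group":              {"CreateOptionGroup", "ModifyOptionGroup", "DeleteOptionGroup"},
}

// TerraformResource returns the Terraform resource type for an RDS event name, or "" if unmapped.
func TerraformResource(eventName string) string {
	for res, events := range resourceEvents {
		for _, e := range events {
			if e == eventName {
				return res
			}
		}
	}
	return ""
}

// IsCriticalSecurityChange evaluates the "RDS Critical Security Change" condition from
// rules/rds.yaml on one raw CloudTrail record; a flag absent from the request never matches.
func IsCriticalSecurityChange(raw []byte) (bool, error) {
	var ev RDSEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, err
	}
	if ev.EventName != "ModifyDBInstanceAttribute" && ev.EventName != "ModifyDBParameterGroup" {
		return false, nil
	}
	pub, _ := ev.Request["publiclyAccessible"].(bool)   // matches only when explicitly true
	enc, encSet := ev.Request["storageEncrypted"].(bool) // matches only when present and false
	del, delSet := ev.Request["deletionProtection"].(bool)
	return pub || (encSet && !enc) || (delSet && !del), nil
}
```

Events the table does not cover (RebootDBInstance, for instance) map to "", which is the case a drift engine must treat as "logged but not attributed to a Terraform resource" rather than silently dropping.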
Best Practices
1. Deletion Protection
Always enable deletion protection in Terraform:
```hcl
resource "aws_db_instance" "production" {
  identifier = "production-db"

  # Prevent accidental deletion
  deletion_protection = true

  # Require final snapshot
  skip_final_snapshot       = false
  final_snapshot_identifier = "production-db-final-snapshot"

  # Other configuration...
}
```
2. Encryption at Rest
Enforce encryption for all databases:
```hcl
resource "aws_db_instance" "secure" {
  identifier = "secure-db"

  # Encryption
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  # Other configuration...
}
```
3. Network Isolation
Never expose databases publicly:
```hcl
resource "aws_db_instance" "private" {
  identifier = "private-db"

  # Network security
  publicly_accessible    = false
  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.rds.id]

  # Other configuration...
}
```
4. Backup Configuration
Configure automated backups:
```hcl
resource "aws_db_instance" "backed_up" {
  identifier = "backed-up-db"

  # Backup configuration
  backup_retention_period = 30
  backup_window           = "03:00-04:00"

  # Enable automated backups
  skip_final_snapshot = false

  # Other configuration...
}
```
5. Parameter Group Management
Use custom parameter groups for production:
```hcl
resource "aws_db_parameter_group" "production" {
  name   = "production-postgres-13"
  family = "postgres13"

  # Security parameters
  parameter {
    name  = "rds.force_ssl"
    value = "1"
  }

  parameter {
    name  = "log_statement"
    value = "all"
  }

  parameter {
    name  = "log_min_duration_statement"
    value = "1000" # Log queries > 1 second
  }
}
```
What's Next
We're continuing toward the v0.3.0 milestone (198 events). Remaining services:
- SageMaker - ML model deployment tracking
- DynamoDB Enhanced - Additional table operations
- VPC Enhanced - More network infrastructure events
29 events remaining to reach v0.3.0!
Community
- GitHub: github.com/higakikeita/tfdrift-falco
- Documentation: tfdrift-falco.vercel.app
- Issues: Report bugs or request features
Ready to enhance your RDS drift detection? Update to the latest version today and start monitoring your databases in real-time!
```shell
git clone https://github.com/higakikeita/tfdrift-falco.git
cd tfdrift-falco
make install
```
Happy drift hunting! 🗃️