# RDS Rules
These rules identify RDS instances using outdated instance classes and instances that have been idle with no database connections.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-RDS-1 | Discovery and IaC | RDS Instance Class Not Preferred |
| CLDBRN-AWS-RDS-2 | Discovery | RDS DB Instance Idle |
## CLDBRN-AWS-RDS-1: RDS Instance Class Not Preferred

Scan type: Discovery and IaC

### What it checks
Flags RDS DB instances using older-generation instance classes. The preferred classes offer better performance per dollar and are AWS's recommended choices for new and existing workloads.
Preferred instance classes:

| Class | Best For |
|---|---|
| db.m8g | General-purpose workloads (Graviton4) |
| db.r8g | Memory-intensive workloads (Graviton4) |
| db.m7i | General-purpose workloads (Intel x86) |
| db.r7i | Memory-intensive workloads (Intel x86) |
| db.t4g | Dev/test and burstable workloads (Graviton2) |
Non-preferred classes that trigger findings: db.m1–db.m6, db.r3–db.r6, db.t2–db.t3.
### Why it matters
Older-generation RDS instance classes are less performant and often more expensive than their current-generation equivalents. Graviton-based classes (db.m8g, db.r8g, db.t4g) provide 20-35% better price/performance than equivalent Intel x86 classes.
### What triggers a finding
The DB instance class family matches one of the non-preferred generations listed above.
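The check described above, as an added example that is not part of the scanner's own code: it parses the `DBInstanceClass` string into family letter, generation number and suffix, flags only the generations listed in this rule (db.m1–db.m6, db.r3–db.r6, db.t2–db.t3), and leaves classes that are neither preferred nor listed (for example db.m7g) alone, as the trigger text specifies. The instance records and the replacement-suggestion mapping are constructed assumptions for the example; the suggested size suffix is carried over unchanged and must be checked against the target class.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Preferred classes from the rule's table.
PREFERRED_FAMILIES = {"m8g", "r8g", "m7i", "r7i", "t4g"}

# Non-preferred generations that trigger CLDBRN-AWS-RDS-1:
# db.m1-db.m6, db.r3-db.r6, db.t2-db.t3.
NON_PREFERRED_GENERATIONS = {
    "m": range(1, 7),
    "r": range(3, 7),
    "t": range(2, 4),
}

# Assumed mapping used only to suggest a replacement (not part of the rule);
# the size is carried over and must be verified against the target class's sizes.
SUGGESTED_REPLACEMENT = {"m": "m8g", "r": "r8g", "t": "t4g"}

# db.<letters><generation><optional suffix>.<size>
# e.g. "db.m6gd.large" -> ("m", 6, "gd", "large")
_CLASS_RE = re.compile(
    r"^db\.(?P<letter>[a-z]+?)(?P<gen>\d+)(?P<suffix>[a-z]*)\.(?P<size>[a-z0-9]+)$"
)


def parse_instance_class(instance_class: str) -> Optional[tuple]:
    m = _CLASS_RE.match(instance_class)
    if m is None:
        return None
    return m["letter"], int(m["gen"]), m["suffix"], m["size"]


def is_preferred(instance_class: str) -> bool:
    parsed = parse_instance_class(instance_class)
    if parsed is None:
        return False
    letter, gen, suffix, _size = parsed
    return f"{letter}{gen}{suffix}" in PREFERRED_FAMILIES


def is_non_preferred(instance_class: str) -> bool:
    """True when the family/generation is one of the listed non-preferred generations."""
    parsed = parse_instance_class(instance_class)
    if parsed is None:
        return False  # unparseable class: do not guess, produce no finding
    letter, gen, _suffix, _size = parsed
    gens = NON_PREFERRED_GENERATIONS.get(letter)
    return gens is not None and gen in gens


def suggest_replacement(instance_class: str) -> Optional[str]:
    parsed = parse_instance_class(instance_class)
    if parsed is None:
        return None
    letter, _gen, _suffix, size = parsed
    family = SUGGESTED_REPLACEMENT.get(letter)
    return f"db.{family}.{size}" if family else None


@dataclass(frozen=True)
class Finding:
    rule_id: str
    db_instance_identifier: str
    instance_class: str
    suggested_class: Optional[str]


def check_instance_classes(instances):
    """instances: dicts carrying the DescribeDBInstances fields this check needs."""
    findings = []
    for inst in instances:
        cls = inst["DBInstanceClass"]
        if is_non_preferred(cls):
            findings.append(
                Finding("CLDBRN-AWS-RDS-1", inst["DBInstanceIdentifier"], cls, suggest_replacement(cls))
            )
    return findings


# Constructed sample inventory (not real instances).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "DBInstanceClass": "db.m5.xlarge"},
    {"DBInstanceIdentifier": "analytics", "DBInstanceClass": "db.r6g.2xlarge"},
    {"DBInstanceIdentifier": "dev-scratch", "DBInstanceClass": "db.t3.micro"},
    {"DBInstanceIdentifier": "billing", "DBInstanceClass": "db.m8g.large"},
    {"DBInstanceIdentifier": "reports", "DBInstanceClass": "db.m7g.large"},
]

if __name__ == "__main__":
    for f in check_instance_classes(SAMPLE_INSTANCES):
        print(f"{f.rule_id}: {f.db_instance_identifier} uses {f.instance_class}; consider {f.suggested_class}")
```

Run against the constructed inventory, the check flags orders-prod, analytics and dev-scratch; billing is preferred and reports (db.m7g) is neither preferred nor listed, so neither produces a finding.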
### How to remediate
Modify the DB instance to use a preferred class. For production instances, use a Multi-AZ failover to minimize downtime:

```bash
aws rds modify-db-instance \
  --db-instance-identifier my-db \
  --db-instance-class db.m8g.large \
  --apply-immediately
```
For Graviton migrations, verify engine compatibility first — most engines on RDS support Graviton, but check the specific engine version and region availability.
### IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_db_instance |
| CloudFormation | AWS::RDS::DBInstance |
## CLDBRN-AWS-RDS-2: RDS DB Instance Idle

Scan type: Discovery

### What it checks
Flags RDS DB instances that have had zero database connections over the past 7 days. An instance with no connections is not serving any application traffic and is a candidate for deletion or suspension.
### Why it matters
RDS instances are billed by the hour for provisioned compute and storage, regardless of whether any application is connected. An idle db.m7i.large Multi-AZ instance costs over $300/month. Development and staging databases that are forgotten after a project ends are a common source of unnecessary RDS spend.
### What triggers a finding
`maxDatabaseConnectionsLast7Days` is 0.
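The idle trigger evaluated over sample metric data, as an added example that is not the scanner's own code. The datapoints follow the shape boto3's `get_metric_statistics` returns for the `AWS/RDS` `DatabaseConnections` metric with `Statistics=["Maximum"]` (a list of `{"Timestamp", "Maximum"}` dicts), but are constructed here so the block runs offline. Two edge cases the bare rule statement does not spell out are handled, both as assumptions of this example: an instance younger than the 7-day window is not flagged, and a window with no datapoints at all is treated as "no data" rather than as zero connections.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

LOOKBACK_DAYS = 7


def max_connections_last_n_days(datapoints, now, days=LOOKBACK_DAYS) -> Optional[float]:
    """Largest 'Maximum' among datapoints inside the window; None when the window holds no data."""
    window_start = now - timedelta(days=days)
    values = [dp["Maximum"] for dp in datapoints if window_start <= dp["Timestamp"] <= now]
    return max(values) if values else None


def is_idle(instance, datapoints, now, days=LOOKBACK_DAYS) -> bool:
    """CLDBRN-AWS-RDS-2 trigger: maxDatabaseConnectionsLast7Days is 0."""
    # Assumption: an instance younger than the window has not had 7 days to be used.
    if now - instance["InstanceCreateTime"] < timedelta(days=days):
        return False
    # Assumption: only running instances are evaluated; stopped ones emit no metric.
    if instance["DBInstanceStatus"] != "available":
        return False
    peak = max_connections_last_n_days(datapoints, now, days)
    # Missing data is not the same as zero connections.
    return peak is not None and peak == 0


def check_idle_instances(pairs, now):
    """pairs: (instance record, datapoints) tuples; returns identifiers that trigger the rule."""
    return [inst["DBInstanceIdentifier"] for inst, dps in pairs if is_idle(inst, dps, now)]


# ---- constructed sample data (not real instances or metrics) ----
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def hourly(values, now=NOW):
    """One datapoint per hour ending at `now`, oldest first."""
    n = len(values)
    return [{"Timestamp": now - timedelta(hours=n - i), "Maximum": float(v)} for i, v in enumerate(values)]


def instance(ident, age_days, status="available"):
    return {
        "DBInstanceIdentifier": ident,
        "DBInstanceStatus": status,
        "InstanceCreateTime": NOW - timedelta(days=age_days),
    }


SAMPLE = [
    # Had connections inside the window: not idle.
    (instance("orders-prod", 400), hourly([0] * 100 + [12, 0, 3] + [0] * 60)),
    # Seven full days of zeros: idle.
    (instance("dev-scratch", 90), hourly([0] * 168)),
    # Created two days ago: too young to judge, not flagged.
    (instance("new-db", 2), hourly([0] * 48)),
    # Its only nonzero value is older than 7 days, so it falls outside the window: idle.
    (instance("stale-peak", 365), hourly([5] + [0] * 200)),
    # Stopped instances are skipped.
    (instance("archived", 365, status="stopped"), []),
]

if __name__ == "__main__":
    for ident in check_idle_instances(SAMPLE, NOW):
        print(f"CLDBRN-AWS-RDS-2: {ident} had no database connections in the last {LOOKBACK_DAYS} days")
```

The "stale-peak" case is the one worth noticing: a connection 8 days ago does not keep an instance off the report, which is why the remediation step below asks you to confirm against application logs rather than the metric alone.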
### How to remediate
- Verify no application is using the instance (check application logs, not just the CloudWatch metric)
- If truly idle, choose one of:
  - Stop the instance: RDS can be stopped for up to 7 days at a time. Storage charges continue but compute stops.
  - Delete the instance: Take a final snapshot, then delete.
  - Migrate to Aurora Serverless v2: For intermittent workloads, Aurora Serverless v2 scales to zero ACUs when idle, eliminating compute cost between bursts.

```bash
# Create final snapshot and delete
aws rds create-db-snapshot \
  --db-instance-identifier my-db \
  --db-snapshot-identifier my-db-final-snapshot
# Snapshot creation is asynchronous; wait for it to finish before deleting the instance
aws rds wait db-snapshot-completed \
  --db-snapshot-identifier my-db-final-snapshot
aws rds delete-db-instance \
  --db-instance-identifier my-db \
  --skip-final-snapshot
```
## See Also
- CLI discover command — scan live RDS instances
- CLI scan command — scan IaC templates for RDS issues
- SDK Reference — run scans programmatically