For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-rds-multi-az-deployment-disabled.md.
A documentation index is available at /llms.txt.
RDS DB instances should be deployed across multiple Availability Zones to ensure high availability and reduce the risk of extended outage or data loss caused by an Availability Zone failure or planned maintenance. In AWS CloudFormation, the AWS::RDS::DBInstance resource must have the MultiAZ property set to true. Resources with MultiAZ set to false or missing the MultiAZ property (which defaults to disabled) will be flagged.
AWSTemplateFormatVersion:2010-09-09Description:"AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica:
Sample template showing how to create a highly-available, RDS DBInstance with
a read replica. **WARNING** This template creates an Amazon Relational
Database Service database instance and Amazon CloudWatch alarms. You will be
billed for the AWS resources used if you create a stack from this template."Parameters:DBName:Default:MyDatabaseDescription:The database nameType:StringMinLength:"1"MaxLength:"64"AllowedPattern:"[a-zA-Z][a-zA-Z0-9]*"ConstraintDescription:must begin with a letter and contain only alphanumeric characters.DBUser:NoEcho:"true"Description:The database admin account usernameType:StringMinLength:"1"MaxLength:"16"AllowedPattern:"[a-zA-Z][a-zA-Z0-9]*"ConstraintDescription:must begin with a letter and contain only alphanumeric characters.DBPassword:NoEcho:"true"Description:The database admin account passwordType:StringMinLength:"1"MaxLength:"41"AllowedPattern:"[a-zA-Z0-9]+"ConstraintDescription:must contain only alphanumeric characters.DBAllocatedStorage:Default:"5"Description:The size of the database (Gb)Type:NumberMinValue:"5"MaxValue:"1024"ConstraintDescription:must be between 5 and 1024Gb.DBInstanceClass:Description:The database instance typeType:StringDefault:db.t2.smallAllowedValues:- db.t1.micro- db.m1.small- db.m1.medium- db.m1.large- db.m1.xlarge- db.m2.xlarge- db.m2.2xlarge- db.m2.4xlarge- db.m3.medium- db.m3.large- db.m3.xlarge- db.m3.2xlarge- db.m4.large- db.m4.xlarge- db.m4.2xlarge- db.m4.4xlarge- db.m4.10xlarge- db.r3.large- db.r3.xlarge- db.r3.2xlarge- db.r3.4xlarge- db.r3.8xlarge- db.m2.xlarge- db.m2.2xlarge- db.m2.4xlarge- db.cr1.8xlarge- db.t2.micro- db.t2.small- db.t2.medium- db.t2.largeConstraintDescription:must select a valid database instance type.EC2SecurityGroup:Description:The EC2 security group that contains instances that need access tothe databaseDefault:defaultType:StringAllowedPattern:"[a-zA-Z0-9\\-]+"ConstraintDescription:must be a valid security group name.Conditions:Is-EC2-VPC:Fn::Or:- Fn::Equals:- Ref:AWS::Region- eu-central-1- Fn::Equals:- Ref:AWS::Region- cn-north-1Is-EC2-Classic:Fn::Not:- Condition:Is-EC2-VPCResources:DBEC2SecurityGroup:Type:AWS::EC2::SecurityGroupCondition:Is-EC2-VPCProperties:GroupDescription:Open database for accessSecurityGroupIngress:- IpProtocol:tcpFromPort:3306ToPort:3306SourceSecurityGroupName:Ref:EC2SecurityGroupDBSecurityGroup:Type:AWS::RDS::DBSecurityGroupCondition:Is-EC2-ClassicProperties:DBSecurityGroupIngress:- EC2SecurityGroupName:Ref:EC2SecurityGroupGroupDescription:database accessMasterDB:Type:AWS::RDS::DBInstanceProperties:DBName:Ref:DBNameAllocatedStorage:Ref:DBAllocatedStorageDBInstanceClass:Ref:DBInstanceClassEngine:MySQLMasterUsername:Ref:DBUserMasterUserPassword:Ref:DBPasswordMultiAZ:trueTags:- Key:NameValue:Master DatabaseVPCSecurityGroups:Fn::If:- Is-EC2-VPC- - Fn::GetAtt:- DBEC2SecurityGroup- GroupId- Ref:AWS::NoValueDBSecurityGroups:Fn::If:- Is-EC2-Classic- - Ref:DBSecurityGroup- Ref:AWS::NoValueDeletionPolicy:SnapshotUpdateReplacePolicy:SnapshotReplicaDB:Type:AWS::RDS::DBInstanceProperties:SourceDBInstanceIdentifier:Ref:MasterDBDBInstanceClass:Ref:DBInstanceClassMultiAZ:trueTags:- Key:NameValue:Read Replica DatabaseOutputs:EC2Platform:Description:Platform in which this stack is deployedValue:Fn::If:- Is-EC2-VPC- EC2-VPC- EC2-ClassicMasterJDBCConnectionString:Description:JDBC connection string for the master databaseValue:Fn::Join:- ""- - jdbc:mysql://- Fn::GetAtt:- MasterDB- Endpoint.Address- ":"- Fn::GetAtt:- MasterDB- Endpoint.Port- /- Ref:DBNameReplicaJDBCConnectionString:Description:JDBC connection string for the replica databaseValue:Fn::Join:- ""- - jdbc:mysql://- Fn::GetAtt:- ReplicaDB- Endpoint.Address- ":"- Fn::GetAtt:- ReplicaDB- Endpoint.Port- /- Ref:DBName
{"Resources":{"DBEC2SecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Condition":"Is-EC2-VPC","Properties":{"GroupDescription":"Open database for access","SecurityGroupIngress":[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"SourceSecurityGroupName":{"Ref":"EC2SecurityGroup"}}]}},"DBSecurityGroup":{"Type":"AWS::RDS::DBSecurityGroup","Condition":"Is-EC2-Classic","Properties":{"DBSecurityGroupIngress":[{"EC2SecurityGroupName":{"Ref":"EC2SecurityGroup"}}],"GroupDescription":"database access"}},"MasterDB":{"Type":"AWS::RDS::DBInstance","Properties":{"VPCSecurityGroups":{"Fn::If":["Is-EC2-VPC",[{"Fn::GetAtt":["DBEC2SecurityGroup","GroupId"]}],{"Ref":"AWS::NoValue"}]},"DBSecurityGroups":{"Fn::If":["Is-EC2-Classic",[{"Ref":"DBSecurityGroup"}],{"Ref":"AWS::NoValue"}]},"DBName":{"Ref":"DBName"},"AllocatedStorage":{"Ref":"DBAllocatedStorage"},"DBInstanceClass":{"Ref":"DBInstanceClass"},"MasterUserPassword":{"Ref":"DBPassword"},"MultiAZ":true,"Engine":"MySQL","MasterUsername":{"Ref":"DBUser"},"Tags":[{"Key":"Name","Value":"Master Database"}]},"DeletionPolicy":"Snapshot","UpdateReplacePolicy":"Snapshot"},"ReplicaDB":{"Type":"AWS::RDS::DBInstance","Properties":{"SourceDBInstanceIdentifier":{"Ref":"MasterDB"},"DBInstanceClass":{"Ref":"DBInstanceClass"},"MultiAZ":true,"Tags":[{"Key":"Name","Value":"Read Replica Database"}]}}},"Outputs":{"EC2Platform":{"Description":"Platform in which this stack is deployed","Value":{"Fn::If":["Is-EC2-VPC","EC2-VPC","EC2-Classic"]}},"MasterJDBCConnectionString":{"Description":"JDBC connection string for the master database","Value":{"Fn::Join":["",["jdbc:mysql://",{"Fn::GetAtt":["MasterDB","Endpoint.Address"]},":",{"Fn::GetAtt":["MasterDB","Endpoint.Port"]},"/",{"Ref":"DBName"}]]}},"ReplicaJDBCConnectionString":{"Description":"JDBC connection string for the replica database","Value":{"Fn::Join":["",["jdbc:mysql://",{"Fn::GetAtt":["ReplicaDB","Endpoint.Address"]},":",{"Fn::GetAtt":["ReplicaDB","Endpoint.Port"]},"/",{"Ref":"DBName"}]]}}},"AWSTemplateFormatVersion":"2010-09-09T00:00:00Z","Description":"AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: Sample template showing how to create a highly-available, RDS DBInstance with a read replica. **WARNING** This template creates an Amazon Relational Database Service database instance and Amazon CloudWatch alarms. You will be billed for the AWS resources used if you create a stack from this template.","Parameters":{"DBName":{"MaxLength":"64","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"must begin with a letter and contain only alphanumeric characters.","Default":"MyDatabase","Description":"The database name","Type":"String","MinLength":"1"},"DBUser":{"NoEcho":"true","Description":"The database admin account username","Type":"String","MinLength":"1","MaxLength":"16","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"must begin with a letter and contain only alphanumeric characters."},"DBPassword":{"NoEcho":"true","Description":"The database admin account password","Type":"String","MinLength":"1","MaxLength":"41","AllowedPattern":"[a-zA-Z0-9]+","ConstraintDescription":"must contain only alphanumeric characters."},"DBAllocatedStorage":{"Default":"5","Description":"The size of the database (Gb)","Type":"Number","MinValue":"5","MaxValue":"1024","ConstraintDescription":"must be between 5 and 1024Gb."},"DBInstanceClass":{"Type":"String","Default":"db.t2.small","AllowedValues":["db.t1.micro","db.m1.small","db.m1.medium","db.m1.large","db.m1.xlarge","db.m2.xlarge","db.m2.2xlarge","db.m2.4xlarge","db.m3.medium","db.m3.large","db.m3.xlarge","db.m3.2xlarge","db.m4.large","db.m4.xlarge","db.m4.2xlarge","db.m4.4xlarge","db.m4.10xlarge","db.r3.large","db.r3.xlarge","db.r3.2xlarge","db.r3.4xlarge","db.r3.8xlarge","db.m2.xlarge","db.m2.2xlarge","db.m2.4xlarge","db.cr1.8xlarge","db.t2.micro","db.t2.small","db.t2.medium","db.t2.large"],"ConstraintDescription":"must select a valid database instance type.","Description":"The database instance type"},"EC2SecurityGroup":{"Default":"default","Type":"String","AllowedPattern":"[a-zA-Z0-9\\-]+","ConstraintDescription":"must be a valid security group name.","Description":"The EC2 security group that contains instances that need access to the database"}},"Conditions":{"Is-EC2-VPC":{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"cn-north-1"]}]},"Is-EC2-Classic":{"Fn::Not":[{"Condition":"Is-EC2-VPC"}]}}}
Non-Compliant Code Examples
AWSTemplateFormatVersion:2010-09-09Description:"AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica:
Sample template showing how to create a highly-available, RDS DBInstance with
a read replica. **WARNING** This template creates an Amazon Relational
Database Service database instance and Amazon CloudWatch alarms. You will be
billed for the AWS resources used if you create a stack from this template."Parameters:DBName:Default:MyDatabaseDescription:The database nameType:StringMinLength:"1"MaxLength:"64"AllowedPattern:"[a-zA-Z][a-zA-Z0-9]*"ConstraintDescription:must begin with a letter and contain only alphanumeric characters.DBUser:NoEcho:"true"Description:The database admin account usernameType:StringMinLength:"1"MaxLength:"16"AllowedPattern:"[a-zA-Z][a-zA-Z0-9]*"ConstraintDescription:must begin with a letter and contain only alphanumeric characters.DBPassword:NoEcho:"true"Description:The database admin account passwordType:StringMinLength:"1"MaxLength:"41"AllowedPattern:"[a-zA-Z0-9]+"ConstraintDescription:must contain only alphanumeric characters.DBAllocatedStorage:Default:"5"Description:The size of the database (Gb)Type:NumberMinValue:"5"MaxValue:"1024"ConstraintDescription:must be between 5 and 1024Gb.DBInstanceClass:Description:The database instance typeType:StringDefault:db.t2.smallAllowedValues:- db.t1.micro- db.m1.small- db.m1.medium- db.m1.large- db.m1.xlarge- db.m2.xlarge- db.m2.2xlarge- db.m2.4xlarge- db.m3.medium- db.m3.large- db.m3.xlarge- db.m3.2xlarge- db.m4.large- db.m4.xlarge- db.m4.2xlarge- db.m4.4xlarge- db.m4.10xlarge- db.r3.large- db.r3.xlarge- db.r3.2xlarge- db.r3.4xlarge- db.r3.8xlarge- db.m2.xlarge- db.m2.2xlarge- db.m2.4xlarge- db.cr1.8xlarge- db.t2.micro- db.t2.small- db.t2.medium- db.t2.largeConstraintDescription:must select a valid database instance type.EC2SecurityGroup:Description:The EC2 security group that contains instances that need access tothe databaseDefault:defaultType:StringAllowedPattern:"[a-zA-Z0-9\\-]+"ConstraintDescription:must be a valid security group name.Conditions:Is-EC2-VPC:Fn::Or:- Fn::Equals:- Ref:AWS::Region- eu-central-1- Fn::Equals:- Ref:AWS::Region- cn-north-1Is-EC2-Classic:Fn::Not:- Condition:Is-EC2-VPCResources:DBEC2SecurityGroup:Type:AWS::EC2::SecurityGroupCondition:Is-EC2-VPCProperties:GroupDescription:Open database for accessSecurityGroupIngress:- IpProtocol:tcpFromPort:3306ToPort:3306SourceSecurityGroupName:Ref:EC2SecurityGroupDBSecurityGroup:Type:AWS::RDS::DBSecurityGroupCondition:Is-EC2-ClassicProperties:DBSecurityGroupIngress:- EC2SecurityGroupName:Ref:EC2SecurityGroupGroupDescription:database accessMasterDB:Type:AWS::RDS::DBInstanceProperties:DBName:Ref:DBNameAllocatedStorage:Ref:DBAllocatedStorageDBInstanceClass:Ref:DBInstanceClassEngine:MySQLMasterUsername:Ref:DBUserMasterUserPassword:Ref:DBPasswordMultiAZ:falseTags:- Key:NameValue:Master DatabaseVPCSecurityGroups:Fn::If:- Is-EC2-VPC- - Fn::GetAtt:- DBEC2SecurityGroup- GroupId- Ref:AWS::NoValueDBSecurityGroups:Fn::If:- Is-EC2-Classic- - Ref:DBSecurityGroup- Ref:AWS::NoValueDeletionPolicy:SnapshotUpdateReplacePolicy:SnapshotReplicaDB:Type:AWS::RDS::DBInstanceProperties:SourceDBInstanceIdentifier:Ref:MasterDBDBInstanceClass:Ref:DBInstanceClassTags:- Key:NameValue:Read Replica DatabaseOutputs:EC2Platform:Description:Platform in which this stack is deployedValue:Fn::If:- Is-EC2-VPC- EC2-VPC- EC2-ClassicMasterJDBCConnectionString:Description:JDBC connection string for the master databaseValue:Fn::Join:- ""- - jdbc:mysql://- Fn::GetAtt:- MasterDB- Endpoint.Address- ":"- Fn::GetAtt:- MasterDB- Endpoint.Port- /- Ref:DBNameReplicaJDBCConnectionString:Description:JDBC connection string for the replica databaseValue:Fn::Join:- ""- - jdbc:mysql://- Fn::GetAtt:- ReplicaDB- Endpoint.Address- ":"- Fn::GetAtt:- ReplicaDB- Endpoint.Port- /- Ref:DBName
{"Conditions":{"Is-EC2-VPC":{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"cn-north-1"]}]},"Is-EC2-Classic":{"Fn::Not":[{"Condition":"Is-EC2-VPC"}]}},"Resources":{"DBEC2SecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Condition":"Is-EC2-VPC","Properties":{"GroupDescription":"Open database for access","SecurityGroupIngress":[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"SourceSecurityGroupName":{"Ref":"EC2SecurityGroup"}}]}},"DBSecurityGroup":{"Type":"AWS::RDS::DBSecurityGroup","Condition":"Is-EC2-Classic","Properties":{"GroupDescription":"database access","DBSecurityGroupIngress":[{"EC2SecurityGroupName":{"Ref":"EC2SecurityGroup"}}]}},"MasterDB":{"Type":"AWS::RDS::DBInstance","Properties":{"DBSecurityGroups":{"Fn::If":["Is-EC2-Classic",[{"Ref":"DBSecurityGroup"}],{"Ref":"AWS::NoValue"}]},"DBName":{"Ref":"DBName"},"DBInstanceClass":{"Ref":"DBInstanceClass"},"Engine":"MySQL","MasterUserPassword":{"Ref":"DBPassword"},"MultiAZ":false,"AllocatedStorage":{"Ref":"DBAllocatedStorage"},"MasterUsername":{"Ref":"DBUser"},"Tags":[{"Key":"Name","Value":"Master Database"}],"VPCSecurityGroups":{"Fn::If":["Is-EC2-VPC",[{"Fn::GetAtt":["DBEC2SecurityGroup","GroupId"]}],{"Ref":"AWS::NoValue"}]}},"DeletionPolicy":"Snapshot","UpdateReplacePolicy":"Snapshot"},"ReplicaDB":{"Type":"AWS::RDS::DBInstance","Properties":{"SourceDBInstanceIdentifier":{"Ref":"MasterDB"},"DBInstanceClass":{"Ref":"DBInstanceClass"},"Tags":[{"Key":"Name","Value":"Read Replica Database"}]}}},"Outputs":{"ReplicaJDBCConnectionString":{"Description":"JDBC connection string for the replica database","Value":{"Fn::Join":["",["jdbc:mysql://",{"Fn::GetAtt":["ReplicaDB","Endpoint.Address"]},":",{"Fn::GetAtt":["ReplicaDB","Endpoint.Port"]},"/",{"Ref":"DBName"}]]}},"EC2Platform":{"Description":"Platform in which this stack is deployed","Value":{"Fn::If":["Is-EC2-VPC","EC2-VPC","EC2-Classic"]}},"MasterJDBCConnectionString":{"Description":"JDBC connection string for the master database","Value":{"Fn::Join":["",["jdbc:mysql://",{"Fn::GetAtt":["MasterDB","Endpoint.Address"]},":",{"Fn::GetAtt":["MasterDB","Endpoint.Port"]},"/",{"Ref":"DBName"}]]}}},"AWSTemplateFormatVersion":"2010-09-09T00:00:00Z","Description":"AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: Sample template showing how to create a highly-available, RDS DBInstance with a read replica. **WARNING** This template creates an Amazon Relational Database Service database instance and Amazon CloudWatch alarms. You will be billed for the AWS resources used if you create a stack from this template.","Parameters":{"DBAllocatedStorage":{"MaxValue":"1024","ConstraintDescription":"must be between 5 and 1024Gb.","Default":"5","Description":"The size of the database (Gb)","Type":"Number","MinValue":"5"},"DBInstanceClass":{"AllowedValues":["db.t1.micro","db.m1.small","db.m1.medium","db.m1.large","db.m1.xlarge","db.m2.xlarge","db.m2.2xlarge","db.m2.4xlarge","db.m3.medium","db.m3.large","db.m3.xlarge","db.m3.2xlarge","db.m4.large","db.m4.xlarge","db.m4.2xlarge","db.m4.4xlarge","db.m4.10xlarge","db.r3.large","db.r3.xlarge","db.r3.2xlarge","db.r3.4xlarge","db.r3.8xlarge","db.m2.xlarge","db.m2.2xlarge","db.m2.4xlarge","db.cr1.8xlarge","db.t2.micro","db.t2.small","db.t2.medium","db.t2.large"],"ConstraintDescription":"must select a valid database instance type.","Description":"The database instance type","Type":"String","Default":"db.t2.small"},"EC2SecurityGroup":{"AllowedPattern":"[a-zA-Z0-9\\-]+","ConstraintDescription":"must be a valid security group name.","Description":"The EC2 security group that contains instances that need access to the database","Default":"default","Type":"String"},"DBName":{"Default":"MyDatabase","Description":"The database name","Type":"String","MinLength":"1","MaxLength":"64","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"must begin with a letter and contain only alphanumeric characters."},"DBUser":{"NoEcho":"true","Description":"The database admin account username","Type":"String","MinLength":"1","MaxLength":"16","AllowedPattern":"[a-zA-Z][a-zA-Z0-9]*","ConstraintDescription":"must begin with a letter and contain only alphanumeric characters."},"DBPassword":{"NoEcho":"true","Description":"The database admin account password","Type":"String","MinLength":"1","MaxLength":"41","AllowedPattern":"[a-zA-Z0-9]+","ConstraintDescription":"must contain only alphanumeric characters."}}}
1
2
rulesets:- CloudFormation / AWS # Rules to enforce / AWS.
Request a personalized demo
Get Started with Datadog
Ask AI
AI-generated responses may be inaccurate. Verify important info.
