Automated Discovery and Assessment of PaaS Databases with Lambda Service for Qualys Policy Compliance

In the last several years, Platform as a Service (PaaS) solutions have evolved and matured. As organizations have focused on digital transformation, there has been a major shift towards adopting PaaS solutions driven by benefits including scalability, agility, faster deployment, and cost-effective maintenance.

However, when it comes to security and compliance, PaaS environments differ from traditional on-premises data centers. Changing the focus from network-centric security parameters to identity-specific ones comes with inherent challenges. The risk mitigation model used for on-prem instances cannot be replicated in cloud environments for various reasons. 

Introducing Lambda RDS Discovery and Scan Service (LRDSS)

Qualys offers a new innovative solution for securing databases in Amazon AWS PaaS environments. Lambda RDS Discovery and Scan Service (LRDSS) enables you to manage the security and compliance of your RDS instances via Qualys Policy Compliance (PC), so that you secure them the same as your on-premises services. Being a shared platform, security and compliance for database PaaS services become the shared responsibility of the PaaS vendor and its customers. Due to the underlying infrastructural and architectural complexities, the way you secure your PaaS infrastructure is a big differentiator in security and compliance assessments.

LRDSS helps you overcome a number of challenges in managing the security and compliance of RDS instances, particularly around integrating them into an organization’s global compliance program. It also automates the end-to-end workflow including creation of authentication records, handling the dynamic IPs of the RDS instances, initiating scans and so on, without any manual intervention, which substantially reduces the users’ efforts. 

Challenge 1: Inventory Your RDS Instances  

Organizations tend to manage their PaaS infrastructure separately from their on-premises infrastructure, which makes it difficult to have a comprehensive, global compliance program.

LRDSS enables you to collect an inventory of RDS instances across regions in an AWS account and represent the data as asset groups in Qualys Policy Compliance.

 Challenge 2: Tracking and Assessing RDS Instances with Dynamic IPs 

RDS instances don’t have static IPs, which makes it difficult for enterprises to get recent IP addresses, especially when a large number of RDS instances are spread across multiple regions and accounts. The IP may change whenever the RDS instance goes into maintenance or failover mode. Because of the dynamic nature of IPs, users may have too many IPs to track. Moreover, every IP consumes a license. Older IPs updated for RDS need to be removed – adding to the overhead. 

Ensure the Overall Security Posture of Your Databases with LRDSS

LRDSS leverages AWS Lambda to discover all the RDS instances in an AWS-enabled PaaS environment, including the corresponding database credentials and their associated dynamic IPs. LRDSS then feeds this information into Qualys PC in the same way as any other instance information, so that it can be processed as typical asset data for compliance evaluation. Upon successful execution, the discovered RDS instances are displayed on the PC dashboard, and can be referenced by the IP addresses and canonical host names associated at the time of the RDS discovery.

LRDSS helps collect an inventory of RDS instances, represent the data as asset groups in Qualys PC, and initiate scans for the discovered instances in various network segments (Amazon Virtual Private Clouds or VPCs). With this solution, users can view all asset-related data and their compliance posture in Qualys Policy Compliance.

Without requiring manual intervention, LRDSS automates the entire workflow, which includes: 

  • Discovering the RDS instances present across all regions 
  • Identifying the current IP addresses 
  • Checking the network connectivity between the scanner appliance and RDS instance using the routing rules 
  • Creating authentication records 
  • Handling the dynamic IPs of the RDS instances 
  • Initiating scans 
  • Maintaining a detailed log of actions performed on the assets and the relationship of IPs with the RDS instances 

Security and Compliance Across All Your Assets

With cloud adoption proliferating across the industry, organizations are facing a higher database security risk. At times, organizations lack visibility into the various security requirements while using managed services such as AWS RDS. With this new LRDSS feature, Qualys not only makes it easy to access your RDS instances and fetch their information, but it reduces the efforts involved in achieving compliance in a cost-effective way. With LRDSS, the RDS instances are treated as all other assets in your asset system, so that you can easily know their health and compliance posture, similar to the databases running on traditional, on-prem infrastructure.


Nikhil Kumar, Signature Engineer, Qualys

This post was first first published on Qualys Security Blog’ website by Pronamika Abraham. You can view it by clicking here