{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "AC-4",
                "AC-4(21)",
                "CM-8(1)",
                "SC-7",
                "SC-7(11)",
                "SC-7(16)",
                "SC-7(21)",
                "SC-7(4)",
                "SC-7(5)"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "1.2.1",
                "1.3",
                "1.3.1",
                "1.3.2",
                "1.3.4",
                "1.3.6",
                "2.1",
                "2.2",
                "2.2.2"
            ]
        }
    ],
    "ConfigRuleIdentifier": "RDS_DB_SECURITY_GROUP_NOT_ALLOWED",
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether any Amazon Relational Database Services (RDS) database (DB) security groups are created by, or associated to, an RDS DB instance, because DB security groups are intended for the EC2-Classic platform only.",
    "DisplayName": "Require that an Amazon RDS instance does not create DB security groups",
    "DocumentationReferences": [
        {
            "DisplayName": "Provide access to your DB instance in your VPC by creating a security group",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SettingUp.html#CHAP_SettingUp.SecurityGroup"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::RDS::DBInstance",
        "AWS::RDS::DBSecurityGroup"
    ],
    "EvaluatedServices": [
        "Amazon RDS"
    ],
    "Guidance": "Elective",
    "Id": "CT.RDS.PR.15",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.6",
            "Name": "Limit network access"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "ReleaseDate": "2022-11-28",
    "RemediationMessage": "Omit the 'DBSecurityGroups' property. Instead, configure Amazon VPC security groups by means of the 'VPCSecurityGroups' property.",
    "Severity": "MEDIUM",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "1",
    "Visibility": "PUBLIC"
}