Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
On June 1, 2026, Microsoft Defender for Open-Source Relational Databases for AWS RDS transitions to General Availability, and billing starts with usage reflected in your July 2026 bill. You continue to receive database threat protection and sensitive data discovery capabilities for supported AWS RDS databases. No action is required if you want to keep the protection enabled. To opt out before charges begin, follow the instructions in Disable the plan.
The Defender for open-source relational databases plan in Microsoft Defender for Cloud helps you detect and investigate unusual activity in your AWS RDS databases. This preview supports the following database instance types:
- Aurora PostgreSQL
- Aurora MySQL
- PostgreSQL
- MySQL
- MariaDB
This article explains how to enable Defender for open-source relational databases on AWS so that you can start receiving alerts for suspicious activity.
When you enable this plan, Defender for Cloud also discovers sensitive data in your AWS account and enriches security insights with these findings. This capability is also included in Defender Cloud Security Posture Management (CSPM).
Learn more about this Microsoft Defender plan in Overview of Microsoft Defender for open-source relational databases.
Prerequisites
You need a Microsoft Azure subscription. If you don't have one, you can sign up for a free subscription.
You must enable Microsoft Defender for Cloud on your Azure subscription.
At least one connected AWS account with the required access and permissions.
Region availability: All public AWS regions (excluding Tel Aviv, Milan, Jakarta, Spain, and Bahrain).
Enable Defender for open-source relational databases
To enable Defender for open-source relational databases on AWS:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Select Environment settings.
Select the relevant AWS account.
Locate the Databases plan and select Settings.
Toggle open-source relational databases to On.
Note
Turning on Open-source relational databases also enables Sensitive data discovery, a shared feature with Defender CSPM for relational database service (RDS) resources.
Learn more about sensitive data discovery in AWS RDS instances.
Select Configure access.
In the deployment method section, select Download.
Follow the instructions to update the stack in AWS. This process creates or updates the CloudFormation template with the required permissions.
Select the checkbox to confirm that the CloudFormation template was updated in your AWS environment (stack).
Select Review and generate.
Review the information and select Update.
Defender for Cloud then automatically updates the relevant parameter and option group settings.
Required permissions for DefenderForCloud-DataThreatProtectionDB role
The following permissions are required for the role that is created or updated when you download the CloudFormation template and update the AWS stack. These permissions allow Defender for Cloud to configure auditing and collect database activity logs from your AWS RDS instances.
| Permission | Description |
|---|---|
| rds:AddTagsToResource | Adds tags on option and parameter groups created by the plan. |
| rds:DescribeDBClusterParameters | Describes parameters inside the cluster group. |
| rds:CreateDBParameterGroup | Creates a database parameter group. |
| rds:ModifyOptionGroup | Modifies options inside an option group. |
| rds:DescribeDBLogFiles | Describes database log files. |
| rds:DescribeDBParameterGroups | Describes database parameter groups. |
| rds:CreateOptionGroup | Creates an option group. |
| rds:ModifyDBParameterGroup | Modifies parameters inside database parameter groups. |
| rds:DownloadDBLogFilePortion | Downloads log file portions. |
| rds:DescribeDBInstances | Describes database instances. |
| rds:ModifyDBClusterParameterGroup | Modifies cluster parameters inside the cluster parameter group. |
| rds:ModifyDBInstance | Modifies databases to assign parameter or option groups as needed. |
| rds:ModifyDBCluster | Modifies clusters to assign cluster parameter groups as needed. |
| rds:DescribeDBParameters | Describes parameters inside the database group. |
| rds:CreateDBClusterParameterGroup | Creates a cluster parameter group. |
| rds:DescribeDBClusters | Describes clusters. |
| rds:DescribeDBClusterParameterGroups | Describes cluster parameter groups. |
| rds:DescribeOptionGroups | Describes option groups. |
Affected parameter and option group settings
When you enable Defender for open-source relational databases, Defender for Cloud automatically configures auditing parameters in your RDS instances to consume and analyze access patterns. You don't need to modify these settings manually. They're listed here for reference.
| Type | Parameter | Value |
|---|---|---|
| PostgreSQL and Aurora PostgreSQL | log_connections | 1 |
| PostgreSQL and Aurora PostgreSQL | log_disconnections | 1 |
| Aurora MySQL cluster parameter group | server_audit_logging | 1 |
| Aurora MySQL cluster parameter group | server_audit_events | - If it exists, expand the value to include CONNECT, QUERY, - If it doesn't exist, add it with the value CONNECT, QUERY. |
| Aurora MySQL cluster parameter group | server_audit_excl_users | If it exists, expand it to include rdsadmin. |
| Aurora MySQL cluster parameter group | server_audit_incl_users | If this setting exists and includes rdsadmin, remove rdsadmin from SERVER_AUDIT_EXCL_USER and leave this setting empty. |
An option group is required for MySQL and MariaDB with the following options for the MARIADB_AUDIT_PLUGIN.
If the option doesn’t exist, add it; if it exists, expand the values as needed.
| Option name | Value |
|---|---|
| SERVER_AUDIT_EVENTS | If it exists, expand the value to include CONNECT If it doesn't exist, add it with value CONNECT. |
| SERVER_AUDIT_EXCL_USER | If it exists, expand it to include rdsadmin. |
| SERVER_AUDIT_INCL_USERS | If this setting exists and includes rdsadmin, remove rdsadmin from SERVER_AUDIT_EXCL_USER and leave this setting empty. |
Important
You might need to reboot your instances to apply these changes.
If you're using the default parameter group, Defender for Cloud creates a new parameter group with the required changes and the prefix defenderfordatabases*.
If you create a new parameter group or update static parameters, the changes don't take effect until you reboot the instance.
Note
If a parameter group already exists, Defender for Cloud updates it.
MARIADB_AUDIT_PLUGINis supported in MariaDB 10.2 and later, MySQL 8.0.25 and later, and all MySQL 5.7 versions.Changes that Defender for Cloud makes to the
MARIADB_AUDIT_PLUGINfor MySQL instances are applied during the next maintenance window. For more information, see MARIADB_AUDIT_PLUGIN for MySQL instances.
Disable the plan
To disable Defender for open-source relational databases on AWS RDS:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud > Environment settings.
Select the relevant AWS account.
Locate the Databases plan and select Settings.
Toggle open-source relational databases to Off.
Select Save.