List cluster members and the AZ each instance is pinned to; flag clusters where all members land in one AZ. Add a reader in a different AZ with create-db-cluster-instance --availability-zone, matching the writer's instance class and setting PromotionTier 1. Trigger a controlled failover-db-cluster to the new reader, time the cutover, and record the RTO in the DR runbook. Prevent recurrence with the Config rule rds-cluster-multi-az-enabled and IaC lint requiring at least two AZs per cluster.

Compliance High severity

AWS Security Hub · RDS

RDS.15: The RDS or Aurora cluster is single-AZ

Written and reviewed by Emnode · Last reviewed 27 May 2026

What does AWS Security Hub RDS.15 check?

RDS.15 checks whether an RDS DB cluster is configured for multiple Availability Zones. It reports FAILED when every instance member of the cluster sits in a single AZ. It is distinct from RDS.5, which covers classic Multi-AZ on standalone instances.

Why does RDS.15 matter?

Aurora's storage layer is replicated six ways across three AZs automatically, which masks a blind spot: the instances that actually serve queries are ordinary VMs pinned to one AZ. If they all live in the same AZ and that AZ loses power or network, the cluster cannot fail over — there is no healthy reader to promote, so it waits, potentially for hours, until AWS restores the zone. The data survives; the service goes dark.

How do I fix RDS.15?

List cluster members and the AZ each instance is pinned to; flag clusters where all members land in one AZ.
Add a reader in a different AZ with create-db-cluster-instance --availability-zone, matching the writer's instance class and setting PromotionTier 1.
Trigger a controlled failover-db-cluster to the new reader, time the cutover, and record the RTO in the DR runbook.
Prevent recurrence with the Config rule rds-cluster-multi-az-enabled and IaC lint requiring at least two AZs per cluster.

Remediation script · bash

# Fix the highest-impact data stores first: enable Multi-AZ on production databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==null].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done

# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
  --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3

Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.

Is RDS.15 a false positive?

"Aurora is already multi-AZ" refers to the storage layer, not the instances. A cluster with a reader in the same AZ as the writer still fails RDS.15 — the control counts distinct instance AZs, not storage replicas.

Full lesson Deploy across multiple Availability Zones Step-by-step remediation with CLI, code and persona-specific context.

AWS documentation for RDS controls ↗ Check your own account for RDS.15 →

Part of the learning path Tighten your databases

RDS.1 An RDS snapshot is shared publicly
RDS.2 An RDS instance is publicly accessible from the internet
RDS.3 RDS DB instances should be encrypted at rest
RDS.4 RDS snapshots should be encrypted at rest
RDS.5 RDS DB instances should use multiple AZs
RDS.6 RDS lacks enhanced monitoring
RDS.7 RDS clusters should have deletion protection
RDS.8 RDS DB instances should have deletion protection
RDS.9 RDS engine logs are not shipped to CloudWatch
RDS.10 RDS relies on long-lived database passwords
RDS.11 RDS instances should have automatic backups
RDS.12 IAM auth should be configured for RDS clusters