Note This list isn't exhaustive, please add to it!

We don't have any (meaningful) RDS constructs yet. Some of the RDS defaults aren't very helpful, for example StorageEncrypted:

A value that indicates whether the DB instance is encrypted. By default, it isn't encrypted.
Update requires: Replacement

That is, making an RDS database encrypted after the fact, and retaining data, is not trivial.

We should provide an opinionated RDS construct that includes:

• Encryption
• Frequent backups
• IAM Auth (where supported)
• Placement in the private subnets, and not publicly available
• Multi AZ
• Monitoring
• RDS Proxy for spiky workloads (e.g. as used by Pinboard)
• Secrets manager for root password (already a default of AWS CDK)
• A serverless/non-serverless variant?
• Bastian host? via https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.BastionHostLinux.html?
• Use the rds-ca-rsa2048-g1 certificate authority over the default rds-ca-2019. rds-ca-rsa2048-g1 offers automatic rotation, whereas rds-ca-2019 is manual.¹