Enable Event Subscriptions for DB Security Groups Events

Risk level: Low (generally tolerable level of risk)

Ensure that Amazon RDS event notification subscriptions are enabled for database security group events. AWS RDS groups these events into categories that you can subscribe to. For example, if you subscribe to the "Configuration Change" category for database security groups, you will be notified whenever the configuration of an RDS security group is changed.

Amazon RDS event subscriptions for database security groups are designed to provide incident notification of events that may affect the security, availability and reliability of the RDS instances associated with these security groups.

Audit

To determine whether any RDS event subscriptions for database security groups exist within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Event subscriptions.

04 In the Event subscriptions list, search for any RDS event notification subscriptions with the Source type configuration attribute set to Security groups. If there are no subscriptions with the Source type set to Security groups listed on the page, there are no RDS event subscriptions created for database security groups available within the selected AWS region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-event-subscriptions command (OSX/Linux/UNIX) using custom query filters to list the identifiers of all RDS event subscriptions created for database security groups in the selected AWS region:

aws rds describe-event-subscriptions \
    --region us-east-1 \
    --query "EventSubscriptionsList[?SourceType == 'db-security-group'].CustSubscriptionId"

02 The command output should return the identifiers of the requested RDS event subscriptions:

[]

If the describe-event-subscriptions command output returns an empty array, i.e. [], as shown in the example above, there are no Amazon RDS event subscriptions created for database security groups available within the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat steps 1 and 2 to perform the audit process for other regions.
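The CLI query in step 01 only matches on SourceType, so a subscription that exists but is disabled, limited to a few named security groups, or missing a category would still count as present. The following Python example is added here and is not Cloud Conformity's code: it evaluates one region's describe-event-subscriptions output (a constructed sample, modelled on the output in the Remediation section) and flags those conditions as well, treating the "failure" and "configuration change" categories used on this page as the required set.

```python
import json

# Categories this page's remediation subscribes to; treated here as the required set.
REQUIRED_CATEGORIES = frozenset({"failure", "configuration change"})


def check_subscription(sub, required=REQUIRED_CATEGORIES):
    """Return the reasons one subscription fails the check (empty list = passes)."""
    if sub.get("SourceType") != "db-security-group":
        return ["source type is %s" % sub.get("SourceType")]
    reasons = []
    if not sub.get("Enabled", False):
        reasons.append("subscription is disabled")
    # "creating" is the transient state shown in step 06 of the Remediation section.
    if sub.get("Status") not in ("active", "creating"):
        reasons.append("status is %s" % sub.get("Status"))
    # A non-empty SourceIdsList means the subscription is scoped to named groups only.
    if sub.get("SourceIdsList"):
        reasons.append("scoped to specific security groups only")
    # An empty or absent EventCategoriesList means all categories are delivered.
    categories = set(sub.get("EventCategoriesList") or [])
    missing = (required - categories) if categories else set()
    if missing:
        reasons.append("missing categories: " + ", ".join(sorted(missing)))
    return reasons


def evaluate_region(describe_output):
    """A region is compliant when at least one db-security-group subscription passes."""
    findings = {s.get("CustSubscriptionId", "?"): check_subscription(s)
                for s in describe_output.get("EventSubscriptionsList", [])
                if s.get("SourceType") == "db-security-group"}
    if not findings:
        return {"compliant": False, "findings": {"-": ["no db-security-group subscription"]}}
    return {"compliant": any(not r for r in findings.values()), "findings": findings}


# Constructed sample describe-event-subscriptions output for three regions.
SAMPLE = {
    "us-east-1": {"EventSubscriptionsList": [{
        "CustSubscriptionId": "cc-db-sg-event-subscription", "SourceType": "db-security-group",
        "Status": "active", "Enabled": True,
        "EventCategoriesList": ["failure", "configuration change"]}]},
    "us-west-2": {"EventSubscriptionsList": [{
        "CustSubscriptionId": "sg-events-disabled", "SourceType": "db-security-group",
        "Status": "active", "Enabled": False, "EventCategoriesList": ["failure"]}]},
    "eu-west-1": {"EventSubscriptionsList": []},
}

if __name__ == "__main__":
    for region, output in SAMPLE.items():
        print(region, json.dumps(evaluate_region(output)))
```

To run it against a live account, feed each region's real output (`aws rds describe-event-subscriptions --region <region>`, parsed with json.loads) to evaluate_region in place of the sample.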

Remediation / Resolution

To subscribe to Amazon RDS event notifications for database security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your new SNS topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name (ARN) link.

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the RDS event notifications, then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new email subscription.

10 Now navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

11 In the left navigation panel, under Amazon RDS, click Event subscriptions.

12 On the Event subscriptions page, click Create event subscription to initiate the event subscription setup.

13 On the Create event subscription page, perform the following actions:

  1. Type a name for the event notification subscription in the Name box.
  2. For Send notifications to, choose ARN option, then select the Amazon Resource Name (ARN) of the AWS SNS topic created earlier in the Remediation section.
  3. Select Security groups from the Source type dropdown list, then make sure that the All security groups and All event categories configuration settings are enabled.
  4. Click Create to create your new RDS event notification subscription. The AWS console should now indicate that the event subscription is being created.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending AWS RDS database event notifications:

aws sns create-topic \
    --name cc-notify-me

02 The command output should return the ARN for the newly created AWS SNS topic:

{
   "TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-notify-me"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (the email address provided as endpoint):

aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:123456789012:cc-notify-me \
    --protocol email \
    --notification-endpoint notifyme@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output):

aws sns confirm-subscription \
    --topic-arn arn:aws:sns:us-east-1:123456789012:cc-notify-me \
    --token bet9e15f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727cesb2474bb937929d3bdd7ce5d0cce19325d036bc498d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da71efb7d8832

05 Run create-event-subscription command (OSX/Linux/UNIX) to create the necessary event notification subscription for RDS database security group events:

aws rds create-event-subscription \
    --region us-east-1 \
    --subscription-name cc-db-sg-event-subscription \
    --sns-topic-arn arn:aws:sns:us-east-1:123456789012:cc-notify-me \
    --source-type db-security-group \
    --event-categories "failure" "configuration change" \
    --enabled

06 The command output should return the new event subscription metadata:

{
    "EventSubscription": {
        "Status": "creating",
        "SubscriptionCreationTime": "Wed Apr 18 19:15:00 UTC 2018",
        "SourceType": "db-security-group",
        "EventCategoriesList": [
            "failure",
            "configuration change"
        ],
        "EventSubscriptionArn": "arn:aws:rds:us-east-1:123456789012:es:cc-db-sg-event-subscription",
        "CustSubscriptionId": "cc-db-sg-event-subscription",
        "Enabled": true,
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-notify-me",
        "CustomerAwsId": "123456789012"
    }
}

Publication date Apr 19, 2018