
RDS Event Notifications

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-029

Ensure that your Amazon RDS resources have event notifications enabled in order to get notifications when an event occurs for a given database instance, database snapshot, database security group, or database parameter group. The Amazon RDS service groups these events into categories that you can subscribe to, so that you can be notified via Amazon SNS when an event in that category occurs. For example, if you subscribe to the Backup category for a given database instance, you will be notified whenever a backup-related event occurs for the specified instance.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars: Security, Reliability, Performance efficiency, Cost optimisation

Monitoring is an essential part of maintaining the availability, reliability, and performance of your Amazon RDS resources. Enabling event notifications will keep you up to date on everything that's going on with your Amazon RDS database resources.


Audit

To determine if your Amazon RDS resources (instances, snapshots, security groups, etc.) are using event notifications, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, choose Event subscriptions, and check for any subscriptions available in the Event subscriptions section. If there are no event subscriptions listed in this section and the following message is shown: "No event subscription found.", event notifications are not enabled for the Amazon RDS resources provisioned within the current AWS region.

04 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-event-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the event subscriptions created for the Amazon RDS resources available within the selected AWS region:

aws rds describe-event-subscriptions \
  --region us-east-1 \
  --query 'EventSubscriptionsList'

02 The command output should return the requested information:

[]

If the describe-event-subscriptions command output returns an empty array (i.e. []), as shown in the output example above, there are no event notifications created for the Amazon RDS resources (instances, snapshots, security and parameter groups) provisioned in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
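An empty array is the clear-cut failure case, but a non-empty describe-event-subscriptions result does not by itself mean every database is covered: a subscription can be disabled, scoped to another source type, limited to specific source IDs, or limited to categories that do not include the one you care about. The following is an added example (not part of the Conformity article) that applies that coverage check to a constructed sample of the describe-event-subscriptions output and a constructed list of RDS sources; the identifiers are made up, and the wildcard semantics it assumes are that a subscription with no SourceType matches every source type, an empty SourceIdsList matches every source of that type, and an empty EventCategoriesList matches every category.

```python
"""Evaluate Amazon RDS event-subscription coverage from describe-event-subscriptions output.

Added example for rule RDS-029; not code from Trend Micro Cloud One Conformity.
Feed it the per-region output of
  aws rds describe-event-subscriptions --query 'EventSubscriptionsList'
together with the DB instance / cluster identifiers from describe-db-instances
and describe-db-clusters, and it reports which sources lack an enabled
subscription for a given event category.
"""

# Constructed sample output: two subscriptions in one region (identifiers are made up).
SAMPLE_SUBSCRIPTIONS = [
    {
        "CustSubscriptionId": "cc-database-backups",
        "Enabled": True,
        "SourceType": "db-instance",
        "SourceIdsList": ["cc-project5-mysql-database"],   # scoped to one instance
        "EventCategoriesList": ["backup"],
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic",
    },
    {
        "CustSubscriptionId": "cc-cluster-events",
        "Enabled": False,            # disabled: must never count as coverage
        "SourceType": "db-cluster",
        "SourceIdsList": [],         # empty list: every cluster in the region
        "EventCategoriesList": ["failover"],
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-notifications",
    },
]

# Constructed sample inventory: (source type, identifier) pairs for the same region.
SAMPLE_SOURCES = [
    ("db-instance", "cc-project5-mysql-database"),
    ("db-instance", "cc-reporting-postgres"),
    ("db-cluster", "cc-rds-database-cluster"),
]


def subscription_covers(sub: dict, source_type: str, source_id: str, category: str) -> bool:
    """Return True if `sub` would deliver `category` events for the given source.

    Assumed RDS semantics: no SourceType -> all source types; empty SourceIdsList ->
    all sources of that type; empty EventCategoriesList -> all categories.
    A disabled subscription delivers nothing regardless of its scope.
    """
    if not sub.get("Enabled", False):
        return False
    sub_type = sub.get("SourceType")
    if sub_type and sub_type != source_type:
        return False
    ids = sub.get("SourceIdsList") or []
    if ids and source_id not in ids:
        return False
    categories = sub.get("EventCategoriesList") or []
    if categories and category not in categories:
        return False
    return True


def find_uncovered(subscriptions: list, sources: list, category: str) -> list:
    """Return the (source_type, source_id) pairs with no enabled subscription for `category`."""
    return [
        (source_type, source_id)
        for source_type, source_id in sources
        if not any(subscription_covers(s, source_type, source_id, category) for s in subscriptions)
    ]


if __name__ == "__main__":
    for source_type, source_id in find_uncovered(SAMPLE_SUBSCRIPTIONS, SAMPLE_SOURCES, "backup"):
        print(f"RDS-029: {source_type} {source_id} has no enabled event subscription for 'backup'")
```

Run against the constructed sample, the script flags cc-reporting-postgres (not in the only enabled subscription's SourceIdsList) and cc-rds-database-cluster (its only matching subscription is disabled), while cc-project5-mysql-database passes. Running the same check per region, with the region's real inventory, turns the audit step above from "is the list empty?" into "is each database actually covered?".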

Remediation / Resolution

To subscribe to Amazon RDS event notifications so you can be notified when an important event occurs for a given RDS resource, perform the following operations:

Note: As an example, this conformity rule demonstrates how to subscribe to the Amazon RDS Backup category for a given database instance in order to be notified whenever a backup-related event that affects the specified instance occurs.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Event Notifications for Amazon RDS Resources (DB Clusters)",
	"Parameters": {
		"MasterUsername": {
			"Type": "String"
		},
		"MasterPassword": {
			"Type": "String",
			"NoEcho": "true"
		}
	},
	"Resources": {
		"SNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"DisplayName": "cc-rds-notifications"
			}
		},
		"SNSSubscription": {
			"Type": "AWS::SNS::Subscription",
			"Properties": {
				"Protocol": "email",
				"TopicArn": {
					"Ref": "SNSTopic"
				},
				"Endpoint": "email@domain.com"
			}
		},
		"RDSDatabaseCluster": {
			"Type": "AWS::RDS::DBCluster",
			"Properties": {
				"Engine": "aurora",
				"DBSubnetGroupName": "default",
				"DBClusterIdentifier": "cc-rds-database-cluster",
				"DatabaseName": "cc-aurora-database",
				"MasterUsername": {
					"Ref": "MasterUsername"
				},
				"MasterUserPassword": {
					"Ref": "MasterPassword"
				}
			}
		},
		"ClusterInstance1": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"Engine": "aurora",
				"DBClusterIdentifier": {
					"Ref": "RDSDatabaseCluster"
				},
				"DBInstanceClass": "db.m5d.large"
			}
		},
		"ClusterInstance2": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"Engine": "aurora",
				"DBClusterIdentifier": {
					"Ref": "RDSDatabaseCluster"
				},
				"DBInstanceClass": "db.m5d.large"
			}
		},
		"RDSEventSubscription": {
			"Type": "AWS::RDS::EventSubscription",
			"Properties": {
				"Enabled": true,
				"EventCategories": [
					"creation",
					"failover",
					"global failover"
				],
				"SnsTopicArn": {
					"Ref": "SNSTopic"
				},
				"SourceIds": [
					{
						"Ref": "RDSDatabaseCluster"
					}
				],
				"SourceType": "db-cluster"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Event Notifications for Amazon RDS Resources (DB Clusters)
Parameters:
  MasterUsername:
    Type: String
  MasterPassword:
    Type: String
    NoEcho: 'true'
Resources:
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: cc-rds-notifications
  SNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: email
      TopicArn: !Ref 'SNSTopic'
      Endpoint: email@domain.com
  RDSDatabaseCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora
      DBSubnetGroupName: default
      DBClusterIdentifier: cc-rds-database-cluster
      DatabaseName: cc-aurora-database
      MasterUsername: !Ref 'MasterUsername'
      MasterUserPassword: !Ref 'MasterPassword'
  ClusterInstance1:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora
      DBClusterIdentifier: !Ref 'RDSDatabaseCluster'
      DBInstanceClass: db.m5d.large
  ClusterInstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora
      DBClusterIdentifier: !Ref 'RDSDatabaseCluster'
      DBInstanceClass: db.m5d.large
  RDSEventSubscription:
    Type: AWS::RDS::EventSubscription
    Properties:
      Enabled: true
      EventCategories:
        - creation
        - failover
        - global failover
      SnsTopicArn: !Ref 'SNSTopic'
      SourceIds:
        - !Ref 'RDSDatabaseCluster'
      SourceType: db-cluster

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_sns_topic" "sns-topic" {
	name = "cc-rds-notifications"
}

resource "aws_sns_topic_subscription" "sns-topic-subscription" {
	topic_arn = aws_sns_topic.sns-topic.arn
	protocol  = "email"
	endpoint  = "email@domain.com"
}

resource "aws_rds_cluster" "rds-cluster" {
	cluster_identifier = "cc-aurora-db-cluster"
	engine             = "aurora-mysql"
	engine_version     = "5.7.mysql_aurora.2.10.5"
	availability_zones = ["us-east-1a", "us-east-1b"]
	database_name      = "[db-name]"
	master_username    = "[db-user]"
	master_password    = "[db-password]"
}

resource "aws_rds_cluster_instance" "rds-cluster-nodes" {
	count              = 2
	identifier         = "cc-aurora-db-cluster-${count.index}"
	cluster_identifier = aws_rds_cluster.rds-cluster.id
	engine             = aws_rds_cluster.rds-cluster.engine
	engine_version     = aws_rds_cluster.rds-cluster.engine_version
	instance_class     = "db.m5d.large"
}

# Enable Event Notifications for Amazon RDS Resources (DB Clusters)
resource "aws_db_event_subscription" "rds-event-subscription" {
	name        = "cc-cluster-event-subscription"
	sns_topic   = aws_sns_topic.sns-topic.arn
	source_type = "db-cluster"
	source_ids  = [aws_rds_cluster.rds-cluster.id]
	event_categories = [
		"creation",
		"failover",
		"global failover"
	]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Event subscriptions.

04 Choose Create event subscription to initiate the subscription setup process.

05 On the Create event subscription setup page, perform the following actions:

  1. Provide a unique name for the event subscription in the Name box.
  2. In the Target section, perform one of the following actions:
    • Select New email topic for Send notifications to, to create and configure a new Amazon SNS topic. If you choose this option, you must provide a unique name for your new SNS topic in the Topic name box and specify the email address(es) to send the notifications to, in the With these recipients configuration box.
    • Select ARN for Send notifications to, to choose an existing Amazon SNS topic. Select the Amazon Resource Name (ARN) of the existing SNS topic from the ARN dropdown list.
  3. In the Source section, perform the following actions:
    • Select Instances from the Source Type dropdown list. This is the type of RDS resource from which this subscription will consume events.
    • For Instances to include, choose Select specific instances, and select the source RDS database instance(s) that you want to receive event notifications for.
    • For Event categories to include, choose Select specific event categories, and select backup from the Specific event categories list to be notified whenever a backup-related event that affects the selected instance occurs.
  4. Choose Create to create your new Amazon RDS event subscription.

06 Repeat steps no. 4 and 5 to create event subscriptions for other Amazon RDS resources provisioned within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic for sending notifications whenever a backup-related event occurs for the selected Amazon RDS database instance:

aws sns create-topic \
  --name cc-rds-backup-alarm-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created Amazon SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic \
  --protocol email \
  --notification-endpoint notifyme@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output):

aws sns confirm-subscription \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic \
  --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

05 Once the required Amazon SNS topic is created and configured, execute the create-event-subscription command (OSX/Linux/UNIX) to create an Amazon RDS event notification subscription. The following command request example creates an Amazon RDS event subscription named cc-database-backups that sends notifications whenever a backup is completed for the cc-project5-mysql-database database instance, using the SNS topic identified by the ARN arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic:

aws rds create-event-subscription \
  --region us-east-1 \
  --subscription-name cc-database-backups \
  --sns-topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic \
  --source-type db-instance \
  --event-categories "backup" \
  --source-ids cc-project5-mysql-database \
  --enabled

06 The command output should return the metadata available for the newly created Amazon RDS event subscription:

{
	"EventSubscription": {
		"Status": "creating",
		"SubscriptionCreationTime": "Tue Nov 07 13:58:40 UTC 2020",
		"SourceType": "db-instance",
		"EventCategoriesList": [
			"backup"
		],
		"EventSubscriptionArn": "arn:aws:rds:us-east-1:123456789012:es:cc-database-backups",
		"SourceIdsList": [
			"cc-project5-mysql-database"
		],
		"CustSubscriptionId": "cc-database-backups",
		"Enabled": true,
		"SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-backup-alarm-topic",
		"CustomerAwsId": "123456789012"
	}
}

07 Repeat steps no. 1 – 6 to create event subscriptions for other Amazon RDS resources provisioned within the current AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Nov 8, 2017
