Logo of Trend Micro

RDS Event Notifications

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: RDS-029

Ensure that your AWS RDS resources have event notifications enabled in order to be notified when an event occurs for a given database instance, database snapshot, database security group or database parameter group. The RDS service groups these events into categories that you can subscribe to so that you can be notified via AWS SNS when an event in that category occurs. For example, if you subscribe to the Backup category for a given RDS database instance, you will be notified whenever a backup-related event occurs for the specified database instance.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability
Performance
efficiency
Operational
excellence

Monitoring is an essential part of maintaining the availability, reliability and performance of your AWS RDS resources. Enabling RDS event notifications will keep you up-to-date on everything that's going on within your Amazon RDS environment.

Audit

To determine if your RDS database resources (instances, snapshots, security groups, etc) have event notifications enabled, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Event Subscriptions.

04 Check for any subscriptions currently available on the RDS Event Subscriptions page. If there are no event subscriptions listed on this page, and instead a "No event subscriptions found." message is displayed, the event notifications are not enabled for the Amazon RDS resources provisioned in the current region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-event-subscriptions command (OSX/Linux/UNIX) to describe existing event subscriptions created for the AWS RDS resources provisioned within the selected region: 

aws rds describe-event-subscriptions
	--region us-east-1

02 The command output should return metadata about each AWS RDS event subscription available: 

{
    "EventSubscriptionsList": []
}
If the EventSubscriptionsList attribute value returned by the command output is an empty array (i.e. []), as shown in the output example above, there are no event notifications created for the Amazon RDS resources (instances, snapshots, security and parameter groups), provisioned in the current AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To subscribe to Amazon RDS event notifications so you can be notified when an event occurs for a given RDS resource, perform the following actions:

Note: As example, this conformity rule demonstrates how to subscribe to the RDS Backup category for a given database instance in order to be notified whenever a backup-related event that affects the specified instance occurs.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Event Subscriptions.

04 Click Create Event Subscription button from the dashboard top menu to initiate the subscription setup process.

05 On the Create Event Subscription page, perform the following:

  1. Provide a unique name for the event notification subscription in the Name box.
  2. Select an existing AWS SNS topic from the Send notifications to dropdown list or click Create topic to build and configure a new SNS topic. If you choose to create a new topic you must provide a name for the new SNS topic in the Topic name box, select a recipient type (e.g. email) from the Recipient type dropdown list and enter the email addresses or phone numbers of SMS enabled devices to send the notifications to, in the With these recipients box.
  3. Select Instances as source type (i.e. RDS resource type) from the Source Type dropdown list.
  4. From the Event Categories section, choose Select specific, then select backup as event category.
  5. From the Instances section, choose Select specific, then select the RDS database instance that you want to receive event notifications for.
  6. Click Create to confirm the action and to create the new subscription.

06 Repeat step no. 4 and 5 to create event subscriptions for other AWS RDS resources, available in the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending notifications whenever a backup-related event for an RDS database instance occurs: 

aws sns create-topic
	--name RDSBackupAlarmSNSTopic

02 The command output should return the Amazon Resource Name (ARN) for the newly created Amazon SNS topic: 

{
 "TopicArn": "arn:aws:sns:us-east-1:12345678901:RDSBackupAlarmSNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided): 

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:RDSBackupAlarmSNSTopic
	--protocol email
	--notification-endpoint no-reply@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output): 

aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:RDSBackupAlarmSNSTopic
	--token c551e84f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da61e6d386

05 Now that the necessary AWS SNS topic is created and configured, execute create-event-subscription command (OSX/Linux/UNIX) to create an Amazon RDS event notification subscription. The following example creates an AWS RDS event subscription named "cc-db-backups", that sends notifications whenever a backup is completed for the "cc-production-db" database instance, using an AWS SNS topic identified by the ARN "arn:aws:sns:us-east-1:12345678901:RDSBackupAlarmSNSTopic": 

aws rds create-event-subscription
	--region us-east-1
	--subscription-name cc-db-backups
	--sns-topic-arn arn:aws:sns:us-east-1:12345678901:RDSBackupAlarmSNSTopic
	--source-type db-instance
	--event-categories "backup"
	--source-ids cc-production-db
	--enabled

06 The command output should return the metadata for the newly created RDS event subscription: 

{
    "EventSubscription": {
        "Status": "creating",
        "SubscriptionCreationTime": "Tue Nov 07 13:58:40 UTC 2017",
        "SourceType": "db-instance",
        "EventCategoriesList": [
            "backup"
        ],
        "EventSubscriptionArn": "arn:aws:rds:us-east-1:12345678901:es:cc-db-backups",
        "SourceIdsList": [
            "cc-production-db"
        ],
        "CustSubscriptionId": "cc-db-backups",
        "Enabled": true,
        "SnsTopicArn": "arn:aws:sns:us-east-1:12345678901:RDSBackupAlarmSNSTopic",
        "CustomerAwsId": "12345678901"
    }
}

07 Repeat steps no. 1 – 6 to create event subscriptions for other Amazon RDS resources, available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

References

Publication date Nov 8, 2017

Related RDS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

RDS Event Notifications

Risk level: Low