Logo of Trend Micro

Instance Level Events Subscriptions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: RDS-027

Ensure that Amazon RDS event notification subscriptions are enabled for database instance level events. Amazon RDS groups these events into categories that you can subscribe to so that you can be notified when an event in that category occurs. You can subscribe to an event category for a database instance, database snapshot, database parameter group, etc. For example, if you subscribe to the "Backup" category for a given database instance, you will be notified whenever a backup-related event occurs that affects the RDS database instance.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability
Performance
efficiency
Operational
excellence

Amazon RDS event subscriptions for instance level events are designed to provide incident notification of event changes triggered at the database engine level such as failure, failover, low storage, maintenance, recovery or deletion.

Audit

To determine if there are any RDS event subscriptions enabled for instance level events, available in your AWS account, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Event subscriptions.

04 In the Event subscriptions list, search for any RDS event notification subscriptions with the Source type set to Instances. If there are no such subscriptions listed, there are no RDS event subscriptions created for instance level events, available in the selected AWS region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-event-subscriptions command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all RDS event subscriptions created for database instances in the selected AWS region: 

aws rds describe-event-subscriptions
	--region us-east-1
	--query "EventSubscriptionsList[?SourceType == 'db-instance'].CustSubscriptionId"

02 The command output should return the names of the requested RDS event subscriptions: 

[]

If the describe-event-subscriptions command output returns an empty array, i.e. [], as shown in the example above, there are no Amazon RDS event subscriptions created for instance level events, available in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To enable subscriptions to the Amazon RDS event notifications for instance level events, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your new SNS topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its ARN link.

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the event notifications, then click Create Subscription to create the required subscription.

09 Use your favorite email client application to open the message received from AWS Notifications service, then click on the appropriate link to confirm your new email subscription.

10 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

11 In the left navigation panel, under Amazon RDS, click Event subscriptions.

12 On the Event subscriptions page, click Create event subscription to start the event subscription setup wizard.

13 On the Create event subscription page, perform the following actions:

  1. Type a name for the event notification subscription in the Name box.
  2. For Send notifications to, choose ARN option, then select the Amazon Resource Name (ARN) of the AWS SNS topic created at the previous steps.
  3. Select Instances from the Source type dropdown list then select All instances from Instances to include and All event categories from Event categories to include.
  4. Click Create to create your new RDS event notification subscription. The AWS console should now indicate that the event subscription is being created.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending database event notifications: 

aws sns create-topic
	--name cc-rds-db-events

02 The command output should return the ARN for the newly created AWS SNS topic: 

{
   "TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-rds-db-events"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (the email address provided as endpoint): 

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-db-events
	--protocol email
	--notification-endpoint notifyme@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not return an output): 

aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-db-events
	--token c9bde15f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727cesb2474bb937929d3bdd7ce5d0cce19325d036bc498d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da71efb7d3301

05 Run create-event-subscription command (OSX/Linux/UNIX) to create the necessary event notification subscription for all RDS database instance level events: 

aws rds create-event-subscription
	--region us-east-1
	--subscription-name cc-db-instance-event-subscription
	--sns-topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-db-events
	--source-type db-instance
	--event-categories "availability" "backup" "configuration change" "creation" "deletion" "failover" "failure" "low storage" "maintenance" "notification" "read replica" "recovery" "restoration"
	--enabled

06 The command output should return the new RDS event subscription metadata: 

{
    "EventSubscription": {
        "Status": "creating",
        "SubscriptionCreationTime": "Wed Apr 19 11:14:00 UTC 2018",
        "SourceType": "db-instance",
        "EventCategoriesList": [
            "availability",
            "backup",
            "configuration change",
            "creation",
            "deletion",
            "failover",
            "failure",
            "low storage",
            "maintenance",
            "notification",
            "read replica",
            "recovery",
            "restoration"
        ],
        "EventSubscriptionArn": "arn:aws:rds:us-east-1:123456789012:es:cc-db-instance-event-subscription",
        "CustSubscriptionId": "cc-db-instance-event-subscription",
        "Enabled": true,
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-db-instance-event-subscription",
        "CustomerAwsId": "123456789012"
    }
}

References

Publication date Apr 19, 2018

Related RDS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Instance Level Events Subscriptions

Risk level: Low