
Security Groups Events Subscriptions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: RDS-028

Ensure that Amazon RDS event notification subscriptions are enabled for database security groups events. Amazon RDS groups these events into categories that you can subscribe to. For example, if you subscribe to the "Configuration Change" category for database security groups, you will be notified when the RDS security groups configuration is changed.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability, Performance efficiency, Operational excellence

Amazon RDS event subscriptions for database security groups are designed to provide incident notification of events that may affect the security, availability, and reliability of the RDS database instances associated with these security groups.


Audit

To determine if there are Amazon RDS event subscriptions created for database security groups within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, choose Event subscriptions, and check for any subscriptions with the Source type set to Security groups in the Event subscriptions section. If there are no such subscriptions listed in the Event subscriptions section, there are no Amazon RDS event subscriptions created for database security groups, available in the selected AWS region.

04 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-event-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the identifiers of all the Amazon RDS event subscriptions created for database security groups available in the selected AWS region:

aws rds describe-event-subscriptions \
  --region us-east-1 \
  --query "EventSubscriptionsList[?SourceType == 'db-security-group'].CustSubscriptionId"

02 The command output should return the identifier(s) of the requested RDS event subscription(s):

[]

If the describe-event-subscriptions command output returns an empty array, i.e. [], as shown in the output example above, there are no Amazon RDS event subscriptions created for database security groups available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
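The CLI steps above check one region at a time and only test whether a matching subscription exists. The following Python script is an added example, not part of the Conformity article or the Conformity tool: it applies the same filter (SourceType equal to db-security-group) to the JSON that describe-event-subscriptions returns and, when run directly, repeats the check in every region through boto3. It is slightly stricter than the article's existence test: a matching subscription that is disabled, or an enabled one that omits the "failure" or "configuration change" categories used in the Remediation section, is reported as a finding. The sample subscription list is constructed, the function names are this example's own, and the assumption that an empty EventCategoriesList means all categories is marked in the code.

```python
# Added example (not from the Conformity article): evaluate describe-event-subscriptions
# output for the RDS-028 check and, when run directly, repeat it for every region.
from __future__ import annotations

import json
from typing import Any

SOURCE_TYPE = "db-security-group"  # the SourceType the article's --query filters on
# Categories the article's remediation subscribes to; checking them is stricter than the article.
WANTED_CATEGORIES = {"failure", "configuration change"}


def evaluate_subscriptions(subscriptions: list[dict[str, Any]]) -> dict[str, Any]:
    """Evaluate the EventSubscriptionsList of one region.

    compliant: at least one *enabled* subscription with SourceType db-security-group exists
    findings:  human-readable reasons for non-compliance or weaker-than-expected coverage
    """
    matching = [s for s in subscriptions if s.get("SourceType") == SOURCE_TYPE]
    report: dict[str, Any] = {
        "compliant": False,
        "subscription_ids": [s.get("CustSubscriptionId") for s in matching],
        "findings": [],
    }
    if not matching:
        report["findings"].append("no RDS event subscription with SourceType db-security-group")
        return report
    for sub in matching:
        sid = sub.get("CustSubscriptionId", "<unnamed>")
        if not sub.get("Enabled", False):
            report["findings"].append(f"{sid}: subscription exists but is disabled")
            continue
        report["compliant"] = True
        # Assumption: an absent or empty EventCategoriesList means every category is delivered,
        # so only an explicit list can be missing something.
        categories = set(sub.get("EventCategoriesList") or [])
        missing = WANTED_CATEGORIES - categories if categories else set()
        if missing:
            report["findings"].append(f"{sid}: enabled but missing categories {sorted(missing)}")
    return report


def evaluate_cli_output(text: str) -> dict[str, Any]:
    """Wrapper for piping the raw `aws rds describe-event-subscriptions --output json` text in."""
    return evaluate_subscriptions(json.loads(text).get("EventSubscriptionsList", []))


# Constructed sample, modelled on the shapes shown in the article; not from a real account.
SAMPLE_SUBSCRIPTIONS: list[dict[str, Any]] = [
    {
        "CustSubscriptionId": "cc-security-group-event-subscription",
        "SourceType": "db-security-group",
        "Enabled": True,
        "EventCategoriesList": ["failure", "configuration change"],
        "Status": "active",
    },
    {
        "CustSubscriptionId": "old-sg-subscription",
        "SourceType": "db-security-group",
        "Enabled": False,
        "EventCategoriesList": ["failure"],
        "Status": "active",
    },
    {
        "CustSubscriptionId": "partial-sg-subscription",
        "SourceType": "db-security-group",
        "Enabled": True,
        "EventCategoriesList": ["failure"],
        "Status": "active",
    },
    {
        "CustSubscriptionId": "instance-events",
        "SourceType": "db-instance",
        "Enabled": True,
        "EventCategoriesList": [],
        "Status": "active",
    },
]


def audit_all_regions() -> dict[str, dict[str, Any]]:
    """Repeat the check in every region (step 03 of the Audit). Needs boto3 and AWS credentials."""
    import boto3  # imported here so the evaluation functions above work without boto3 installed
    from botocore.exceptions import ClientError

    session = boto3.session.Session()
    results: dict[str, dict[str, Any]] = {}
    for region in session.get_available_regions("rds"):
        rds = session.client("rds", region_name=region)
        try:
            pages = rds.get_paginator("describe_event_subscriptions").paginate()
            subs = [s for page in pages for s in page["EventSubscriptionsList"]]
        except ClientError as exc:  # e.g. an opt-in region that is not enabled for the account
            results[region] = {"compliant": False, "subscription_ids": [],
                               "findings": [f"could not query region: {exc}"]}
            continue
        results[region] = evaluate_subscriptions(subs)
    return results


if __name__ == "__main__":
    for region, report in sorted(audit_all_regions().items()):
        state = "COMPLIANT" if report["compliant"] else "NON-COMPLIANT"
        print(f"{region}: {state} {'; '.join(report['findings'])}")
```

Run it with the same credentials the CLI uses; a region that reports NON-COMPLIANT is one where the Remediation section below applies. The evaluation is kept separate from the boto3 calls so it can also be pointed at saved CLI output.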

Remediation / Resolution

To subscribe to Amazon RDS event notifications for database security groups, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Event Subscriptions for Database Security Group Events",
	"Resources": {
		"SNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"DisplayName": "cc-rds-notifications"
			}
		},
		"SNSSubscription": {
			"Type": "AWS::SNS::Subscription",
			"Properties": {
				"Protocol": "email",
				"TopicArn": {
					"Ref": "SNSTopic"
				},
				"Endpoint": "email@domain.com"
			}
		},
		"DBSecurityGroupName": {
			"Type": "AWS::RDS::DBSecurityGroup",
			"Properties": {
				"GroupDescription": "Amazon RDS DB Security Group",
				"DBSecurityGroupIngress": [
					{
						"EC2SecurityGroupId": "sg-0abcd1234abcd1234",
						"EC2SecurityGroupOwnerId": "123456789012"
					}
				]
			}
		},
		"RDSEventSubscription": {
			"Type": "AWS::RDS::EventSubscription",
			"Properties": {
				"Enabled": true,
				"EventCategories": [
					"failure",
					"configuration change"
				],
				"SnsTopicArn": {
					"Ref": "SNSTopic"
				},
				"SourceIds": [
					{
						"Ref": "DBSecurityGroupName"
					}
				],
				"SourceType": "db-security-group"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Event Subscriptions for Database Security Group Events
Resources:
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: cc-rds-notifications
  SNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: email
      TopicArn: !Ref 'SNSTopic'
      Endpoint: email@domain.com
  DBSecurityGroupName:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: Amazon RDS DB Security Group
      DBSecurityGroupIngress:
        - EC2SecurityGroupId: sg-0abcd1234abcd1234
          EC2SecurityGroupOwnerId: '123456789012'
  RDSEventSubscription:
    Type: AWS::RDS::EventSubscription
    Properties:
      Enabled: true
      EventCategories:
        - failure
        - configuration change
      SnsTopicArn: !Ref 'SNSTopic'
      SourceIds:
        - !Ref 'DBSecurityGroupName'
      SourceType: db-security-group

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_sns_topic" "sns-topic" {
	name = "cc-rds-notifications"
}

resource "aws_sns_topic_subscription" "sns-topic-subscription" {
	topic_arn = aws_sns_topic.sns-topic.arn
	protocol  = "email"
	endpoint  = "email@domain.com"
}


resource "aws_db_security_group" "db-security-group" {
	name = "cc-db-security-group"
	ingress {
		cidr = "10.0.0.0/24"
	}
}

# Enable Event Subscriptions for Database Security Group Events
resource "aws_db_event_subscription" "rds-event-subscription" {
	name        = "cc-sg-event-subscription"
	sns_topic   = aws_sns_topic.sns-topic.arn
	source_ids  = [aws_db_security_group.db-security-group.id]
	source_type = "db-security-group"
	event_categories = [
		"failure",
		"configuration change"
	]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Event subscriptions.

04 Choose Create event subscription to initiate the subscription setup process.

05 On the Create event subscription setup page, perform the following actions:

  1. Provide a unique name for the event subscription in the Name box.
  2. In the Target section, perform one of the following actions:
    • Select New email topic for Send notifications to, to create and configure a new Amazon SNS topic. If you choose this option, you must provide a unique name for your new SNS topic in the Topic name box and specify the email address(es) to send the notifications to, in the With these recipients configuration box.
    • Select ARN for Send notifications to, to choose an existing Amazon SNS topic. Select the Amazon Resource Name (ARN) of the existing SNS topic from the ARN dropdown list.
  3. In the Source section, perform the following actions:
    • Select Security groups from the Source Type dropdown list. This is the type of the RDS resource which this subscription will consume events from.
    • For Security groups to include, choose All security groups to include all your database security groups in the event subscription.
    • For Event categories to include, choose All event categories to include all supported events.
  4. Choose Create to create your new Amazon RDS event subscription.

06 Repeat steps no. 4 and 5 to create event subscriptions for other database security groups available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic for sending notifications whenever a database security group event occurs for the selected Amazon RDS database instance:

aws sns create-topic \
  --name cc-security-group-alarm-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created Amazon SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-security-group-alarm-topic" 
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:12345678901:cc-security-group-alarm-topic \
  --protocol email \
  --notification-endpoint alerts@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output):

aws sns confirm-subscription \
  --topic-arn arn:aws:sns:us-east-1:12345678901:cc-security-group-alarm-topic \
  --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

05 Once the required Amazon SNS topic is created and configured, execute create-event-subscription command (OSX/Linux/UNIX) to create an Amazon RDS event notification subscription for all the supported database security group events:

aws rds create-event-subscription \
  --region us-east-1 \
  --subscription-name cc-security-group-event-subscription \
  --sns-topic-arn arn:aws:sns:us-east-1:12345678901:cc-security-group-alarm-topic \
  --source-type db-security-group \
  --event-categories "failure" "configuration change" \
  --enabled

06 The command output should return the metadata available for the newly created event subscription:

{
	"EventSubscription": {
		"Status": "creating",
		"SubscriptionCreationTime": "Wed Apr 18 19:15:00 UTC 2018",
		"SourceType": "db-security-group",
		"EventCategoriesList": [
			"failure",
			"configuration change"
		],
		"EventSubscriptionArn": "arn:aws:rds:us-east-1:123456789012:es:cc-security-group-event-subscription",
		"CustSubscriptionId": "cc-security-group-event-subscription",
		"Enabled": true,
		"SnsTopicArn": "arn:aws:sns:us-east-1:12345678901:cc-security-group-alarm-topic",
		"CustomerAwsId": "123456789012"
	}
}

07 Repeat steps no. 1 – 6 to create event subscriptions for other database security groups available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Apr 19, 2018