
Instance Level Events Subscriptions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-027

Ensure that Amazon RDS event notification subscriptions are enabled for database instance level events. Amazon RDS groups these events into categories that you can subscribe to so that you can be notified when an event in that category occurs. You can subscribe to an event category for a database instance, database snapshot, database parameter group, etc. For example, if you subscribe to the "Backup" category for a given database instance, you will be notified whenever a backup-related event occurs that affects the RDS database instance.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability, Performance efficiency, Operational excellence

Amazon RDS event subscriptions for instance level events deliver notifications for conditions raised at the database engine level, such as failure, failover, low storage, maintenance, recovery, or deletion, so that operators learn about them as they occur rather than after the fact.


Audit

To determine if there are Amazon RDS event subscriptions enabled for instance level events within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, choose Event subscriptions, and check for any subscriptions with the Source type set to Instances in the Event subscriptions section. If there are no such subscriptions listed in the Event subscriptions section, there are no Amazon RDS event subscriptions created for instance level events, available in the selected AWS region.

04 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-event-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon RDS event subscriptions created for your database instances in the selected AWS cloud region:

aws rds describe-event-subscriptions
  --region us-east-1
  --query "EventSubscriptionsList[?SourceType == 'db-instance'].CustSubscriptionId"

02 The command output should return the name(s) of the requested RDS event subscription(s):

[]

If the describe-event-subscriptions command output returns an empty array, i.e. [], as shown in the output example above, there are no Amazon RDS event subscriptions with the source type db-instance in the selected AWS region. Two further checks are worth making before concluding that instance events are (or are not) covered: a subscription that omits SourceType altogether receives events from all source types, including database instances, and is not matched by this query; and a subscription that is listed still delivers nothing if its Enabled flag is false or its SourceIdsList excludes the instance you care about.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
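As an added example (not part of this article, and not Conformity's own checker), the following Python script applies the same audit as the commands above to describe-event-subscriptions output, but also handles the cases the --query filter does not: subscriptions with no SourceType (which receive events from all source types), disabled subscriptions, and subscriptions scoped to a subset of instances. The sample data embedded in it is constructed; fetch_region() shows how to feed it live data with boto3, which is assumed to be installed and configured with credentials for that path only.

```python
"""Evaluate instance-level RDS event subscription coverage from the data
returned by `aws rds describe-event-subscriptions` / `describe-db-instances`.

Added example for this article; it is not Conformity's checker and not AWS
code.  The evaluation is pure Python over the constructed sample below, so it
runs offline; fetch_region() is the only part that needs boto3 and credentials.
"""

# Event categories RDS defines for SourceType db-instance, as listed in the
# remediation section of this article.  A subscription whose
# EventCategoriesList is empty receives all of them.
DB_INSTANCE_CATEGORIES = frozenset({
    "availability", "backup", "configuration change", "creation", "deletion",
    "failover", "failure", "low storage", "maintenance", "notification",
    "read replica", "recovery", "restoration",
})


def instance_coverage(subscriptions, instance_ids):
    """Map each DB instance identifier to the set of event categories that at
    least one *enabled* subscription delivers for it.

    Scoping rules applied (they mirror how RDS scopes a subscription):
      * Enabled is false                          -> contributes nothing
      * SourceType absent                         -> all source types, so every instance
      * SourceType db-instance, no SourceIdsList  -> every instance in the region
      * SourceType db-instance, SourceIdsList     -> only the listed instances
      * EventCategoriesList empty                 -> every category
    The article's --query filter (SourceType == 'db-instance') does not match
    the "SourceType absent" case, which is why it is handled explicitly here.
    """
    coverage = {inst: set() for inst in instance_ids}
    for sub in subscriptions:
        if not sub.get("Enabled", False):
            continue
        if sub.get("SourceType") not in (None, "db-instance"):
            continue
        categories = set(sub.get("EventCategoriesList") or DB_INSTANCE_CATEGORIES)
        targets = sub.get("SourceIdsList") or list(instance_ids)
        for inst in targets:
            if inst in coverage:          # ignore ids of instances that no longer exist
                coverage[inst] |= categories
    return coverage


def uncovered_instances(subscriptions, instance_ids,
                        required=("failure", "failover", "low storage")):
    """Identifiers of instances that lack any of the `required` categories."""
    need = set(required)
    return sorted(inst for inst, cats in
                  instance_coverage(subscriptions, instance_ids).items()
                  if not need <= cats)


def fetch_region(region):
    """Live inputs for one region (needs boto3 and AWS credentials; not run here)."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    subs = [s for page in rds.get_paginator("describe_event_subscriptions").paginate()
            for s in page["EventSubscriptionsList"]]
    ids = [d["DBInstanceIdentifier"]
           for page in rds.get_paginator("describe_db_instances").paginate()
           for d in page["DBInstances"]]
    return subs, ids


# Constructed sample in the shape of describe-event-subscriptions output; the
# subscription and instance names are invented for this example.
SAMPLE_SUBSCRIPTIONS = [
    {"CustSubscriptionId": "all-sources-disabled", "Enabled": False,
     "EventCategoriesList": []},                                 # no SourceType, but disabled
    {"CustSubscriptionId": "prod-all-events", "Enabled": True,
     "SourceType": "db-instance", "SourceIdsList": ["prod-db"],
     "EventCategoriesList": []},                                 # every category, one instance
    {"CustSubscriptionId": "dev-backups-only", "Enabled": True,
     "SourceType": "db-instance", "SourceIdsList": ["dev-db"],
     "EventCategoriesList": ["backup"]},                         # too narrow for dev-db
    {"CustSubscriptionId": "snapshots", "Enabled": True,
     "SourceType": "db-snapshot", "EventCategoriesList": []},   # other source type, ignored
]
SAMPLE_INSTANCES = ["prod-db", "dev-db"]

if __name__ == "__main__":
    # Replace the sample with fetch_region("us-east-1") to audit a live account.
    for inst in uncovered_instances(SAMPLE_SUBSCRIPTIONS, SAMPLE_INSTANCES):
        print(f"{inst}: no enabled instance-level subscription covers the required categories")
```

Run it per region (the audit, like the CLI commands, is regional) and treat every identifier it prints as a finding for this rule; the `required` tuple is the place to encode which categories your operations team considers mandatory.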

Remediation / Resolution

To enable event subscriptions for database instance level events, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Event Subscriptions for Instance Level Events",
	"Parameters": {
		"DBInstanceName": {
			"Default": "mysql-database-instance",
			"Description": "RDS database instance name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"DBInstanceClass": {
			"Default": "db.t3.medium",
			"Description": "DB instance class/type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid DB instance type."
		},
		"DBAllocatedStorage": {
			"Default": "20",
			"Description": "The size of the database (GiB)",
			"Type": "Number",
			"MinValue": "20",
			"MaxValue": "65536",
			"ConstraintDescription": "Must be between 20 and 65536 GiB."
		},
		"DBName": {
			"Default": "mysqldb",
			"Description": "Database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Master username for database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"SNSTopic": {
			"Type": "AWS::SNS::Topic",
			"Properties": {
				"DisplayName": "cc-rds-notifications"
			}
		},
		"SNSSubscription": {
			"Type": "AWS::SNS::Subscription",
			"Properties": {
				"Protocol": "email",
				"TopicArn": {
					"Ref": "SNSTopic"
				},
				"Endpoint": "email@domain.com"
			}
		},
		"RDSInstance": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"DBInstanceIdentifier": {
					"Ref": "DBInstanceName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"DBInstanceClass": {
					"Ref": "DBInstanceClass"
				},
				"AllocatedStorage": {
					"Ref": "DBAllocatedStorage"
				},
				"Engine": "MySQL",
				"EngineVersion": "5.7.36"
			}
		},
		"RDSEventSubscription": {
			"Type": "AWS::RDS::EventSubscription",
			"Properties": {
				"Enabled": true,
				"EventCategories": [
					"creation",
					"configuration change",
					"low storage",
					"failure",
					"failover",
					"deletion",
					"recovery",
					"restoration"
				],
				"SnsTopicArn": [
					{
						"Ref": "SNSTopic"
					}
				],
				"SourceIds": [
					"rds-db-instance",
					{
						"Ref": "RDSInstance"
					}
				],
				"SourceType": "db-instance"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Event Subscriptions for Instance Level Events
Parameters:
  DBInstanceName:
    Default: mysql-database-instance
    Description: RDS database instance name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.
  DBInstanceClass:
    Default: db.t3.medium
    Description: DB instance class/type
    Type: String
    ConstraintDescription: Must provide a valid DB instance type.
  DBAllocatedStorage:
    Default: '20'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'
    ConstraintDescription: Must be between 20 and 65536 GiB.
  DBName:
    Default: mysqldb
    Description: Database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBUsername:
    Description: Master username for database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: cc-rds-notifications
  SNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      Protocol: email
      TopicArn: !Ref 'SNSTopic'
      Endpoint: email@domain.com
  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref 'DBInstanceName'
      DBName: !Ref 'DBName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      DBInstanceClass: !Ref 'DBInstanceClass'
      AllocatedStorage: !Ref 'DBAllocatedStorage'
      Engine: MySQL
      EngineVersion: 5.7.36
  RDSEventSubscription:
    Type: AWS::RDS::EventSubscription
    Properties:
      Enabled: true
      EventCategories:
        - creation
        - configuration change
        - low storage
        - failure
        - failover
        - deletion
        - recovery
        - restoration
      # SnsTopicArn is a single string, not a list
      SnsTopicArn: !Ref 'SNSTopic'
      # Ref on an AWS::RDS::DBInstance returns its identifier, which is what SourceIds expects
      SourceIds:
        - !Ref 'RDSInstance'
      SourceType: db-instance

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_sns_topic" "sns-topic" {
  name = "cc-rds-notifications"
}

resource "aws_sns_topic_subscription" "sns-topic-subscription" {
  topic_arn = aws_sns_topic.sns-topic.arn
  protocol  = "email"
  endpoint  = "email@domain.com"
}

resource "aws_db_instance" "rds-database-instance" {
  allocated_storage    = 50
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.medium"
  db_name              = "[database-name]" # "name" is deprecated in AWS provider 4.x
  username             = "[master-username]"
  password             = "[master-password]"
  parameter_group_name = "default.mysql5.7"
}

# Enable Event Subscriptions for Instance Level Events
resource "aws_db_event_subscription" "rds-event-subscription" {
  name        = "cc-rds-db-event-subscription"
  sns_topic   = aws_sns_topic.sns-topic.arn
  source_type = "db-instance"
  # Scoped to this one instance; omit source_ids to cover every instance in the region
  source_ids  = [aws_db_instance.rds-database-instance.identifier]
  event_categories = [
    "creation",
    "configuration change",
    "failover",
    "failure",
    "low storage",
    "deletion",
    "recovery",
    "restoration"
  ]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Event subscriptions.

04 Choose Create event subscription to initiate the subscription setup process.

05 On the Create event subscription setup page, perform the following actions:

  1. Provide a unique name for the event subscription in the Name box.
  2. In the Target section, do one of the following:
    • Select New email topic for Send notifications to, to create and configure a new Amazon SNS topic. If you choose this option, you must provide a unique name for your new SNS topic in the Topic name box and specify the email address(es) to send the notifications to, in the With these recipients configuration box.
    • Select ARN for Send notifications to, to choose an existing Amazon SNS topic. Select the Amazon Resource Name (ARN) of the existing SNS topic from the ARN dropdown list.
  3. In the Source section, perform the following actions:
    • Select Instances from the Source Type dropdown list. This is the type of RDS resource from which the subscription will receive events.
    • For Instances to include, choose All instances to include all your database instances in the event subscription.
    • For Event categories to include, choose All event categories to include all supported events.
  4. Choose Create to create your new Amazon RDS event subscription.

06 If you scoped the subscription to specific instances rather than choosing All instances, repeat steps no. 4 and 5 to cover the other Amazon RDS instances provisioned within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic for sending notifications whenever an instance level event occurs for the selected Amazon RDS database instance:

aws sns create-topic
  --name cc-rds-instance-alarm-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created Amazon SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-rds-instance-alarm-topic" 
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

aws sns subscribe
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic
  --protocol email
  --notification-endpoint alerts@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription with the token delivered to the notification endpoint (the token is contained in the confirmation email; following the confirmation link in that email has the same effect). On success the command prints the ARN of the confirmed subscription:

aws sns confirm-subscription
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic
  --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

05 Once the required Amazon SNS topic is created and configured, execute create-event-subscription command (OSX/Linux/UNIX) to create an Amazon RDS event notification subscription for all the supported database instance level events:

aws rds create-event-subscription
  --region us-east-1
  --subscription-name cc-db-instance-event-subscription
  --sns-topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic
  --source-type db-instance
  --event-categories "availability" "backup" "configuration change" "creation" "deletion" "failover" "failure" "low storage" "maintenance" "notification" "read replica" "recovery" "restoration"
  --enabled

06 The command output should return the metadata available for the newly created event subscription:

{
	"EventSubscription": {
		"Status": "creating",
		"SubscriptionCreationTime": "Wed Apr 19 11:14:00 UTC 2018",
		"SourceType": "db-instance",
		"EventCategoriesList": [
			"availability",
			"backup",
			"configuration change",
			"creation",
			"deletion",
			"failover",
			"failure",
			"low storage",
			"maintenance",
			"notification",
			"read replica",
			"recovery",
			"restoration"
		],
		"EventSubscriptionArn": "arn:aws:rds:us-east-1:123456789012:es:cc-db-instance-event-subscription",
		"CustSubscriptionId": "cc-db-instance-event-subscription",
		"Enabled": true,
		"SnsTopicArn": "arn:aws:sns:us-east-1:12345678901:cc-rds-instance-alarm-topic",
		"CustomerAwsId": "123456789012"
	}
}

07 Because no --source-ids were supplied, this subscription covers every database instance in the selected region, including instances created later. Repeat steps no. 1 – 6 only if you created subscriptions scoped to specific instances and still need to cover the remaining Amazon RDS instances in the region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
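As an added example that is not part of this article (and not Conformity's or AWS's tooling), the following Python script turns the create-event-subscription step above into an idempotent remediation: it reads the current subscription with boto3 (assumed installed and credentialed for apply() only), creates it when missing, and when it finds drift re-enables it, points it at the right topic, widens its categories, or removes instance-specific source IDs; when the subscription already matches it makes no API calls. The subscription name, topic ARN and sample states are assumptions, and the SNS topic is expected to exist already, as in steps 1 to 4.

```python
"""Idempotent remediation for one region: ensure a named, enabled,
instance-level RDS event subscription exists with the full category list,
repairing drift instead of blindly re-running create-event-subscription.

Added example for this article; not Conformity's or AWS's own tooling.  The
subscription name and topic ARN below are assumptions.  plan() is pure and is
what runs offline; apply() needs boto3 and AWS credentials.
"""

# Instance-level categories from the create-event-subscription step above.
REQUIRED_CATEGORIES = [
    "availability", "backup", "configuration change", "creation", "deletion",
    "failover", "failure", "low storage", "maintenance", "notification",
    "read replica", "recovery", "restoration",
]


def plan(existing, name, topic_arn, categories=REQUIRED_CATEGORIES):
    """Return the RDS API calls (method name, kwargs) needed to reach the
    desired state.  `existing` is the matching describe-event-subscriptions
    entry, or None when RDS raised SubscriptionNotFoundFault.

      * missing                                  -> create_event_subscription
      * pinned to specific SourceIds             -> remove each id, so instances
        created later are covered too (modify cannot clear SourceIds)
      * disabled, other topic or source type, or a non-empty category list
        that lacks required ones                 -> modify_event_subscription
      * already compliant                        -> no calls
    """
    desired = {"SubscriptionName": name, "SnsTopicArn": topic_arn,
               "SourceType": "db-instance", "EventCategories": list(categories),
               "Enabled": True}
    if existing is None:
        return [("create_event_subscription", desired)]

    steps = [("remove_source_identifier_from_subscription",
              {"SubscriptionName": name, "SourceIdentifier": sid})
             for sid in existing.get("SourceIdsList") or []]

    have = set(existing.get("EventCategoriesList") or [])   # empty means "all"
    drifted = (not existing.get("Enabled", False)
               or existing.get("SnsTopicArn") != topic_arn
               or existing.get("SourceType") != "db-instance"
               or (have and not set(categories) <= have))
    if drifted:
        steps.append(("modify_event_subscription", desired))
    return steps


def apply(region, name, topic_arn):
    """Read the live state with boto3 and execute the plan; returns the calls made."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    try:
        existing = rds.describe_event_subscriptions(
            SubscriptionName=name)["EventSubscriptionsList"][0]
    except rds.exceptions.SubscriptionNotFoundFault:
        existing = None
    steps = plan(existing, name, topic_arn)
    for method, kwargs in steps:
        getattr(rds, method)(**kwargs)
    return [method for method, _ in steps]


# Constructed states (invented name and ARN) to show the planner's decisions offline.
NAME = "cc-db-instance-event-subscription"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic"
COMPLIANT = {"CustSubscriptionId": NAME, "Enabled": True, "SnsTopicArn": TOPIC_ARN,
             "SourceType": "db-instance", "EventCategoriesList": []}
DRIFTED = dict(COMPLIANT, Enabled=False, EventCategoriesList=["backup"],
               SourceIdsList=["legacy-db"])

if __name__ == "__main__":
    # Dry run on the constructed states; apply("us-east-1", NAME, TOPIC_ARN) does it for real.
    for label, state in (("missing", None), ("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, [method for method, _ in plan(state, NAME, TOPIC_ARN)])
```

Because the plan is computed before anything is changed, the same script can be run in a scheduled job across all regions: a compliant region costs one describe call and no writes, and the list of methods returned by apply() is a ready-made audit trail of what was changed.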

Publication date Apr 19, 2018
