
🛡️ AWS RDS Instance Enhanced Monitoring is not enabled🟢

Description

This policy identifies AWS RDS DB instances for which Enhanced Monitoring is not enabled.

With Enhanced Monitoring, Amazon RDS provides real-time operating-system metrics for the DB instances it runs. These metrics let you view system-level performance data and per-process information directly in the AWS Management Console, and they are also written to Amazon CloudWatch Logs, where they can be queried and alarmed on. You can choose which metrics are collected for each instance and build monitoring dashboards around your operational requirements.

Rationale

Enhanced Monitoring gives deeper visibility into DB instance health by collecting metrics from an agent that runs on the instance itself, rather than relying solely on hypervisor-level data. It delivers OS-level metrics such as CPU utilization, memory usage, file system activity and disk I/O, plus a per-process view, at intervals as short as one second.

By contrast, the standard Amazon CloudWatch metrics for RDS are reported at one-minute granularity. Enhanced Monitoring therefore exposes short-lived performance spikes or resource-hungry processes that a one-minute average would hide. Because the data lands in CloudWatch Logs, shorter intervals mean more log volume and correspondingly higher charges, so pick the smallest interval you will actually act on.

Audit

... see more

Remediation

Enable Enhanced Monitoring

Enhanced Monitoring requires an IAM role that allows Amazon RDS to publish OS-level metrics to Amazon CloudWatch Logs. If you already have a dedicated role, you can proceed to the Enable Enhanced Monitoring on the DB Instance step.

From Command Line
1. Create the IAM Role for Enhanced Monitoring

Create a trust policy that allows the Amazon RDS monitoring service principal (monitoring.rds.amazonaws.com) to assume the role. The minimal policy below carries no condition; to reduce confused-deputy exposure you can additionally scope the trust with the aws:SourceAccount and aws:SourceArn condition keys so that only RDS resources in your own account can assume it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "monitoring.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role:

aws iam create-role \
--role-name {{rds-monitoring-role}} \
--assume-role-policy-document file://{{monitoring-trust-policy}}.json

Attach the AWS-managed policy required for Enhanced Monitoring:

aws iam attach-role-policy \
--role-name {{rds-monitoring-role}} \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole

... [see more](remediation.md)
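The following Python example is added here to show the policy's check and the shape of the fix in one place; it is not code from this page or from the policy's own implementation. It applies the Enhanced Monitoring check to the structure returned by the RDS describe-db-instances API (an instance is compliant only when MonitoringInterval is non-zero and a MonitoringRoleArn is attached) and builds the modify_db_instance parameters that would enable monitoring with the role created above. The boto3 call names and parameters (describe_db_instances, modify_db_instance, MonitoringInterval, MonitoringRoleArn, ApplyImmediately) are the documented RDS API; the sample response, account ID, instance names and role ARN are constructed for illustration.

```python
"""Added example: audit RDS instances for Enhanced Monitoring and plan the fix.

The pure functions below work on the shape of an `rds describe-db-instances`
response, so they run offline against the constructed sample at the bottom.
`audit_live()` is an optional wrapper that runs the same logic through boto3.
"""
from __future__ import annotations

import json
from typing import Any

# Intervals (seconds) RDS accepts for MonitoringInterval; 0 disables Enhanced Monitoring.
VALID_INTERVALS = (0, 1, 5, 10, 15, 30, 60)


def enhanced_monitoring_enabled(instance: dict[str, Any]) -> bool:
    """True only when a non-zero interval is set AND a monitoring role is attached.

    Keying on the role alone is a false negative waiting to happen: a
    MonitoringRoleArn can remain on an instance after monitoring was switched
    off by setting the interval back to 0.
    """
    interval = int(instance.get("MonitoringInterval") or 0)
    role_arn = instance.get("MonitoringRoleArn") or ""
    return interval > 0 and role_arn.startswith("arn:") and ":role/" in role_arn


def evaluate(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Apply the policy to every instance; return one finding per non-compliant instance."""
    findings: list[dict[str, Any]] = []
    for inst in response.get("DBInstances", []):
        if enhanced_monitoring_enabled(inst):
            continue
        findings.append(
            {
                "DBInstanceIdentifier": inst["DBInstanceIdentifier"],
                "DBInstanceArn": inst.get("DBInstanceArn"),
                "MonitoringInterval": int(inst.get("MonitoringInterval") or 0),
                "MonitoringRoleArn": inst.get("MonitoringRoleArn"),
                "Reason": "Enhanced Monitoring is not enabled (interval is 0 or no monitoring role)",
            }
        )
    return findings


def remediation(finding: dict[str, Any], role_arn: str, interval: int = 60) -> dict[str, Any]:
    """Build the modify_db_instance keyword arguments that enable Enhanced Monitoring."""
    if interval == 0 or interval not in VALID_INTERVALS:
        raise ValueError(f"interval must be one of {VALID_INTERVALS[1:]}, got {interval}")
    if not role_arn.startswith("arn:") or ":role/" not in role_arn:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return {
        "DBInstanceIdentifier": finding["DBInstanceIdentifier"],
        "MonitoringInterval": interval,
        "MonitoringRoleArn": role_arn,
        "ApplyImmediately": True,  # do not defer the change to the maintenance window
    }


def audit_live(region: str, role_arn: str, interval: int = 60, apply: bool = False) -> list[dict[str, Any]]:
    """Run the check against a real account; only modifies instances when apply=True."""
    import boto3  # imported here so the offline functions above need no SDK

    rds = boto3.client("rds", region_name=region)
    instances: list[dict[str, Any]] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        instances.extend(page["DBInstances"])
    findings = evaluate({"DBInstances": instances})
    if apply:
        for finding in findings:
            rds.modify_db_instance(**remediation(finding, role_arn, interval))
    return findings


# Constructed sample of a describe-db-instances response (not real account data).
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/rds-monitoring-role"
SAMPLE_RESPONSE: dict[str, Any] = {
    "DBInstances": [
        {   # compliant: interval set and role attached
            "DBInstanceIdentifier": "orders-prod",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders-prod",
            "MonitoringInterval": 60,
            "MonitoringRoleArn": SAMPLE_ROLE_ARN,
        },
        {   # non-compliant: monitoring never enabled
            "DBInstanceIdentifier": "reporting-dev",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:reporting-dev",
            "MonitoringInterval": 0,
        },
        {   # non-compliant: role still attached but interval reset to 0
            "DBInstanceIdentifier": "legacy-app",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:legacy-app",
            "MonitoringInterval": 0,
            "MonitoringRoleArn": SAMPLE_ROLE_ARN,
        },
    ]
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESPONSE):
        print(json.dumps(f))
        print("  fix:", json.dumps(remediation(f, SAMPLE_ROLE_ARN)))
```

Run as-is it reports reporting-dev and legacy-app and prints the parameters that would be passed to modify_db_instance for each; the legacy-app case is why the check must key on MonitoringInterval rather than on the presence of a role ARN. When used against a real account, run with apply=False first and review the findings, since enabling monitoring starts writing to CloudWatch Logs immediately.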


Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.6] Enhanced monitoring should be configured for RDS DB instances1no data
💼 Cloudaware Framework → 💼 Performance Tuning5no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)227no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)2723no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)127no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)23no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)227no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)223no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities50no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources65no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events178no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events27no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events100no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events50no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events179no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations45no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties59no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities60no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded46no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked49no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring627no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation6620no data