🛡️ AWS RDS Instance Event Subscription for critical events is not configured🟢

• Contextual name: 🛡️ Instance Event Subscription for critical events is not configured🟢
• ID: /ce/ca/aws/rds/instance-event-subscription
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Account
  • 🔌 AWS RDS Event Subscription - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: RDS Event Notifications

Description

Open File

Description

This policy evaluates whether there is an AWS RDS Event Subscription that is configured to send notifications for the following source type and event categories:

• Source type: db-instance
• Event categories: maintenance, configuration change, failure

Amazon RDS event notifications use Amazon SNS to notify you of changes to the availability or configuration of RDS database instances, enabling timely operational response.

Rationale

Event monitoring is a critical component of maintaining the availability, reliability, and performance of Amazon RDS database instances. Subscribing to maintenance, configuration change, and failure events ensures that operational teams are promptly informed of changes that may impact database stability or service continuity.

Audit

This policy flags an AWS Account as INCOMPLIANT if no Amazon RDS Event Subscriptions are configured to notify on maintenance, configuration change, and failure events for the db-instance source type.

References

1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Monitoring.html

... see more

Remediation

Open File

Remediation

Create an RDS Event Subscription

Configure Amazon RDS event subscriptions to receive notifications for maintenance, configuration change, and failure events for DB instances.

From Console

1. Sign in to the AWS Management Console.

2. Navigate to the Amazon RDS console.

3. In the navigation pane, under Amazon RDS, select Event subscriptions.

4. Choose Create event subscription.

5. On the Create event subscription page, configure the following settings:

   • Enter a unique name in the Name field.

   Target Section

   • For Send notifications to, choose one of the following:

     • Create a new Amazon SNS topic. Provide a unique Topic name and specify the email address(es) to receive notifications.
     • Select an existing Amazon SNS topic by choosing its ARN from the list.

   Source Section

   • Set Source type to Database Instance.
   • For Database Instances to include, select All database instances.
   • For Event categories to include, select Select specific event categories and choose maintenance, configuration change, and failure.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events			1		no data
💼 Cloudaware Framework → 💼 Alerting and Notification			42		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2	7	24		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		28		no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)			24		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2		24		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			51		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			66		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			28		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			51		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			47		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			62		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			62		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			47		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			50		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		28		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation	6	6	21		no data
💼 PCI DSS v3.2.1 → 💼 11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files.	1		5		no data
💼 PCI DSS v4.0.1 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			4		no data
💼 PCI DSS v4.0 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			4		no data