🛡️ AWS RDS Parameter Group Event Subscription for critical events is not configured🟢

• Contextual name: 🛡️ Parameter Group Event Subscription for critical events is not configured🟢
• ID: /ce/ca/aws/rds/parameter-group-event-subscription
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Account
  • 🔌 AWS RDS Event Subscription - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: RDS Event Notifications

Description

Open File

Description

This control evaluates whether Amazon RDS event subscriptions are configured to send notifications for the following source type and event category:

• Source type: db-parameter-group
• Event category: configuration change

Amazon RDS event notifications use Amazon SNS to inform you of changes to the configuration or availability of RDS parameter groups, enabling timely operational awareness.

Rationale

RDS parameter groups define the behavior and performance of your database instances. Changes to parameters—such as buffer sizes, timeout settings, or SSL enforcement—can significantly impact database stability, performance, and security. Subscribing to event notifications ensures that operations and security teams are immediately aware of modifications, allowing verification or rapid remediation of unintended changes.

Audit

This policy flags an AWS Account as INCOMPLIANT if no Amazon RDS Event Subscriptions are configured to notify on configuration change events for the db-parameter-group source type.

... see more

Remediation

Open File

Remediation

Create an RDS Event Subscription

Configure Amazon RDS event subscriptions to receive notifications for configuration change events for DB parameter groups.

From Console

1. Sign in to the AWS Management Console.

2. Navigate to the Amazon RDS console.

3. In the navigation pane, under Amazon RDS, select Event subscriptions.

4. Choose Create event subscription.

5. On the Create event subscription page, configure the following settings:

   • Enter a unique name in the Name field.

   Target Section

   • For Send notifications to, choose one of the following:

     • Create a new Amazon SNS topic. Provide a unique Topic name and specify the email address(es) to receive notifications.
     • Select an existing Amazon SNS topic by choosing its ARN from the list.

   Source Section

   • Set Source type to Database Parameter Group.
   • For Database Parameter Groups to include, select All Database Parameter Groups.
   • For Event categories to include, select Select specific event categories and choose configuration change.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events			1		no data
💼 Cloudaware Framework → 💼 System Configuration			54		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22		no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2	7	19		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		22		no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)			19		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2		19		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			44		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			59		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			161		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			22		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			94		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			162		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			36		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			50		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			51		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			40		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			39		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		22		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation	6	6	16		no data
💼 PCI DSS v3.2.1 → 💼 11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files.	1		5		no data
💼 PCI DSS v4.0.1 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			4		no data
💼 PCI DSS v4.0 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			4		no data