🛡️ AWS RDS Security Group Event Subscription for critical events is not configured🟢

• Contextual name: 🛡️ Security Group Event Subscription for critical events is not configure🟢
• ID: /ce/ca/aws/rds/security-group-event-subscription
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Account
  • 🔌 AWS RDS Event Subscription - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: RDS Event Notifications

Description

Open File

Description

This control evaluates whether Amazon RDS event subscriptions are configured to send notifications for the following source type and event categories:

• Source type: db-security-group
• Event categories: configuration change, failure

Amazon RDS event notifications use Amazon SNS to inform you of changes to the configuration or availability of RDS security groups, enabling timely operational awareness.

Rationale

Monitoring RDS security groups is critical for maintaining the security posture of your database instances. Event notifications provide immediate awareness when a security group's configuration is modified, which could introduce unauthorized access, or when a failure occurs related to the security group.

Audit

This policy flags an AWS Account as INCOMPLIANT if no Amazon RDS Event Subscriptions are configured to notify on configuration change and failure events for the db-security-group source type.

References

1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Monitoring.html

... see more

Remediation

Open File

Remediation

Create an RDS Event Subscription

Configure Amazon RDS event subscriptions to receive notifications for configuration change and failure events for DB security groups.

From Console

1. Sign in to the AWS Management Console.

2. Navigate to the Amazon RDS console.

3. In the navigation pane, under Amazon RDS, select Event subscriptions.

4. Choose Create event subscription.

5. On the Create event subscription page, configure the following settings:

   • Enter a unique name in the Name field.

   Target Section

   • For Send notifications to, choose one of the following:

     • Create a new Amazon SNS topic. Provide a unique Topic name and specify the email address(es) to receive notifications.
     • Select an existing Amazon SNS topic by choosing its ARN from the list.

   Source Section

   • Set Source type to Database Security Group.
   • For Database Security Groups to include, select All Database Security Groups.
   • For Event categories to include, select Select specific event categories and choose configuration change and failure.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.22] An RDS event notifications subscription should be configured for critical database security group events			1		no data
💼 Cloudaware Framework → 💼 System Configuration			69		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27		no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2	7	23		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		27		no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)			23		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)	2		23		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			50		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			65		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			27		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			50		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			46		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		27		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation	6	6	20		no data
💼 PCI DSS v3.2.1 → 💼 11.5 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files.	1		5		no data
💼 PCI DSS v4.0.1 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			4		no data
💼 PCI DSS v4.0 → 💼 11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed.			4		no data