Profile Applicability:

  • Level 1

Description:

Amazon RDS Enhanced Monitoring provides real-time metrics for the operating system (OS) of your RDS DB instances. It gives you detailed insights into the underlying infrastructure performance, including CPU, memory, disk, and network I/O metrics at the OS level. This SOP ensures that Enhanced Monitoring is enabled for RDS instances to improve visibility into instance performance and to support troubleshooting and operational monitoring.

Rationale:

  • Enhanced Visibility: Enhanced Monitoring allows for real-time insights into the health and performance of RDS instances, providing valuable metrics such as memory utilization, CPU load, and disk I/O.

  • Proactive Monitoring: It enables proactive monitoring by collecting OS-level metrics, allowing you to detect issues early and take action before they impact applications.

  • Troubleshooting: Enhanced Monitoring simplifies troubleshooting by offering detailed, fine-grained performance data that can help diagnose performance bottlenecks or failure points.

  • Compliance: Many compliance frameworks require continuous monitoring to detect and respond to security events or performance anomalies.

Impact:

Pros:

  • Improved Performance Monitoring: Provides deep visibility into the internal workings of RDS instances, beyond the standard CloudWatch metrics.

  • Better Resource Management: Allows you to track system resource usage, enabling better resource allocation and optimization.

  • Enhanced Troubleshooting: Real-time metrics help identify and diagnose performance or resource issues more effectively.

Cons:

  • Additional Cost: Enabling Enhanced Monitoring may lead to increased CloudWatch metrics usage and incur additional costs.

  • Performance Overhead: While minimal, the collection of enhanced metrics can add some performance overhead on the RDS instance.

Default Value:

By default, Enhanced Monitoring is not enabled for RDS instances when they are created. It must be manually enabled during the creation or modification of the RDS instance.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

    • cloudwatch:PutMetricData

  • AWS CLI installed and configured.

  • Ensure that you have permissions to manage RDS instances and CloudWatch metrics.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases.

  4. Select the RDS instance you want to check.

  5. In the Configuration tab, check the Monitoring section for Enhanced Monitoring:

    • If Enhanced Monitoring is enabled, it will show the Monitoring Role and the Granularity (usually in seconds).

    • If Enhanced Monitoring is disabled, the section will not display this information.

  6. If Enhanced Monitoring is not enabled, you can modify the instance to enable it.

Using AWS CLI:

  1. To check if Enhanced Monitoring is enabled for an RDS instance, run the following command:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,MonitoringInterval:MonitoringInterval}'

  2. Review the output:

    • If MonitoringInterval is greater than 0, Enhanced Monitoring is enabled.

    • If MonitoringInterval is 0 or missing, Enhanced Monitoring is not enabled.

  3. To enable Enhanced Monitoring, use the following command:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval <granularity-in-seconds> --monitoring-role-arn <role-arn> --apply-immediately

  4. Verify that Enhanced Monitoring is enabled by running:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,MonitoringInterval:MonitoringInterval}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the RDS instance for which you want to enable Enhanced Monitoring.

  3. Click Modify.

  4. In the Monitoring section, enable Enhanced Monitoring:

    • Set the Granularity (e.g., 1 second, 5 seconds, etc.).

    • Choose the Monitoring Role (AWS will automatically create a default role if needed).

  5. Click Continue, then Apply Changes.

Using AWS CLI:

  1. To enable Enhanced Monitoring for an RDS instance, run the following command:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval <granularity-in-seconds> --monitoring-role-arn <role-arn> --apply-immediately

  2. Verify that Enhanced Monitoring has been successfully enabled:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,MonitoringInterval:MonitoringInterval}'
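The CLI check in the Test Plan and the enable step above can be driven from captured CLI output instead of by eye. The script below is an added example, not part of this SOP or of any AWS tooling: it reads the JSON that aws rds describe-db-instances --output json returns (a constructed sample is embedded), flags instances whose MonitoringInterval is 0 or missing, and builds the modify-db-instance command for each, rejecting granularities that --monitoring-interval does not accept. The account ID and role name in the sample are placeholders.

```python
"""Audit RDS Enhanced Monitoring from captured `aws rds describe-db-instances --output json` output."""
import json

# Granularities (seconds) accepted by --monitoring-interval; 0 disables Enhanced Monitoring.
VALID_INTERVALS = {0, 1, 5, 10, 15, 30, 60}

# Constructed sample shaped like `aws rds describe-db-instances --output json`
# (only the fields this check reads; real output carries many more). Account/role are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "MonitoringInterval": 60,
         "MonitoringRoleArn": "arn:aws:iam::111122223333:role/rds-monitoring-role"},
        {"DBInstanceIdentifier": "reports-dev", "MonitoringInterval": 0},
        {"DBInstanceIdentifier": "legacy-db"},  # key absent: treated as disabled
    ]
})


def audit_enhanced_monitoring(describe_json: str) -> dict:
    """Return {identifier: interval} for every instance; 0 means Enhanced Monitoring is off.

    A missing MonitoringInterval counts as 0, matching the Test Plan rule
    'If MonitoringInterval is 0 or missing, Enhanced Monitoring is not enabled'.
    """
    data = json.loads(describe_json)
    return {inst["DBInstanceIdentifier"]: int(inst.get("MonitoringInterval", 0))
            for inst in data.get("DBInstances", [])}


def noncompliant_instances(describe_json: str) -> list:
    """Identifiers of instances that fail the check (interval 0 or missing), sorted for stable reports."""
    return sorted(ident for ident, interval in audit_enhanced_monitoring(describe_json).items()
                  if interval == 0)


def remediation_command(db_instance_id: str, interval: int, role_arn: str) -> str:
    """Build the modify-db-instance command from the Implementation Steps for one instance.

    Refuses granularities RDS does not accept (and 0, which would disable monitoring),
    so a bad value is caught before any CLI call is attempted.
    """
    if interval not in VALID_INTERVALS or interval == 0:
        raise ValueError(f"interval must be one of {sorted(VALID_INTERVALS - {0})}, got {interval}")
    if not role_arn.startswith("arn:") or ":role/" not in role_arn:
        raise ValueError("monitoring role must be an IAM role ARN")
    return (f"aws rds modify-db-instance --db-instance-identifier {db_instance_id} "
            f"--monitoring-interval {interval} --monitoring-role-arn {role_arn} --apply-immediately")


if __name__ == "__main__":
    for ident in noncompliant_instances(SAMPLE_DESCRIBE_OUTPUT):
        print(remediation_command(ident, 60, "arn:aws:iam::111122223333:role/rds-monitoring-role"))
```

Feed it real output with aws rds describe-db-instances --output json > rds.json and pass the file contents to noncompliant_instances(); the printed commands are the remediation step, with the placeholder role ARN replaced by the account's monitoring role.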

Backout Plan:

Using AWS Console:

  1. If enabling Enhanced Monitoring causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB instance, and click Modify.

  3. Set the Monitoring Interval to 0 to disable Enhanced Monitoring.

  4. Save the changes and verify that Enhanced Monitoring has been disabled.

Using AWS CLI:

  1. To disable Enhanced Monitoring, run the following command:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 0 --apply-immediately

  2. Verify that Enhanced Monitoring has been disabled:

    aws rds describe-db-instances --db-instance-identifier <db-instance-id>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                               | IG1 | IG2 | IG3
  --------|------------|-------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                              |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.          |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                   |     |     |