Profile Applicability:

  • Level 1

Description:

Amazon RDS allows users to configure Security Groups that define the access rules for database instances. Monitoring changes to RDS Security Groups is essential to ensure that unauthorized modifications do not affect the accessibility and security of the RDS instances. Event subscriptions for RDS Security Groups allow administrators to receive notifications when security group configurations are altered.

This SOP ensures that RDS security group events are subscribed to so that changes are detected in real time, providing an additional layer of monitoring and auditing for compliance and security purposes.

Rationale:

  • Security Monitoring: Subscribing to RDS security group events ensures that any unauthorized or accidental changes to security group rules are detected immediately.

  • Change Management: Provides an audit trail of security group modifications, aiding in troubleshooting and compliance with internal or external security policies.

  • Compliance: Many security and compliance frameworks require monitoring of critical security settings, such as security group changes, to ensure only authorized modifications occur.

  • Risk Reduction: By monitoring security group changes, organizations can quickly identify and remediate any misconfigurations or vulnerabilities introduced through mismanaged security group settings.

Impact:

Pros:

  • Immediate Notifications: Real-time alerts when security group settings are changed, enabling rapid remediation of unauthorized changes.

  • Enhanced Security: Helps protect RDS instances from accidental exposure due to unapproved security group rule modifications.

  • Compliance Assurance: Enables continuous monitoring to meet security audit requirements and ensure compliance with regulations like PCI-DSS, SOC 2, HIPAA.

  • Better Change Management: Improves change tracking and accountability in security configurations.

Cons:

  • Notification Overload: If not properly configured, security group event notifications can become overwhelming, especially if there are frequent rule modifications.

  • Management Overhead: Setting up and managing event subscriptions requires time and resources to ensure they are configured correctly and receiving the right alerts.

Default Value:

By default, no event subscription exists for RDS security group events. An event subscription must be explicitly created to receive notifications when security groups change.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeEventSubscriptions

    • rds:CreateEventSubscription

    • sns:Publish

  • AWS CLI installed and configured.

  • A pre-existing SNS topic for event notifications.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Event Subscriptions.

  4. Review the list of existing event subscriptions:

    • Ensure that there is an active subscription for RDS security group events.

    • Check the SNS topic associated with the subscription to verify that it is configured to notify the right recipients.

  5. If no subscription exists, click Create Event Subscription.

    • Select RDS Security Group as the Source Type.

    • Choose the event categories for security group changes (e.g., Configuration Changes, Security Group Modification).

    • Select the SNS topic for notifications.

  6. Save the subscription and verify that alerts are sent to the SNS topic when changes are made to RDS security groups.

Using AWS CLI:

  1. To check for existing event subscriptions, run:

    aws rds describe-event-subscriptions --query 'EventSubscriptionsList[*].[CustSubscriptionId, SnsTopicArn, SourceType, EventCategoriesList, Enabled]'

  2. Review the output to confirm that an enabled subscription exists whose source type is db-security-group (or that has no source type restriction) and whose event categories include configuration changes.

  3. To create a new event subscription for security groups, run:

    aws rds create-event-subscription --subscription-name <subscription-name> --sns-topic-arn <sns-topic-arn> --source-type db-security-group --event-categories "configuration change" "maintenance"

  4. Verify the subscription by running:

    aws rds describe-event-subscriptions --subscription-name <subscription-name>
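The check in steps 1 and 2 can be automated. The following script is an added example, not part of this SOP: it evaluates the JSON that `aws rds describe-event-subscriptions` returns and reports which subscriptions would actually deliver DB security group change events, handling the two cases a manual review tends to miss (a subscription with no SourceType covers every source type, and an empty EventCategoriesList covers every category). A constructed sample payload is embedded so it runs offline; `load_live()` assumes a configured AWS CLI as listed under Pre-requisite.

```python
"""Audit RDS event subscriptions for DB security group change coverage (added example)."""
import json
import subprocess

REQUIRED_SOURCE = "db-security-group"
REQUIRED_CATEGORY = "configuration change"

# Constructed sample in the shape of `aws rds describe-event-subscriptions` output.
SAMPLE = json.loads("""{
  "EventSubscriptionsList": [
    {"CustSubscriptionId": "rds-maint", "Status": "active", "Enabled": true,
     "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-alerts",
     "SourceType": "db-instance", "EventCategoriesList": ["maintenance"]},
    {"CustSubscriptionId": "sg-watch", "Status": "active", "Enabled": true,
     "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-alerts",
     "SourceType": "db-security-group",
     "EventCategoriesList": ["configuration change", "failure"]}
  ]
}""")


def covers_security_group_changes(sub: dict) -> bool:
    """True if this subscription would deliver DB security group change events."""
    if not sub.get("Enabled", False) or sub.get("Status") != "active":
        return False
    if not sub.get("SnsTopicArn"):
        return False  # nowhere to deliver notifications
    # An absent SourceType means the subscription spans all RDS source types.
    source = sub.get("SourceType")
    if source is not None and source != REQUIRED_SOURCE:
        return False
    # An empty category list means every category for that source type.
    categories = sub.get("EventCategoriesList", [])
    return not categories or REQUIRED_CATEGORY in categories


def audit(payload: dict) -> dict:
    """Return the covering subscription names and an overall pass/fail verdict."""
    covering = [s["CustSubscriptionId"] for s in payload.get("EventSubscriptionsList", [])
                if covers_security_group_changes(s)]
    return {"compliant": bool(covering), "covering": covering}


def load_live() -> dict:
    """Assumption: the AWS CLI is installed and configured with rds:DescribeEventSubscriptions."""
    out = subprocess.run(["aws", "rds", "describe-event-subscriptions", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Replace `SAMPLE` with `load_live()` in the final line to run it against the account; a non-compliant result means no enabled subscription would report security group changes.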

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, go to Event Subscriptions and click Create Event Subscription.

  3. Provide the following details:

    • Subscription Name: Name for the event subscription.

    • SNS Topic ARN: Choose the SNS topic for event notifications.

    • Source Type: Select DB Security Group.

    • Event Categories: Choose the event categories such as Configuration Change, Maintenance, and Security Group Modification.

  4. Click Create Subscription and ensure it is properly configured.

  5. Test the subscription by making a change to an RDS security group and verifying that the notification is received.

Using AWS CLI:

  1. To create an event subscription for RDS security group events, run:

    aws rds create-event-subscription --subscription-name <subscription-name> --sns-topic-arn <sns-topic-arn> --source-type db-security-group --event-categories "configuration change" "maintenance"

  2. Verify the event subscription with:

    aws rds describe-event-subscriptions --subscription-name <subscription-name>

Backout Plan:

Using AWS Console:

  1. If subscribing to security group events causes issues or unnecessary notifications, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select Event Subscriptions, and find the subscription for security group events.

  3. Delete or modify the subscription as needed.

Using AWS CLI:

  1. To remove the event subscription, run the following command:

    aws rds delete-event-subscription --subscription-name <subscription-name>

  2. Verify that the subscription has been deleted (the command should report that the subscription was not found):

    aws rds describe-event-subscriptions --subscription-name <subscription-name>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                       | IG1 | IG2 | IG3
  --------|------------|---------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                      |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                  |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                           |     |     |