iCompaas Support

Profile Applicability:

• Level 1

Description:

Amazon RDS (Relational Database Service) provides a mechanism to monitor the status and lifecycle of database instances, including events like failovers, backups, and maintenance. These events can be subscribed to, allowing notifications via Amazon SNS (Simple Notification Service) to be sent when critical events occur. Subscribing to RDS instance events helps ensure that database administrators are notified immediately when important changes or issues occur in RDS instances.

Ensuring that event subscriptions are enabled for your RDS instances allows for proactive monitoring and quick response to critical events, thus maintaining the high availability and security of your database environments.

Rationale:

• Proactive Monitoring: Event subscriptions allow database administrators to receive real-time alerts on RDS instance status, such as failovers, backup completions, or configuration changes.

• Minimized Downtime: With immediate notification of events, issues can be addressed faster, leading to reduced downtime for the RDS instance.

• Security and Compliance: Many compliance frameworks require the monitoring and logging of critical system events. Ensuring RDS events are subscribed aligns with these requirements.

• Operational Efficiency: Provides insights into operational issues without manually checking logs or dashboards.

Impact:

Pros:

• Improved Response Time: Receiving timely notifications ensures faster remediation of issues and reduces the risk of prolonged downtime.

• Security: Helps to quickly identify and mitigate any unauthorized changes or failures within the RDS environment.

• Operational Transparency: Provides visibility into ongoing database operations, helping to ensure everything is running smoothly.

• Compliance: Meeting compliance and auditing requirements for monitoring critical system events.

Cons:

• Notification Overload: Depending on the frequency of events, excessive notifications might result in alert fatigue if not properly filtered.

• Management Overhead: Event subscriptions require proper configuration and management to ensure they align with organizational needs.

Default Value:

By default, RDS instances do not have event subscriptions configured. You need to manually configure event subscriptions to ensure that notifications are sent for relevant events.

Pre-requisite:

• AWS IAM Permissions:

  • rds:DescribeEventSubscriptions

  • rds:CreateEventSubscription

  • sns:Publish

• AWS CLI installed and configured.

• Ensure an SNS topic exists to receive event notifications.

• The RDS instances must be properly configured for event subscriptions.

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon RDS under Services.

3. In the RDS Dashboard, go to Event Subscriptions.

4. Review the list of existing event subscriptions:

   • Ensure that relevant RDS events (such as instance failover, maintenance, backup issues) are being subscribed to.

   • Ensure that an SNS topic is correctly configured to receive notifications.

5. If no subscriptions are present or if the existing subscriptions do not cover critical events, click Create Event Subscription.

   • Select the RDS instance, specify the event categories (failover, maintenance, security), and ensure an SNS topic is configured to receive notifications.

6. Save the configuration and verify that events are being published to the SNS topic.

Using AWS CLI:

1. To check for existing event subscriptions, run:
   

   aws rds describe-event-subscriptions --query 'EventSubscriptionsList[*].[SubscriptionName, SnsTopicArn, Enabled]'

2. If no subscriptions exist, create a new event subscription for RDS instances by running:
   

   aws rds create-event-subscription --subscription-name <subscription-name> --sns-topic-arn <sns-topic-arn> --source-type db-instance --event-categories "failover", "configuration change", "maintenance", "security"

3. To verify that the subscription is active, run:
   

   aws rds describe-event-subscriptions --subscription-name <subscription-name>

Implementation Steps:

Using AWS Console:

1. Log in to the AWS Management Console and navigate to Amazon RDS.

2. In the RDS Dashboard, go to Event Subscriptions.

3. Click Create Event Subscription.

4. Provide the subscription name and select the SNS topic where notifications will be sent.

5. For Source Type, select DB Instance to receive events related to RDS instances.

6. Under Event Categories, select relevant events such as failover, maintenance, backup, and security.

7. Click Create Subscription.

8. Verify that the subscription is working by testing it with an appropriate RDS instance event.

Using AWS CLI:

1. To create an event subscription, run:
   

   aws rds create-event-subscription --subscription-name <subscription-name> --sns-topic-arn <sns-topic-arn> --source-type db-instance --event-categories "failover", "maintenance", "configuration change"

2. To verify the event subscription:
   

   aws rds describe-event-subscriptions --subscription-name <subscription-name>

Backout Plan:

Using AWS Console:

1. If subscribing to RDS instance events causes issues or unnecessary notifications, sign in to the AWS Management Console.

2. Navigate to Amazon RDS, select Event Subscriptions, and find the subscription for RDS instance events.

3. Delete or modify the subscription as needed.

Using AWS CLI:

1. To remove the event subscription, run the following command:
   

   aws rds delete-event-subscription --subscription-name <SUBSCRIPTION_NAME>

2. Verify that the subscription has been deleted:
   

   aws rds describe-event-subscriptions --subscription-name <SUBSCRIPTION_NAME>

References:

• Amazon RDS Documentation: Event Subscriptions

• AWS CLI: create-event-subscription

• AWS CLI: describe-event-subscriptions

CIS Controls Mapping: