Profile Applicability
• Level 1
Description
Implement monitoring and alerting for your database services using Amazon CloudWatch, EventBridge, and other AWS tools to detect and respond to anomalies in performance, usage, and potential security events.
Rationale
Monitoring and alerting ensure continuous visibility into the health and performance of services. Prompt alerts enable timely response to operational or security incidents, reducing downtime and exposure.
Impact
• Pros: Improves incident response time, operational insight, and security visibility.
• Cons: May introduce additional cost due to CloudWatch metrics and logs usage.
Default Value
By default, database instances publish a basic set of metrics to CloudWatch, but no alarms, Enhanced Monitoring, or EventBridge rules are configured, so nobody is notified when a threshold is breached.
Pre-Requisites
• Amazon CloudWatch permissions (at least cloudwatch:PutMetricAlarm and cloudwatch:DescribeAlarms)
• Configured database cluster
• IAM permissions to create EventBridge rules, plus whatever the chosen targets need (for a Lambda target, a resource policy allowing events.amazonaws.com to invoke it); an IAM monitoring role where the service supports Enhanced Monitoring
Remediation
Test Plan
Sign in to the AWS Management Console
Navigate to the relevant database console (e.g., DocumentDB, Neptune, ElastiCache)
Verify that Enhanced Monitoring is enabled (where the service offers it)
Check for configured CloudWatch alarms on the cluster's instances: correct namespace and metric, a DBInstanceIdentifier dimension, and an action attached
Validate EventBridge rules if used (rule enabled, target present, target permitted to be invoked)
Confirm alerts are triggered on threshold breaches (CloudWatch's set-alarm-state API can force an alarm into ALARM to exercise the notification path without waiting for a real breach)
Implementation Plan
Using AWS Console
Sign in to AWS Console
Go to the database service (e.g., Amazon DocumentDB)
Select the cluster and go to Monitoring tab
Enable Enhanced Monitoring (where the service offers it) and select the interval
Go to CloudWatch > Alarms
Click Create Alarm
Select metric (e.g., CPU, memory)
Set threshold and actions (e.g., email, SNS)
Click Create Alarm
(Optional) Go to EventBridge > Rules
Click Create rule, define event pattern
Set target (Lambda, SNS, etc.) and create rule
Using AWS CLI
Enable monitoring:
aws docdb modify-db-instance --db-instance-identifier mydbinstance --monitoring-interval 60
Note: --monitoring-interval (together with the required --monitoring-role-arn) is an option of aws rds modify-db-instance; the aws docdb form of modify-db-instance does not expose Enhanced Monitoring, and Amazon DocumentDB instances publish their CloudWatch metrics without this step, so the alarm below can be created directly.
Create alarm (the DBInstanceIdentifier dimension scopes the metric to one instance; an AWS/DocDB alarm without it receives no data and stays in INSUFFICIENT_DATA):
aws cloudwatch put-metric-alarm --alarm-name HighCPUUtilization \
  --metric-name CPUUtilization --namespace AWS/DocDB \
  --dimensions Name=DBInstanceIdentifier,Value=mydbinstance \
  --statistic Average --period 300 --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 --alarm-actions arn:aws:sns:us-east-1:123456789012:MyTopic
(Optional) Create EventBridge rule:
aws events put-rule --name MonitorDBEvents --event-pattern file://pattern.json
Add target (with the CLI, also grant EventBridge permission to invoke the function through the Lambda AddPermission API, principal events.amazonaws.com, source ARN set to the rule; the console adds this permission automatically):
aws events put-targets --rule MonitorDBEvents \
  --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
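The Test Plan's alarm check and the CLI alarm above, worked through as one added Python example (not part of the CIS benchmark text): it audits which DocumentDB instances lack an actionable CPUUtilization alarm, builds the put_metric_alarm parameters for the missing ones, and produces an EventBridge pattern that routes alarm state changes to the Lambda target. The sample instances and alarms are constructed to look like describe_db_instances / describe_alarms responses, not captured from an account; the alarm naming scheme HighCPUUtilization-<instance>, TreatMissingData=breaching, and the choice to match CloudWatch Alarm State Change events rather than raw service events are assumptions; live_audit() assumes boto3 is installed and credentialed.

```python
"""Audit DocumentDB instances for an actionable CPUUtilization alarm and build the
remediation inputs (alarm parameters, EventBridge pattern).

Added example, not part of the CIS benchmark. The pure functions work on the response
shapes of describe_db_instances / describe_alarms, so they run offline on the constructed
sample data below; live_audit() is the optional boto3 wrapper.
"""
import json

CPU_THRESHOLD = 80.0  # percent; matches the benchmark's put-metric-alarm example


def alarm_covers_instance(alarm, instance_id):
    """True if this describe_alarms MetricAlarm entry will actually page on this instance."""
    if alarm.get("Namespace") != "AWS/DocDB" or alarm.get("MetricName") != "CPUUtilization":
        return False
    dims = {d["Name"]: d["Value"] for d in alarm.get("Dimensions", [])}
    # An AWS/DocDB alarm without the DBInstanceIdentifier dimension never receives data
    # (its state stays INSUFFICIENT_DATA), so it is not coverage.
    if dims.get("DBInstanceIdentifier") != instance_id:
        return False
    # An alarm with no action, or with actions disabled, notifies nobody.
    return bool(alarm.get("AlarmActions")) and alarm.get("ActionsEnabled", True)


def instances_missing_cpu_alarm(instances, alarms):
    """Identifiers of DocumentDB instances (Engine == docdb) with no covering alarm.
    The docdb endpoint can also return RDS instances, hence the engine filter."""
    return [
        inst["DBInstanceIdentifier"]
        for inst in instances
        if inst.get("Engine") == "docdb"
        and not any(alarm_covers_instance(a, inst["DBInstanceIdentifier"]) for a in alarms)
    ]


def cpu_alarm_params(instance_id, topic_arn, threshold=CPU_THRESHOLD):
    """Keyword arguments for cloudwatch.put_metric_alarm: the benchmark's CLI alarm, scoped to
    one instance by the DBInstanceIdentifier dimension. TreatMissingData=breaching is an
    assumed policy choice: an instance that stops reporting is itself worth a page."""
    return {
        "AlarmName": f"HighCPUUtilization-{instance_id}",  # assumed naming scheme
        "Namespace": "AWS/DocDB",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "DBInstanceIdentifier", "Value": instance_id}],
        "Statistic": "Average",
        "Period": 300,
        "EvaluationPeriods": 2,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "breaching",
        "AlarmActions": [topic_arn],
    }


def alarm_state_change_pattern(alarm_name_prefix):
    """Event pattern for events.put_rule(EventPattern=json.dumps(...)): matches any alarm whose
    name starts with the prefix entering ALARM. Assumed design: the rule forwards alarm state
    changes (not raw service events) to the Lambda target."""
    return {
        "source": ["aws.cloudwatch"],
        "detail-type": ["CloudWatch Alarm State Change"],
        "detail": {
            "alarmName": [{"prefix": alarm_name_prefix}],
            "state": {"value": ["ALARM"]},
        },
    }


# Constructed sample data shaped like the API responses (not captured from an account).
SAMPLE_TOPIC = "arn:aws:sns:us-east-1:123456789012:MyTopic"
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "docdb-prod-1", "Engine": "docdb"},
    {"DBInstanceIdentifier": "docdb-prod-2", "Engine": "docdb"},
    {"DBInstanceIdentifier": "docdb-prod-3", "Engine": "docdb"},
    {"DBInstanceIdentifier": "pg-app-1", "Engine": "postgres"},  # RDS, out of scope
]
SAMPLE_ALARMS = [
    {**cpu_alarm_params("docdb-prod-1", SAMPLE_TOPIC), "ActionsEnabled": True},  # good
    {   # an alarm with no dimension: gets no data, so it covers nothing
        "AlarmName": "HighCPUUtilization", "Namespace": "AWS/DocDB",
        "MetricName": "CPUUtilization", "Dimensions": [],
        "AlarmActions": [SAMPLE_TOPIC], "ActionsEnabled": True,
    },
    {**cpu_alarm_params("docdb-prod-3", SAMPLE_TOPIC), "ActionsEnabled": False},  # muted
]


def audit_sample():
    """Run the check over the constructed data."""
    return instances_missing_cpu_alarm(SAMPLE_INSTANCES, SAMPLE_ALARMS)


def live_audit(topic_arn, apply=False):
    """Optional: the same check against the current account/region via boto3 (assumed
    installed and credentialed). With apply=True, creates the missing alarms."""
    import boto3

    docdb, cw = boto3.client("docdb"), boto3.client("cloudwatch")
    instances = [i for page in docdb.get_paginator("describe_db_instances").paginate()
                 for i in page["DBInstances"]]
    alarms = [a for page in cw.get_paginator("describe_alarms").paginate()
              for a in page["MetricAlarms"]]
    missing = instances_missing_cpu_alarm(instances, alarms)
    if apply:
        for instance_id in missing:
            cw.put_metric_alarm(**cpu_alarm_params(instance_id, topic_arn))
    return missing


if __name__ == "__main__":
    print("uncovered in sample data:", audit_sample())
    print(json.dumps(alarm_state_change_pattern("HighCPUUtilization-"), indent=2))
```

On the sample data the audit reports docdb-prod-2 (no alarm at all) and docdb-prod-3 (alarm present but actions disabled); the dimension-less alarm counts for nothing, which is the failure mode the Test Plan's "check for configured alarms" step most often misses.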
Backout Plan
Using AWS Console
Go to CloudWatch > Alarms
Select alarm and click Delete
Go to database service and disable Enhanced Monitoring
Go to EventBridge > Rules and delete the rule
Using AWS CLI
Delete alarm:
aws cloudwatch delete-alarms --alarm-names HighCPUUtilization
Disable monitoring (where Enhanced Monitoring had been enabled):
aws docdb modify-db-instance --db-instance-identifier mydbinstance --monitoring-interval 0
Delete EventBridge rule (targets must be removed before the rule can be deleted):
aws events remove-targets --rule MonitorDBEvents --ids 1
aws events delete-rule --name MonitorDBEvents
References
CIS Benchmark - DocumentDB 7.8
CIS Controls Mapping