Create Alert for RDS Instance Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that you have an alert monitoring rule and an alert configured to trigger a notification alarm whenever an RDS database instance configuration change is made. Your alert monitoring rule should query ActionTrail logs for events related to RDS modifications, such as "ModifyDBInstanceSpec", "ModifyDBInstanceSSL", and "DeleteBackup".


Using Simple Log Service (SLS) alerts to detect RDS instance configuration changes helps prevent accidental or intentional modifications that could lead to unauthorized access or other security breaches. Misconfiguration can have negative effects on business operations, disaster recovery, and High Availability (HA), while also raising vulnerability to untrusted networks. Therefore, it is highly advised to monitor your Alibaba Cloud account for RDS configuration changes.


To identify whether an SLS alert exists and is configured correctly to monitor RDS instance configuration changes in your Alibaba Cloud account, perform the following operations:

Checking for Simple Log Service (SLS) alerts via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Simple Log Service (SLS) console available at

03 In the Log Application section, select the Audit & Security tab, and choose Log Audit Service.

04 In the left navigation panel, under Access to Cloud Products, choose Global Configurations.

05 Select the cloud region of the SLS central project from the Region of the Central Project dropdown list. If the Region of the Central Project is already configured, continue the Audit process with the next step.

06 Ensure that Operations Log is enabled for ActionTrail, and click on the name (link) of the SLS central project, listed next to Central Project. If the name of the central project is not a link (the name is not clickable), there is no SLS central project created for managing log resources, available in the selected region. If the name of the central project is a link, click on the link to access your SLS central project.

07 Choose Alerts (bell icon) from the left navigation panel and select the Alert rule tab to access your alert monitoring rules.

08 Select actiontrail_log from the Search Logstore dropdown list to return only the monitoring rules associated with the actiontrail_log logstore.

09 Choose the active alert monitoring rule that you want to examine, and select Edit. A monitoring rule is active when the Status of the rule is Running. If there are no alert monitoring rules listed on this page, there is no SLS alert configured to detect RDS instance configuration changes; otherwise, continue with the next step.

10 On the Edit Alert configuration panel, click on the query statement next to Query Statistics, and ensure that the following SQL query is present in the Query box: event.serviceName: Rds AND (event.eventName: ModifyHASwitchConfig OR event.eventName: ModifyDBInstanceHAConfig OR event.eventName: SwitchDBInstanceHA OR event.eventName: ModifyDBInstanceSpec OR event.eventName: MigrateSecurityIPMode OR event.eventName: ModifySecurityIps OR event.eventName: ModifyDBInstanceSSL OR event.eventName: MigrateToOtherZone OR event.eventName: UpgradeDBInstanceKernelVersion OR event.eventName: UpgradeDBInstanceEngineVersion OR event.eventName: ModifyDBInstanceMaintainTime OR event.eventName: ModifyDBInstanceAutoUpgradeMinorVersion OR event.eventName: AllocateInstancePublicConnection OR event.eventName: ModifyDBInstanceConnectionString OR event.eventName: ModifyDBInstanceNetworkExpireTime OR event.eventName: ReleaseInstancePublicConnection OR event.eventName: SwitchDBInstanceNetType OR event.eventName: ModifyDBInstanceNetworkType OR event.eventName: ModifyDBInstanceSSL OR event.eventName: ModifyDTCSecurityIpHostsForSQLServer OR event.eventName: ModifySecurityGroupConfiguration OR event.eventName: CreateBackup OR event.eventName: ModifyBackupPolicy OR event.eventName: DeleteBackup OR event.eventName: CreateDdrInstance OR event.eventName: ModifyInstanceCrossBackupPolicy OR event.eventName :ModifySQLCollectorPolicy OR event.eventName:ModifyDBInstanceTDE ) | SELECT "event.userIdentity.accountId" as account_id, "event.requestParameters.DBInstanceId" as db_instance_id, "event.eventName" as event_name,"event.userIdentity.principalId" as ram_user_id, arbitrary("event.userIdentity.type") as user_type,arbitrary("event.userIdentity.userName") as user_name group by account_id,ram_user_id,db_instance_id,event_name limit 1000. If the specified SQL query is not available in the Query box, the selected alert monitoring rule is not configured to detect RDS instance configuration changes. 
If the specified SQL query is present, return to the Edit Alert panel, choose Simple Log Service Notification for Destination, and ensure that the feature is enabled and has an alert policy configured to send notifications. If the Simple Log Service Notification feature is not enabled and properly configured, the selected SLS alert is not configured to send notifications whenever an RDS instance configuration change occurs.

11 Repeat steps no. 9 and 10 for each alert monitoring rule available in your Alibaba Cloud account.

Remediation / Resolution

To ensure that a Simple Log Service (SLS) alert exists for RDS instance configuration changes, perform the following operations:

Creating and managing Simple Log Service (SLS) alerts via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Simple Log Service (SLS) console available at

03 In the Log Application section, select the Audit & Security tab, and choose Log Audit Service.

04 In the left navigation panel, under Access to Cloud Products, choose Global Configurations.

05 Select the cloud region required for your SLS central project from the Region of the Central Project dropdown list. If the Region of the Central Project is already configured and the Central Project is available, continue with step 8.

06 Enable Operations Log for ActionTrail, and set the data retention period of the SLS Logstore in the Storage Method column.

07 Choose Save to apply the configuration changes. This will create the SLS central project required for managing log resources.

08 Click on the name (link) of the SLS central project, listed next to Central Project.

09 Choose Alerts (bell icon) from the left navigation panel and select the Alert rule tab.

10 Choose Create Alert and perform the following actions:

  1. Select Create from Template, choose All Templates, and select the RDS Instance Configuration Change Alert built-in monitoring rule.
  2. For Rule Name, provide a name for your new Simple Log Service (SLS) alert.
  3. For Check Frequency, specify a check frequency and a time range based on your requirements on data timeliness and integrity.
  4. Click on Query Statistics and ensure that Logstore is set to actiontrail_log and the following SQL query is present in the Query box: event.serviceName: Rds AND (event.eventName: ModifyHASwitchConfig OR event.eventName: ModifyDBInstanceHAConfig OR event.eventName: SwitchDBInstanceHA OR event.eventName: ModifyDBInstanceSpec OR event.eventName: MigrateSecurityIPMode OR event.eventName: ModifySecurityIps OR event.eventName: ModifyDBInstanceSSL OR event.eventName: MigrateToOtherZone OR event.eventName: UpgradeDBInstanceKernelVersion OR event.eventName: UpgradeDBInstanceEngineVersion OR event.eventName: ModifyDBInstanceMaintainTime OR event.eventName: ModifyDBInstanceAutoUpgradeMinorVersion OR event.eventName: AllocateInstancePublicConnection OR event.eventName: ModifyDBInstanceConnectionString OR event.eventName: ModifyDBInstanceNetworkExpireTime OR event.eventName: ReleaseInstancePublicConnection OR event.eventName: SwitchDBInstanceNetType OR event.eventName: ModifyDBInstanceNetworkType OR event.eventName: ModifyDBInstanceSSL OR event.eventName: ModifyDTCSecurityIpHostsForSQLServer OR event.eventName: ModifySecurityGroupConfiguration OR event.eventName: CreateBackup OR event.eventName: ModifyBackupPolicy OR event.eventName: DeleteBackup OR event.eventName: CreateDdrInstance OR event.eventName: ModifyInstanceCrossBackupPolicy OR event.eventName :ModifySQLCollectorPolicy OR event.eventName:ModifyDBInstanceTDE ) | SELECT "event.userIdentity.accountId" as account_id, "event.requestParameters.DBInstanceId" as db_instance_id, "event.eventName" as event_name,"event.userIdentity.principalId" as ram_user_id, arbitrary("event.userIdentity.type") as user_type,arbitrary("event.userIdentity.userName") as user_name group by account_id,ram_user_id,db_instance_id,event_name limit 1000. Select Preview to test the query and choose Confirm.
  5. For Group Evaluation, choose Custom Label, and select account_id, ram_user_id, and event_name.
  6. For Trigger Condition, choose When: Data is returned, and select the appropriate severity level.
  7. For Add Annotation, enter The configuration of the RDS instance ${db_instance_id} under the account ${account_id} has changed. The type of change: ${event_name}. Operation account ID: ${ram_user_id}, account name: ${user_name}, account type: ${user_type}. for desc and RDS Instance Configuration Change Alert for title.
  8. Choose Advanced Settings and set Threshold of Continuous Triggers to 1. For No Data Alert, choose whether to trigger an alert if no data exists.
  9. For Destination, choose Simple Log Service Notification, select Enable, and configure the necessary Alert Policy. You can use one of the following options to configure your alert policy: Simple Mode - where a built-in policy manages alerts and automatically creates an action policy, Standard Mode - where a built-in policy manages alerts and you only need to specify an action policy, or Advanced Mode - where you can select a built-in alert policy to merge the alerts of multiple alert monitoring rules. For example, you can set the Alert Policy to Advanced Mode and select the SLS audit built-in alert policy. You can also set a Repeat Interval at this point. If an alert is repeatedly triggered, the alert notification is sent only after the specified Repeat Interval.
  10. Choose OK to create your Simple Log Service (SLS) alert for monitoring RDS instance configuration changes.
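The query in step 10 (and the identical query checked in the audit step 10 above) has two halves: a search filter on the ActionTrail fields event.serviceName and event.eventName, and an analysis that groups the matching records by account, RAM user, instance and event name. The Python below is an added example, not Conformity's or Alibaba Cloud's code, that runs the same logic over a constructed sample of ActionTrail records and renders the annotation text from step 10.7 for each returned row; the nested "event" record layout and all account, user and instance identifiers are assumed sample values.

```python
# Event names listed in the page's SLS query (RDS configuration-change events).
RDS_CONFIG_EVENTS = {
    "ModifyHASwitchConfig", "ModifyDBInstanceHAConfig", "SwitchDBInstanceHA", "ModifyDBInstanceSpec",
    "MigrateSecurityIPMode", "ModifySecurityIps", "ModifyDBInstanceSSL", "MigrateToOtherZone",
    "UpgradeDBInstanceKernelVersion", "UpgradeDBInstanceEngineVersion", "ModifyDBInstanceMaintainTime",
    "ModifyDBInstanceAutoUpgradeMinorVersion", "AllocateInstancePublicConnection",
    "ModifyDBInstanceConnectionString", "ModifyDBInstanceNetworkExpireTime", "ReleaseInstancePublicConnection",
    "SwitchDBInstanceNetType", "ModifyDBInstanceNetworkType", "ModifyDTCSecurityIpHostsForSQLServer",
    "ModifySecurityGroupConfiguration", "CreateBackup", "ModifyBackupPolicy", "DeleteBackup",
    "CreateDdrInstance", "ModifyInstanceCrossBackupPolicy", "ModifySQLCollectorPolicy", "ModifyDBInstanceTDE",
}
# Annotation template from the page, with the ${...} placeholders as Python format fields.
ANNOTATION = ("The configuration of the RDS instance {db_instance_id} under the account {account_id} "
              "has changed. The type of change: {event_name}. Operation account ID: {ram_user_id}, "
              "account name: {user_name}, account type: {user_type}.")

def _rec(service, name, account, principal, utype, uname, inst):
    """Constructed ActionTrail-style record; the nested 'event' layout is an assumption."""
    return {"event": {"serviceName": service, "eventName": name, "requestParameters": {"DBInstanceId": inst},
                      "userIdentity": {"accountId": account, "principalId": principal, "type": utype, "userName": uname}}}

# Constructed sample log: two identical RDS changes by a RAM user, one read-only RDS call,
# one ECS change (wrong service), and a backup deletion by the root account.
SAMPLE_LOG = [
    _rec("Rds", "ModifySecurityIps", "1000000000000001", "2000000000000002", "ram-user", "alice", "rm-example01"),
    _rec("Rds", "DescribeDBInstances", "1000000000000001", "2000000000000002", "ram-user", "alice", "rm-example01"),
    _rec("Ecs", "ModifyInstanceAttribute", "1000000000000001", "2000000000000002", "ram-user", "alice", None),
    _rec("Rds", "DeleteBackup", "1000000000000001", "1000000000000001", "root-account", "root", "rm-example01"),
    _rec("Rds", "ModifySecurityIps", "1000000000000001", "2000000000000002", "ram-user", "alice", "rm-example01"),
]

def matches(record):
    """Search half of the query: service is Rds and the event name is a configuration change."""
    ev = record["event"]
    return ev.get("serviceName") == "Rds" and ev.get("eventName") in RDS_CONFIG_EVENTS

def group_changes(records):
    """Analysis half: one row per (account, RAM user, instance, event); user type/name come from the first record, as arbitrary() allows."""
    rows = {}
    for r in filter(matches, records):
        ev, who = r["event"], r["event"]["userIdentity"]
        key = (who["accountId"], who["principalId"], ev["requestParameters"]["DBInstanceId"], ev["eventName"])
        row = rows.setdefault(key, {"account_id": key[0], "ram_user_id": key[1], "db_instance_id": key[2],
                                    "event_name": key[3], "user_type": who["type"], "user_name": who["userName"], "count": 0})
        row["count"] += 1
    return list(rows.values())

def render_alerts(records):
    """'When: Data is returned' fires per returned row; render the page's annotation for each row."""
    return [ANNOTATION.format(**row) for row in group_changes(records)]
```

The read-only DescribeDBInstances call and the ECS change are dropped by the search half, so only genuine RDS configuration changes produce alert rows.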


Publication date Apr 29, 2024