
Instance Level Events Subscriptions

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: RDS-027

Ensure that Amazon RDS event notification subscriptions are enabled for database instance level events. Amazon RDS groups these events into categories that you can subscribe to so that you can be notified when an event in that category occurs. You can subscribe to an event category for a database instance, database snapshot, database parameter group, etc. For example, if you subscribe to the "Backup" category for a given database instance, you will be notified whenever a backup-related event occurs that affects the RDS database instance.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

Reliability, Performance efficiency, Operational excellence

Amazon RDS event subscriptions for instance level events are designed to provide incident notification of event changes triggered at the database engine level such as failure, failover, low storage, maintenance, recovery, or deletion.


Audit

To determine if there are Amazon RDS event subscriptions enabled for instance level events within your AWS account, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

  3. In the navigation panel, choose Event subscriptions, and check the Event subscriptions section for any subscriptions with the Source type set to Instances. If no such subscriptions are listed, there are no Amazon RDS event subscriptions for instance level events in the selected AWS region.

  4. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run describe-event-subscriptions command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon RDS event subscriptions created for your database instances in the selected AWS cloud region:

    aws rds describe-event-subscriptions \
      --region us-east-1 \
      --query "EventSubscriptionsList[?SourceType == 'db-instance'].CustSubscriptionId"
    
  2. The command output should return the name(s) of the requested RDS event subscription(s):

    []
    

    If the describe-event-subscriptions command output returns an empty array, i.e. [], as shown in the output example above, there are no Amazon RDS event subscriptions created for instance level events available in the selected AWS region.

  3. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
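The `--query` filter above only tells you whether an instance-level subscription exists; it does not show whether the subscription is enabled, has an SNS topic, covers every instance in the region, or includes the engine-level categories this rule is about. The following script is an added example, not part of the Conformity page or the AWS CLI: it takes the raw JSON from `aws rds describe-event-subscriptions` on stdin, plus the region's DB instance identifiers as arguments, and reports the gaps. The reference category set is the one used in the rule's `create-event-subscription` step, and the "critical" set is the incident list from the rule description; both are assumptions of this example, and the sample response is constructed.

```python
"""Offline check of `aws rds describe-event-subscriptions` output for RDS-027.

Usage (constructed sample is used when nothing is piped in):
  aws rds describe-event-subscriptions --region us-east-1 \
    | python rds027_audit.py mysql-database-instance postgres-reporting
"""
import json
import sys

# Categories RDS offers for db-instance sources, as listed in this rule's
# create-event-subscription step (assumed here to be the reference set).
DB_INSTANCE_CATEGORIES = frozenset({
    "availability", "backup", "configuration change", "creation", "deletion",
    "failover", "failure", "low storage", "maintenance", "notification",
    "read replica", "recovery", "restoration",
})

# Engine-level incidents the rule description names; a subscription that
# omits any of these is flagged even though it technically exists.
CRITICAL_CATEGORIES = frozenset({
    "failure", "failover", "low storage", "maintenance", "recovery", "deletion",
})


def instance_subscriptions(response):
    """Same filter as the --query in the audit step, but keeps whole records."""
    return [s for s in response.get("EventSubscriptionsList", [])
            if s.get("SourceType") == "db-instance"]


def assess_region(response, instance_ids):
    """Judge one region's db-instance subscriptions against its DB instances.

    An empty SourceIdsList means the subscription covers every instance in
    the region (the console's "All instances"); an empty EventCategoriesList
    means every category. Only subscriptions without issues count as coverage.
    """
    covered = set()
    findings = []
    for sub in instance_subscriptions(response):
        issues = []
        if not sub.get("Enabled", False):
            issues.append("disabled")
        if not sub.get("SnsTopicArn"):
            issues.append("no SNS topic")
        categories = set(sub.get("EventCategoriesList") or []) or DB_INSTANCE_CATEGORIES
        missing = sorted(CRITICAL_CATEGORIES - categories)
        if missing:
            issues.append("missing categories: " + ", ".join(missing))
        scope = set(sub.get("SourceIdsList") or [])
        if not issues:
            covered |= scope if scope else set(instance_ids)
        findings.append({
            "name": sub.get("CustSubscriptionId", "<unnamed>"),
            "scope": sorted(scope) or "all instances",
            "issues": issues,
        })
    uncovered = sorted(set(instance_ids) - covered)
    return {
        "compliant": bool(findings) and not uncovered,
        "uncovered_instances": uncovered,
        "findings": findings,
    }


# Constructed sample shaped like the CLI output: one healthy subscription
# scoped to a single instance, one snapshot subscription (ignored), and one
# disabled subscription that only watches backups.
SAMPLE_RESPONSE = {
    "EventSubscriptionsList": [
        {"CustSubscriptionId": "cc-db-instance-event-subscription",
         "SourceType": "db-instance", "Enabled": True,
         "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic",
         "EventCategoriesList": ["failure", "failover", "low storage",
                                 "maintenance", "recovery", "deletion"],
         "SourceIdsList": ["mysql-database-instance"]},
        {"CustSubscriptionId": "snapshot-events", "SourceType": "db-snapshot",
         "Enabled": True, "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:snap",
         "EventCategoriesList": []},
        {"CustSubscriptionId": "legacy-backup-only", "SourceType": "db-instance",
         "Enabled": False, "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:old",
         "EventCategoriesList": ["backup"]},
    ]
}
SAMPLE_INSTANCES = ["mysql-database-instance", "postgres-reporting"]


def main(argv):
    response = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    result = assess_region(response, argv[1:] or SAMPLE_INSTANCES)
    print(json.dumps(result, indent=2))
    return 0 if result["compliant"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per region, with the instance identifiers from `aws rds describe-db-instances --query "DBInstances[].DBInstanceIdentifier"`; a non-zero exit code marks the region as non-compliant, which makes the check easy to wire into a scheduled job. On the constructed sample the healthy subscription covers only `mysql-database-instance`, so `postgres-reporting` is reported as uncovered and the disabled subscription is listed with its missing categories.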

Remediation / Resolution

To enable event subscriptions for database instance level events, perform the following operations:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "Enable Event Subscriptions for Instance Level Events",
    	"Parameters": {
    		"DBInstanceName": {
    			"Default": "mysql-database-instance",
    			"Description": "RDS database instance name",
    			"Type": "String",
    			"MinLength": "1",
    			"MaxLength": "63",
    			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
    			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
    		},
    		"DBInstanceClass": {
    			"Default": "db.t3.medium",
    			"Description": "DB instance class/type",
    			"Type": "String",
    			"ConstraintDescription": "Must provide a valid DB instance type."
    		},
    		"DBAllocatedStorage": {
    			"Default": "20",
    			"Description": "The size of the database (GiB)",
    			"Type": "Number",
    			"MinValue": "20",
    			"MaxValue": "65536",
    			"ConstraintDescription": "Must be between 20 and 65536 GiB."
    		},
    		"DBName": {
    			"Default": "mysqldb",
    			"Description": "Database name",
    			"Type": "String",
    			"MinLength": "1",
    			"MaxLength": "64",
    			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
    			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
    		},
    		"DBUsername": {
    			"Description": "Master username for database access",
    			"Type": "String",
    			"MinLength": "1",
    			"MaxLength": "16",
    			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
    			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
    		},
    		"DBPassword": {
    			"NoEcho": "true",
    			"Description": "Password for database access",
    			"Type": "String",
    			"MinLength": "8",
    			"MaxLength": "41",
    			"AllowedPattern": "[a-zA-Z0-9]*",
    			"ConstraintDescription": "Must contain only alphanumeric characters."
    		}
    	},
    	"Resources": {
    		"SNSTopic": {
    			"Type": "AWS::SNS::Topic",
    			"Properties": {
    				"DisplayName": "cc-rds-notifications"
    			}
    		},
    		"SNSSubscription": {
    			"Type": "AWS::SNS::Subscription",
    			"Properties": {
    				"Protocol": "email",
    				"TopicArn": {
    					"Ref": "SNSTopic"
    				},
    				"Endpoint": "email@domain.com"
    			}
    		},
    		"RDSInstance": {
    			"Type": "AWS::RDS::DBInstance",
    			"Properties": {
    				"DBInstanceIdentifier": {
    					"Ref": "DBInstanceName"
    				},
    				"DBName": {
    					"Ref": "DBName"
    				},
    				"MasterUsername": {
    					"Ref": "DBUsername"
    				},
    				"MasterUserPassword": {
    					"Ref": "DBPassword"
    				},
    				"DBInstanceClass": {
    					"Ref": "DBInstanceClass"
    				},
    				"AllocatedStorage": {
    					"Ref": "DBAllocatedStorage"
    				},
    				"Engine": "MySQL",
    				"EngineVersion": "5.7.36"
    			}
    		},
    		"RDSEventSubscription": {
    			"Type": "AWS::RDS::EventSubscription",
    			"Properties": {
    				"Enabled": true,
    				"EventCategories": [
    					"creation",
    					"configuration change",
    					"low storage",
    					"failure",
    					"failover",
    					"deletion",
    					"recovery",
    					"restoration"
    				],
    				"SnsTopicArn": {
    					"Ref": "SNSTopic"
    				},
    				"SourceIds": [
    					{
    						"Ref": "RDSInstance"
    					}
    				],
    				"SourceType": "db-instance"
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable Event Subscriptions for Instance Level Events
    Parameters:
      DBInstanceName:
        Default: mysql-database-instance
        Description: RDS database instance name
        Type: String
        MinLength: '1'
        MaxLength: '63'
        AllowedPattern: '^[0-9a-zA-Z-/]*$'
        ConstraintDescription: Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.
      DBInstanceClass:
        Default: db.t3.medium
        Description: DB instance class/type
        Type: String
        ConstraintDescription: Must provide a valid DB instance type.
      DBAllocatedStorage:
        Default: '20'
        Description: The size of the database (GiB)
        Type: Number
        MinValue: '20'
        MaxValue: '65536'
        ConstraintDescription: Must be between 20 and 65536 GiB.
      DBName:
        Default: mysqldb
        Description: Database name
        Type: String
        MinLength: '1'
        MaxLength: '64'
        AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
        ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
      DBUsername:
        Description: Master username for database access
        Type: String
        MinLength: '1'
        MaxLength: '16'
        AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
        ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
      DBPassword:
        NoEcho: 'true'
        Description: Password for database access
        Type: String
        MinLength: '8'
        MaxLength: '41'
        AllowedPattern: '[a-zA-Z0-9]*'
        ConstraintDescription: Must contain only alphanumeric characters.
    Resources:
      SNSTopic:
        Type: AWS::SNS::Topic
        Properties:
          DisplayName: cc-rds-notifications
      SNSSubscription:
        Type: AWS::SNS::Subscription
        Properties:
          Protocol: email
          TopicArn: !Ref 'SNSTopic'
          Endpoint: email@domain.com
      RDSInstance:
        Type: AWS::RDS::DBInstance
        Properties:
          DBInstanceIdentifier: !Ref 'DBInstanceName'
          DBName: !Ref 'DBName'
          MasterUsername: !Ref 'DBUsername'
          MasterUserPassword: !Ref 'DBPassword'
          DBInstanceClass: !Ref 'DBInstanceClass'
          AllocatedStorage: !Ref 'DBAllocatedStorage'
          Engine: MySQL
          EngineVersion: '5.7.36'
      RDSEventSubscription:
        Type: AWS::RDS::EventSubscription
        Properties:
          Enabled: true
          EventCategories:
            - creation
            - configuration change
            - low storage
            - failure
            - failover
            - deletion
            - recovery
            - restoration
          SnsTopicArn: !Ref 'SNSTopic'
          SourceIds:
            - !Ref 'RDSInstance'
          SourceType: db-instance
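A template can declare an `AWS::RDS::EventSubscription` resource and still not satisfy this rule: the resource may be disabled, target the wrong source type, give `SnsTopicArn` a list where CloudFormation requires a single string, or leave a DB instance declared in the same template out of `SourceIds`. The following pre-deployment check is an added example, not code from the Conformity page or from AWS. It loads a CloudFormation template in JSON form and returns findings against the event subscription resource; the required category set is an assumption of this example (the engine-level incidents named in the rule description that the page's template subscribes to), and both embedded templates are constructed, trimmed copies of the resources above.

```python
"""Pre-deployment policy check for AWS::RDS::EventSubscription (RDS-027).

Usage:  python cfn_rds027_check.py template.json
Without an argument the constructed BAD_TEMPLATE below is checked.
"""
import copy
import json
import sys

# Engine-level incidents from the rule description that the page's template
# subscribes to (assumption: treated here as the minimum category set).
REQUIRED_CATEGORIES = {"failure", "failover", "low storage", "deletion", "recovery"}


def _single_value(value):
    """A literal ARN/identifier string or one intrinsic such as {"Ref": ...}."""
    return isinstance(value, str) or (isinstance(value, dict) and len(value) == 1)


def check_event_subscription(template):
    """Return a list of human-readable findings; an empty list means compliant."""
    resources = template.get("Resources", {})
    subs = {name: res for name, res in resources.items()
            if res.get("Type") == "AWS::RDS::EventSubscription"}
    if not subs:
        return ["no AWS::RDS::EventSubscription resource in template"]
    db_instances = {name for name, res in resources.items()
                    if res.get("Type") == "AWS::RDS::DBInstance"}
    findings = []
    for name, res in subs.items():
        props = res.get("Properties", {})
        if props.get("Enabled") not in (True, "true"):
            findings.append(f"{name}: Enabled must be true")
        if props.get("SourceType") != "db-instance":
            findings.append(f"{name}: SourceType is {props.get('SourceType')!r}, "
                            "expected 'db-instance'")
        topic = props.get("SnsTopicArn")
        if not _single_value(topic):
            findings.append(f"{name}: SnsTopicArn must be one ARN string or intrinsic, "
                            f"not {type(topic).__name__}")
        categories = props.get("EventCategories")
        if categories is not None:  # omitted means all categories
            missing = sorted(REQUIRED_CATEGORIES - set(categories))
            if missing:
                findings.append(f"{name}: EventCategories omits {', '.join(missing)}")
        source_ids = props.get("SourceIds")
        if source_ids is not None:  # omitted means all instances in the region
            referenced = {i.get("Ref") for i in source_ids if isinstance(i, dict)}
            for inst in sorted(db_instances - referenced):
                findings.append(f"{name}: DB instance {inst} is not in SourceIds")
    return findings


# Constructed sample: the resources of this rule's template, trimmed.
GOOD_TEMPLATE = {
    "Resources": {
        "SNSTopic": {"Type": "AWS::SNS::Topic",
                     "Properties": {"DisplayName": "cc-rds-notifications"}},
        "RDSInstance": {"Type": "AWS::RDS::DBInstance",
                        "Properties": {"Engine": "MySQL"}},
        "RDSEventSubscription": {
            "Type": "AWS::RDS::EventSubscription",
            "Properties": {
                "Enabled": True,
                "EventCategories": ["creation", "configuration change", "low storage",
                                    "failure", "failover", "deletion", "recovery",
                                    "restoration"],
                "SnsTopicArn": {"Ref": "SNSTopic"},
                "SourceIds": [{"Ref": "RDSInstance"}],
                "SourceType": "db-instance",
            },
        },
    }
}

# Constructed variant with two common mistakes.
BAD_TEMPLATE = copy.deepcopy(GOOD_TEMPLATE)
BAD_TEMPLATE["Resources"]["RDSEventSubscription"]["Properties"].update({
    "SnsTopicArn": [{"Ref": "SNSTopic"}],  # list where a string is required
    "SourceIds": ["rds-db-instance"],      # literal id; RDSInstance is left out
})


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = BAD_TEMPLATE
    findings = check_event_subscription(template)
    print("\n".join(findings) if findings else "OK: event subscription satisfies RDS-027")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately conservative about intrinsics: it only reads `Ref` values in `SourceIds`, so an instance identifier supplied as a literal string or through `Fn::GetAtt` is reported as not covered and must be reviewed by hand. For the YAML form of the template, convert it to JSON (for example with `cfn-flip` or `aws cloudformation get-template`) before running the check, since the standard library has no YAML parser.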
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_sns_topic" "sns-topic" {
    	name = "cc-rds-notifications"
    }
    
    resource "aws_sns_topic_subscription" "sns-topic-subscription" {
    	topic_arn = aws_sns_topic.sns-topic.arn
    	protocol  = "email"
    	endpoint  = "email@domain.com"
    }
    
    resource "aws_db_instance" "rds-database-instance" {
    	allocated_storage     = 50
    	engine                = "mysql"
    	engine_version        = "5.7"
    	instance_class        = "db.t3.medium"
    	name                  = "[database-name]"
    	username              = "[master-username]"
    	password              = "[master-password]"
    	parameter_group_name  = "default.mysql5.7"
    }
    
    # Enable Event Subscriptions for Instance Level Events
    resource "aws_db_event_subscription" "rds-event-subscription" {
    	name        = "cc-rds-db-event-subscription"
    	sns_topic   = aws_sns_topic.sns-topic.arn
    	source_type = "db-instance"
    	source_ids  = [aws_db_instance.rds-database-instance.id]
    	event_categories = [
    		"creation",
    		"configuration change",
    		"failover",
    		"failure",
    		"low storage",
    		"deletion",
    		"recovery",
    		"restoration"
    	]
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

  3. In the navigation panel, under Amazon RDS, choose Event subscriptions.

  4. Choose Create event subscription to initiate the subscription setup process.

  5. On the Create event subscription setup page, perform the following actions:

    1. Provide a unique name for the event subscription in the Name box.
    2. In the Target section, perform one of the following actions:
      • Select New email topic for Send notifications to, to create and configure a new Amazon SNS topic. If you choose this option, you must provide a unique name for your new SNS topic in the Topic name box and specify the email address(es) to send the notifications to, in the With these recipients configuration box.
      • Select ARN for Send notifications to, to choose an existing Amazon SNS topic. Select the Amazon Resource Name (ARN) of the existing SNS topic from the ARN dropdown list.
    3. In the Source section, perform the following actions:
      • Select Instances from the Source Type dropdown list. This is the type of RDS resource from which this subscription will consume events.
      • For Instances to include, choose All instances to include all your database instances in the event subscription.
      • For Event categories to include, choose All event categories to include all supported events.
    4. Choose Create to create your new Amazon RDS event subscription.
  6. Repeat steps no. 4 and 5 to create event subscriptions for other Amazon RDS instances provisioned within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic for sending notifications whenever an instance level event occurs for the selected Amazon RDS database instance:

    aws sns create-topic \
      --name cc-rds-instance-alarm-topic
    
  2. The command output should return the Amazon Resource Name (ARN) of the newly created Amazon SNS topic:

    {
    	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic"
    }
    
  3. Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided):

    aws sns subscribe \
      --topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic \
      --protocol email \
      --notification-endpoint alerts@example.com
    
  4. Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output):

    aws sns confirm-subscription \
      --topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic \
      --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
    
  5. Once the required Amazon SNS topic is created and configured, execute create-event-subscription command (OSX/Linux/UNIX) to create an Amazon RDS event notification subscription for all the supported database instance level events:

    aws rds create-event-subscription \
      --region us-east-1 \
      --subscription-name cc-db-instance-event-subscription \
      --sns-topic-arn arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic \
      --source-type db-instance \
      --event-categories "availability" "backup" "configuration change" "creation" "deletion" "failover" "failure" "low storage" "maintenance" "notification" "read replica" "recovery" "restoration" \
      --enabled
    
  6. The command output should return the metadata available for the newly created event subscription:

    {
    	"EventSubscription": {
    		"Status": "creating",
    		"SubscriptionCreationTime": "Wed Apr 19 11:14:00 UTC 2018",
    		"SourceType": "db-instance",
    		"EventCategoriesList": [
    			"availability",
    			"backup",
    			"configuration change",
    			"creation",
    			"deletion",
    			"failover",
    			"failure",
    			"low storage",
    			"maintenance",
    			"notification",
    			"read replica",
    			"recovery",
    			"restoration"
    		],
    		"EventSubscriptionArn": "arn:aws:rds:us-east-1:123456789012:es:cc-db-instance-event-subscription",
    		"CustSubscriptionId": "cc-db-instance-event-subscription",
    		"Enabled": true,
    		"SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:cc-rds-instance-alarm-topic",
    		"CustomerAwsId": "123456789012"
    	}
    }
    
  7. Repeat steps no. 1 – 6 to create event subscriptions for other Amazon RDS instances available in the selected AWS region.

  8. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Apr 19, 2018