AWS RDS Event Subscription Disabled For DB Security Groups

This policy identifies RDS event subscriptions for which the DB security groups event subscription is disabled. You can create an Amazon RDS event notification subscription so that you are notified when an event occurs for the given DB security groups.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform, CloudFormation

Build Rules

AWS RDS event subscription disabled for DB security groups.
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')] size greater than 0 and (not $.Resources.*[?(@.Type == 'AWS::RDS::EventSubscription')].Properties[?(@.SourceType == 'db-security-group')].Enabled anyTrue)
Terraform
$.resource[*].aws_db_instance exists and ( $.resource[*].aws_db_event_subscription !exists or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')] anyNull or not $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyNull or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyTrue )
Recommendations:
  • CloudFormation
    Recommended solution for enabling AWS RDS event subscription.
    It is recommended to enable subscriptions for AWS RDS events. Make sure that if "SourceType" is equal to "db-security-group" under "EventSubscription", then "Enabled" is set to true.
    For example:
    "myEventSubscription": {
      "Type": "AWS::RDS::EventSubscription",
      "Properties": {
        "SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:example-topic",
        "SourceType": "db-security-group",
        "Enabled": true
      }
    }
  • Terraform
    Recommended solution for enabling RDS event subscription for DB security group.
    Ensure that the RDS event subscription is enabled for the DB security group. Make sure your template has "enabled" set to true in the "aws_db_event_subscription" block.
    For example:
    {
      "aws_db_event_subscription": [
        {
          "<event_subscription_name>": [
            {
              "event_categories": [ "availability", "deletion" ],
              "name": "event-sub1",
              "enabled": true,
              "sns_topic": "${aws_sns_topic.default.arn}",
              "source_ids": [ "${aws_db_instance.default.id}" ],
              "source_type": "db-security-group"
            }
          ]
        }
      ]
    }
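The CloudFormation build rule above can be checked locally before a template reaches the policy engine. The following is an added example written for this page, not Prisma Cloud's own rule engine: it re-implements the rule's literal semantics (at least one AWS::RDS::DBInstance and no AWS::RDS::EventSubscription whose SourceType is db-security-group with Enabled true) over a parsed JSON template; the sample templates are constructed, and accepting the string "true" as well as boolean true is an assumption about how templates are authored.

```python
"""Local re-implementation of the CloudFormation build rule for this policy.

Flags a template that declares at least one AWS::RDS::DBInstance but no
AWS::RDS::EventSubscription with SourceType "db-security-group" and
Enabled set to true. This mirrors the JSON query on the page literally:
an omitted "Enabled" counts as not enabled.
"""
import json


def _resources_of_type(template, rtype):
    """Return every resource dict in the template with the given Type."""
    return [r for r in template.get("Resources", {}).values()
            if isinstance(r, dict) and r.get("Type") == rtype]


def has_db_instance(template):
    return len(_resources_of_type(template, "AWS::RDS::DBInstance")) > 0


def has_enabled_dbsg_subscription(template):
    """True if any event subscription covers db-security-group and is enabled."""
    for sub in _resources_of_type(template, "AWS::RDS::EventSubscription"):
        props = sub.get("Properties") or {}
        enabled = props.get("Enabled")
        # Assumption: accept boolean true or the string "true" (both are
        # accepted by CloudFormation for this property).
        is_on = enabled is True or str(enabled).lower() == "true"
        if props.get("SourceType") == "db-security-group" and is_on:
            return True
    return False


def violates_policy(template):
    """True when the rule fires: DB instance present, no enabled subscription."""
    return has_db_instance(template) and not has_enabled_dbsg_subscription(template)


# Constructed sample templates (not taken from any real account).
NONCOMPLIANT = {"Resources": {
    "MyDB": {"Type": "AWS::RDS::DBInstance",
             "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro"}},
    "MySub": {"Type": "AWS::RDS::EventSubscription",
              "Properties": {"SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:example-topic",
                             "SourceType": "db-security-group", "Enabled": False}}}}

COMPLIANT = json.loads(json.dumps(NONCOMPLIANT))
COMPLIANT["Resources"]["MySub"]["Properties"]["Enabled"] = True

if __name__ == "__main__":
    for name, tpl in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(f"{name}: {'ALERT' if violates_policy(tpl) else 'ok'}")
```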

Run Rule Recommendation

  1. Sign into the AWS console.
  2. In the console, select from the region drop-down on the top right corner the specific region for which the alert is generated.
  3. Navigate to Amazon RDS Dashboard.
  4. Click on 'Event subscriptions' (Left Panel).
  5. Choose the reported Event subscription.
  6. Click on 'Edit'.
  7. On the 'Edit event subscription' page, under the 'Details' section, select 'Yes' for 'Enabled' and make sure you have subscribed your DB to 'All instances' and 'All event categories'.
  8. Click on 'Edit'.

Compliance

There are 2 standards that are applicable to this policy:
  • PIPEDA
  • CCPA 2018