This rule ensures enhanced monitoring is enabled for RDS DB instances and clusters.
Rule | RDS DB instance and cluster enhanced monitoring should be enabled |
Framework | FedRAMP Moderate Revision 4 |
Severity | ✔ High |
Rule Description
The rule requires enabling enhanced monitoring for Amazon RDS DB instances and clusters in accordance with the FedRAMP Moderate Revision 4 security requirements. Enhanced monitoring provides additional insights and metrics for better visibility into DB instance and cluster performance.
Troubleshooting Steps
If enhanced monitoring is not enabled for RDS DB instances and clusters, follow these troubleshooting steps:
Check if the current RDS instance is running in a supported region. A subset of AWS regions supports enhanced monitoring. Refer to the AWS documentation for a list of supported regions.
Ensure that the DB instance or cluster is running a supported database engine version. Enhanced monitoring may not be available for older database engine versions. Update the database engine to a supported version if necessary.
Verify that the IAM role associated with the DB instance or cluster has the necessary permissions to enable enhanced monitoring. The role should have the cloudwatch:PutMetricData action allowed in the IAM policy.
Check the configuration settings for the DB instance or cluster. Ensure that the MonitoringInterval parameter is set to a value other than zero. If it is set to zero, enhanced monitoring will not be enabled.
Necessary Codes
To enable enhanced monitoring for RDS DB instances and clusters, you can use the AWS CLI or SDKs. Below is an example of how to enable enhanced monitoring using the AWS CLI:
aws rds modify-db-instance --db-instance-identifier <instance-identifier> --monitoring-interval <interval> --monitoring-role-arn <monitoring-role-arn>
Replace <instance-identifier> with the identifier of your RDS DB instance, <interval> with the desired monitoring interval in seconds, and <monitoring-role-arn> with the ARN of the IAM role that RDS uses to publish enhanced monitoring metrics. A role ARN must be supplied whenever the interval is set to a value other than zero.
Note: Enhanced monitoring cannot be enabled or disabled on a running instance directly. To enable enhanced monitoring, you need to create a new instance with the desired monitoring configuration and then migrate your data to the new instance.
Step-by-Step Guide for Remediation
Follow these steps to enable enhanced monitoring for RDS DB instances and clusters in an AWS environment:
Identify the RDS DB instance or cluster that needs enhanced monitoring enabled.
Verify that the AWS region in which the DB instance or cluster is running supports enhanced monitoring. Refer to the AWS documentation for a list of supported regions.
Ensure that the DB instance or cluster is running a supported database engine version. If it is using an older version, consider upgrading the database engine to a supported version.
Check the IAM role associated with the DB instance or cluster. Ensure that the role has the necessary permissions to enable enhanced monitoring. The role should have the cloudwatch:PutMetricData action allowed in the IAM policy.
Determine the desired monitoring interval for enhanced monitoring. The monitoring interval determines how frequently metrics are collected.
Create a new RDS DB instance or cluster with the desired monitoring configuration. Use the AWS CLI, SDKs, or the AWS Management Console to configure the instance with the necessary monitoring options.
Migrate your data to the new DB instance or cluster, if required. Be sure to follow best practices and take necessary precautions to avoid data loss or downtime during the migration process.
Validate that enhanced monitoring is enabled for the new DB instance or cluster. Use the AWS Management Console, CLI, or APIs to check the monitoring configuration and verify that metrics are being collected.
Update any relevant documentation or configuration management systems to reflect the changes made to enable enhanced monitoring.
Monitor the enhanced metrics and use them to gain insights into the performance of your RDS DB instance or cluster. Leverage these metrics to troubleshoot any performance issues and optimize your database environment.
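An added example (not part of the original page or of any AWS tooling) for the validation step above: it evaluates the JSON returned by `aws rds describe-db-instances` and `aws rds describe-db-clusters` against this rule. The sample documents, identifiers and ARNs are constructed, and treating a missing MonitoringInterval as 0 is an assumption.

```python
import json

# Non-zero intervals (seconds) RDS accepts for enhanced monitoring; 0 disables it.
VALID_INTERVALS = {1, 5, 10, 15, 30, 60}

# Constructed samples shaped like `aws rds describe-db-instances` and
# `aws rds describe-db-clusters` output; identifiers and ARNs are made up.
SAMPLE_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "MonitoringInterval": 60,
   "MonitoringRoleArn": "arn:aws:iam::111122223333:role/example-rds-monitoring"},
  {"DBInstanceIdentifier": "legacy-db", "MonitoringInterval": 0},
  {"DBInstanceIdentifier": "reports-db", "MonitoringInterval": 30}
]}
""")
SAMPLE_CLUSTERS = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "analytics-cluster"}
]}
""")


def evaluate(resource, id_key):
    """Return (identifier, status, reason) for one instance or cluster record."""
    ident = resource[id_key]
    # Assumption: a record without the key is treated as interval 0 (disabled).
    interval = resource.get("MonitoringInterval", 0)
    if interval == 0:
        return ident, "FAIL", "MonitoringInterval is 0"
    if interval not in VALID_INTERVALS:
        return ident, "FAIL", f"unexpected MonitoringInterval {interval}"
    if not resource.get("MonitoringRoleArn"):
        return ident, "FAIL", "no MonitoringRoleArn attached"
    return ident, "PASS", f"interval {interval}s"


def audit(instances_doc, clusters_doc):
    """Evaluate every instance and cluster in the two describe-* documents."""
    results = [evaluate(r, "DBInstanceIdentifier")
               for r in instances_doc.get("DBInstances", [])]
    results += [evaluate(r, "DBClusterIdentifier")
                for r in clusters_doc.get("DBClusters", [])]
    return results


if __name__ == "__main__":
    for ident, status, reason in audit(SAMPLE_INSTANCES, SAMPLE_CLUSTERS):
        print(f"{status}  {ident}: {reason}")
```

To run it against a real account, save the output of the two describe commands to files and pass the parsed JSON to `audit` in place of the samples.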
Conclusion
Enabling enhanced monitoring for RDS DB instances and clusters in accordance with the FedRAMP Moderate Revision 4 security requirements helps to improve visibility and performance management of your database environment. By following the steps outlined above, you can ensure that enhanced monitoring is configured correctly and gain actionable insights to optimize your RDS deployments.