
Rule: RDS DB Instance and Cluster Enhanced Monitoring Should Be Enabled

This rule ensures that RDS DB instance and cluster enhanced monitoring is enabled for enhanced security and performance.

Rule: RDS DB instance and cluster enhanced monitoring should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

Enabling RDS DB instance and cluster enhanced monitoring is essential for complying with the NIST 800-171 Revision 2 security requirements. This rule aims to ensure that all RDS database instances and clusters within an organization's AWS environment have the enhanced monitoring feature enabled. Enhanced monitoring provides detailed insights into database performance metrics, enabling better troubleshooting, performance optimization, and security monitoring.

Troubleshooting Steps:

  1. Check RDS instances and clusters: Use the AWS Management Console or AWS CLI to view the list of RDS instances and clusters within your AWS environment.
  2. Identify instances without enhanced monitoring: Determine which RDS instances and clusters do not have enhanced monitoring enabled. Pay attention to instances that were created before this rule was implemented.
  3. Verify security group permissions: Ensure that the security groups associated with each RDS instance or cluster allow outbound traffic to the required endpoints for enhanced monitoring. By default, outbound traffic to these endpoints is allowed, but any custom security groups in place should be reviewed and updated accordingly.
  4. Enable enhanced monitoring: For each identified RDS instance or cluster without enhanced monitoring enabled, follow the remediation steps below to enable it.

Remediation Steps:

  1. AWS Management Console:

    • Sign in to the AWS Management Console.
    • Open the Amazon RDS console.
    • Select the region where your target RDS instances or clusters are located.
    • Click on "Databases" or "Clusters" in the left navigation pane, depending on your requirement.
    • Identify the target RDS instance or cluster from the list and click on its name.
    • In the "Configuration" tab, under "Enhanced Monitoring", click on "Edit".
    • Enable the monitoring by selecting the checkboxes next to the desired metrics.
    • Click on "Save changes" to apply the enhanced monitoring configuration.
  2. AWS CLI:

    • Ensure you have the AWS CLI installed and configured with appropriate credentials.

    • Open the command-line interface or terminal.

    • Run the following command to enable enhanced monitoring on an RDS instance:

      aws rds modify-db-instance --db-instance-identifier <DBInstanceIdentifier> --monitoring-interval <MonitoringInterval> --monitoring-role-arn <MonitoringRoleArn> --apply-immediately

      Replace <DBInstanceIdentifier> with the identifier of the target RDS instance, <MonitoringInterval> with the desired monitoring interval in seconds (valid values are 0, 1, 5, 10, 15, 30 and 60; 0 disables enhanced monitoring), and <MonitoringRoleArn> with the ARN of the IAM role that allows RDS to publish enhanced monitoring metrics to CloudWatch Logs. The role ARN is required whenever the interval is changed from 0 to a non-zero value.

    • Alternatively, for Multi-AZ DB clusters, use the following command:

      aws rds modify-db-cluster --db-cluster-identifier <DBClusterIdentifier> --monitoring-interval <MonitoringInterval> --monitoring-role-arn <MonitoringRoleArn> --apply-immediately

      Replace <DBClusterIdentifier> with the identifier of the target RDS cluster, and use the same interval and role values as above. For Aurora clusters, enhanced monitoring is configured on each DB instance with modify-db-instance rather than on the cluster.

    • Execute the command, and enhanced monitoring will be enabled on the specified RDS instance or cluster.

Note: It is recommended to test the changes in a non-production environment before applying them to production instances or clusters.
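The troubleshooting step "identify instances without enhanced monitoring" and the CLI remediation above can be combined into a small audit. The following is an added example, not code from Cloud Defense or from this rule page: it parses the JSON shape returned by aws rds describe-db-instances, lists every instance whose MonitoringInterval is 0 or absent, and builds the exact modify-db-instance command that would fix each one, rejecting intervals RDS does not accept. The sample describe output, instance identifiers and role ARN are constructed placeholders; in practice the input would come from the CLI call itself.

```python
"""Audit RDS instances for Enhanced Monitoring and build the remediation command."""
import json
import shlex

# Monitoring granularities accepted by the RDS MonitoringInterval parameter (seconds).
VALID_INTERVALS = {0, 1, 5, 10, 15, 30, 60}

# Constructed sample: the shape of `aws rds describe-db-instances --output json`,
# trimmed to the fields this check needs. Identifiers and ARNs are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
         "MonitoringInterval": 60,
         "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role"},
        {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql",
         "MonitoringInterval": 0},
        # Aurora members carry the setting per instance; a missing key means disabled.
        {"DBInstanceIdentifier": "analytics-aurora-1", "Engine": "aurora-postgresql",
         "DBClusterIdentifier": "analytics-aurora"},
    ]
})


def find_noncompliant(describe_output: str) -> list:
    """Return identifiers of instances whose Enhanced Monitoring is off (interval 0 or unset)."""
    data = json.loads(describe_output)
    return [
        inst["DBInstanceIdentifier"]
        for inst in data.get("DBInstances", [])
        if inst.get("MonitoringInterval", 0) == 0
    ]


def remediation_command(identifier: str, interval: int, role_arn: str) -> str:
    """Build the modify-db-instance command that turns Enhanced Monitoring on.

    RDS requires the monitoring role ARN when the interval moves from 0 to a
    non-zero value, so the role is a mandatory argument here.
    """
    if interval not in VALID_INTERVALS:
        raise ValueError(f"interval {interval} not in {sorted(VALID_INTERVALS)}")
    if interval == 0:
        raise ValueError("interval 0 disables Enhanced Monitoring; choose a non-zero value")
    if not role_arn.startswith("arn:"):
        raise ValueError("role_arn must be an IAM role ARN")
    args = [
        "aws", "rds", "modify-db-instance",
        "--db-instance-identifier", identifier,
        "--monitoring-interval", str(interval),
        "--monitoring-role-arn", role_arn,
        "--apply-immediately",
    ]
    # shlex.join quotes any token that needs it, so the result is safe to paste into a shell.
    return shlex.join(args)


def remediation_plan(describe_output: str, interval: int, role_arn: str) -> dict:
    """Map each non-compliant instance to the command that would fix it."""
    return {
        ident: remediation_command(ident, interval, role_arn)
        for ident in find_noncompliant(describe_output)
    }


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_DESCRIBE_OUTPUT, 60,
                            "arn:aws:iam::123456789012:role/rds-monitoring-role")
    for ident, cmd in plan.items():
        print(f"{ident}: {cmd}")
```

Running the script prints one remediation command per non-compliant instance; feeding it the real describe-db-instances output for each region gives a repeatable check that can be re-run after remediation to confirm the list is empty.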
