
Rule: RDS DB Instance and Cluster Enhanced Monitoring Enabled

This rule ensures that RDS DB instance and cluster enhanced monitoring is enabled for better performance.

Rule: RDS DB instance and cluster enhanced monitoring should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

RDS DB Instance and Cluster Enhanced Monitoring for NIST 800-53 Revision 5

Overview

Enabling Enhanced Monitoring for Amazon RDS instances and clusters is essential to comply with NIST 800-53 Rev 5 recommendations. The corresponding control is SI-4 (System Monitoring) from NIST 800-53 Rev 5. Enhanced Monitoring provides detailed real-time metrics for the operating system (OS) of the DB host, which helps in the early detection of issues that could affect performance and stability.

Benefits of Enhanced Monitoring

  • Improved visibility into the health of your RDS instances and clusters.
  • Early detection of issues that could affect availability and performance.
  • Compliance with federal standards and guidelines for monitoring system events.

Troubleshooting Common Issues

When you encounter issues while enabling enhanced monitoring, these troubleshooting steps may help:

RDS Instance Not Reporting Metrics

  • Check IAM Role: Make sure the IAM role associated with Enhanced Monitoring has the necessary permissions.
  • Verify Monitoring Settings: Confirm that the enhanced monitoring interval is correctly set.
  • Review CloudWatch Logs: Check for any errors reported in CloudWatch logs that relate to enhanced monitoring.

Performance Metrics Unusual Values

  • Confirm Instance Health: Review the instance CPU, memory, and storage to ensure it's functioning correctly.
  • Consult RDS Logs: Look into the RDS error logs for any indication of issues causing the performance anomaly.
  • Evaluate Workload: Analyze query patterns or jobs that might be causing high resource consumption.

Enabling Enhanced Monitoring with CLI Commands

Here's a step-by-step guide to enable Enhanced Monitoring for an RDS DB instance or cluster:

Step 1: Create an IAM Role for RDS Enhanced Monitoring

First create an IAM role that RDS can assume, which allows RDS to push metrics to CloudWatch.

aws iam create-role --role-name RDSEnhancedMonitoringRole --assume-role-policy-document file://Trust-Policy-For-RDS.json

The trust policy file Trust-Policy-For-RDS.json referenced above contains:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "monitoring.rds.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

Step 2: Attach the Policy to the IAM Role

Attach the AmazonRDSEnhancedMonitoringRole policy to the role you’ve created.

aws iam attach-role-policy --role-name RDSEnhancedMonitoringRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole

Step 3: Enable Enhanced Monitoring for RDS Instance or Cluster

Update your RDS instance or cluster to use the new IAM role and set the monitoring interval.

For RDS instances:

aws rds modify-db-instance --db-instance-identifier mydbinstance --monitoring-interval 60 --monitoring-role-arn arn:aws:iam::<your_account_id>:role/RDSEnhancedMonitoringRole

For RDS clusters:

aws rds modify-db-cluster --db-cluster-identifier mydbcluster --monitoring-interval 60 --monitoring-role-arn arn:aws:iam::<your_account_id>:role/RDSEnhancedMonitoringRole

Replace <your_account_id> with your actual AWS account ID and mydbinstance or mydbcluster with your RDS instance/cluster identifier.

Verifying Enhanced Monitoring is Enabled

After you've enabled Enhanced Monitoring, verify that it's functioning properly.

aws rds describe-db-instances --db-instance-identifier mydbinstance

or for RDS clusters:

aws rds describe-db-clusters --db-cluster-identifier mydbcluster

Look for the MonitoringInterval and MonitoringRoleArn fields in the output to confirm its status: a MonitoringInterval of 0 means Enhanced Monitoring is disabled, while a non-zero interval together with the role ARN you configured means it is enabled.
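Putting the Step 3 commands and the verification fields together, the following is an added example (not Cloud Defense's rule engine or AWS code) that evaluates this rule over the JSON shape returned by the describe commands above and builds the remediation command for each failure; the sample records and the account ID 111122223333 are constructed.

```python
# Added example (not Cloud Defense's rule engine): evaluate the rule over the JSON shape
# that `aws rds describe-db-instances` / `describe-db-clusters` return. Sample records are constructed.
VALID_INTERVALS = {1, 5, 10, 15, 30, 60}  # seconds accepted by --monitoring-interval

# Constructed sample output: a compliant instance, one with monitoring off, and one with an
# interval set but no role ARN (a defensive case; RDS itself rejects that combination).
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "mydbinstance", "MonitoringInterval": 60,
     "MonitoringRoleArn": "arn:aws:iam::111122223333:role/RDSEnhancedMonitoringRole"},
    {"DBInstanceIdentifier": "legacy-db", "MonitoringInterval": 0},
    {"DBInstanceIdentifier": "half-configured", "MonitoringInterval": 30, "MonitoringRoleArn": ""},
]}
SAMPLE_CLUSTERS = {"DBClusters": [{"DBClusterIdentifier": "mydbcluster", "MonitoringInterval": 0}]}

def evaluate(resource: dict, kind: str) -> dict:
    """Return PASS/FAIL for one describe-db-instances or describe-db-clusters record."""
    ident = resource["DBInstanceIdentifier" if kind == "instance" else "DBClusterIdentifier"]
    interval = resource.get("MonitoringInterval", 0)  # absent or 0 means disabled
    role = resource.get("MonitoringRoleArn") or None
    if interval in VALID_INTERVALS and role:
        return {"id": ident, "kind": kind, "status": "PASS", "reason": f"interval {interval}s"}
    if interval == 0:
        reason = "MonitoringInterval is 0 (Enhanced Monitoring disabled)"
    elif not role:
        reason = "MonitoringInterval set but MonitoringRoleArn missing"
    else:
        reason = f"unsupported MonitoringInterval {interval}"
    return {"id": ident, "kind": kind, "status": "FAIL", "reason": reason}

def remediation(finding: dict, account_id: str, role_name: str = "RDSEnhancedMonitoringRole") -> str:
    """Build the Step 3 modify command for a failing instance or cluster."""
    target = ("modify-db-instance --db-instance-identifier" if finding["kind"] == "instance"
              else "modify-db-cluster --db-cluster-identifier")
    return (f"aws rds {target} {finding['id']} --monitoring-interval 60 "
            f"--monitoring-role-arn arn:aws:iam::{account_id}:role/{role_name}")

def audit(instances: dict, clusters: dict, account_id: str) -> list:
    """Evaluate every instance and cluster; attach the remediation command to each failure."""
    findings = [evaluate(i, "instance") for i in instances.get("DBInstances", [])]
    findings += [evaluate(c, "cluster") for c in clusters.get("DBClusters", [])]
    for f in findings:
        if f["status"] == "FAIL":
            f["fix"] = remediation(f, account_id)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES, SAMPLE_CLUSTERS, "111122223333"):
        print(f"{f['status']} {f['kind']:8} {f['id']}: {f['reason']}")
        if "fix" in f:
            print("    ", f["fix"])
```

To run it against a real account, feed the parsed output of the two describe commands into audit() in place of the constructed samples.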

This guide provides you with the necessary steps to enable Enhanced Monitoring for your RDS DB instance or cluster, ensuring compliance with NIST 800-53 Rev 5 recommendations on system monitoring. By following the steps outlined and avoiding common pitfalls, you will be able to enhance the monitoring and security of your cloud resources efficiently.
