This rule ensures that RDS DB instance and cluster enhanced monitoring is enabled for better performance and security.
Rule | RDS DB instance and cluster enhanced monitoring should be enabled |
Framework | CISA-cyber-essentials |
Severity | ✔ High |
Rule Description:
Enabling enhanced monitoring for Amazon RDS DB instances and clusters is a recommended security practice, especially for organizations following the CISA Cyber Essentials guidelines. Enhanced monitoring provides detailed insights into the performance of your RDS resources, helping you identify and mitigate potential security risks promptly.
Troubleshooting Steps:
If you encounter any issues while enabling enhanced monitoring for RDS DB instances and clusters, follow these troubleshooting steps:
Check IAM Roles: Ensure that the IAM role attached to your RDS instances has the necessary permissions to enable enhanced monitoring. The role should have the "rds:EnableEnhancedMonitoring" action allowed.
Verify DB Instance Compatibility: Enhanced monitoring is supported for specific database engine versions and instance classes. Confirm that your RDS DB instances meet the required compatibility criteria.
Check Network Connectivity: Ensure that your RDS instances have network connectivity to the required AWS endpoints. This is necessary for enabling enhanced monitoring and sending metric data to CloudWatch.
Verify CloudWatch Agent Installation: Enhanced monitoring relies on the CloudWatch agent running on your instances. Verify that the agent is correctly installed and running without any issues.
Necessary Codes:
To enable enhanced monitoring for RDS DB instances and clusters programmatically, you can use the AWS Command Line Interface (CLI) with the following command:
aws rds modify-db-instance --db-instance-identifier <instance-identifier> --monitoring-interval <interval-in-seconds> --monitoring-role-arn <IAM-role-ARN>
Replace <instance-identifier> with the identifier of your RDS DB instance, <interval-in-seconds> with the desired monitoring interval (the number of seconds between data points), and <IAM-role-ARN> with the ARN of the IAM role that grants permissions for enhanced monitoring.
Step-by-Step Guide for Remediation:
Log in to the AWS Management Console.
Go to the Amazon RDS service.
Click on "DB Instances" or "Clusters" from the left-hand menu, depending on whether you want to enable enhanced monitoring for individual instances or clusters.
Select the specific DB instance or cluster that you want to enable enhanced monitoring for.
Click the "Actions" button and choose "Modify" from the dropdown menu.
In the "Enhanced Monitoring" section, select the desired monitoring interval from the dropdown list.
Choose the IAM role you want to associate with enhanced monitoring from the "Monitoring Role ARN" dropdown.
Click "Continue" and review the summary of modifications.
If everything looks correct, click "Modify DB Instance" or "Modify Cluster" to apply the changes.
Monitor the modifications in the "Events" tab to ensure successful completion.
Congratulations! You have successfully enabled enhanced monitoring for your RDS DB instances or clusters following the CISA Cyber Essentials guidelines. This will provide in-depth performance monitoring capabilities and contribute to the security of your infrastructure.
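As an added example (not code from the original rule page), the script below applies this rule's compliance test to the response shape of `aws rds describe-db-instances` and builds the same parameters the `modify-db-instance` command above takes. The instance identifiers, account id and role ARN are constructed sample values; `remediate` accepts any object exposing `modify_db_instance`, such as a boto3 RDS client (assumed, not imported here so the check runs offline).

```python
"""Audit RDS instances for enhanced monitoring and build the remediation call.

Input dicts use the field names returned by `aws rds describe-db-instances`:
MonitoringInterval (0 means disabled) and MonitoringRoleArn.
"""

# Intervals RDS accepts for enhanced monitoring, in seconds; 0 disables it.
VALID_INTERVALS = {1, 5, 10, 15, 30, 60}


def is_enhanced_monitoring_enabled(instance: dict) -> bool:
    """Compliant only when a non-zero interval AND a monitoring role are set."""
    interval = instance.get("MonitoringInterval", 0)
    return interval in VALID_INTERVALS and bool(instance.get("MonitoringRoleArn"))


def find_noncompliant(instances: list) -> list:
    """Return identifiers of instances that fail the rule, in input order."""
    return [i["DBInstanceIdentifier"] for i in instances
            if not is_enhanced_monitoring_enabled(i)]


def remediation_params(identifier: str, role_arn: str, interval: int = 60) -> dict:
    """Keyword arguments for modify_db_instance, mirroring the CLI flags above."""
    if interval not in VALID_INTERVALS:
        raise ValueError(f"unsupported monitoring interval: {interval}")
    return {
        "DBInstanceIdentifier": identifier,
        "MonitoringInterval": interval,
        "MonitoringRoleArn": role_arn,
        "ApplyImmediately": True,  # do not wait for the maintenance window
    }


def remediate(client, instances: list, role_arn: str, interval: int = 60) -> list:
    """Enable enhanced monitoring on every non-compliant instance; return what was changed."""
    fixed = []
    for identifier in find_noncompliant(instances):
        client.modify_db_instance(**remediation_params(identifier, role_arn, interval))
        fixed.append(identifier)
    return fixed


# Constructed sample data in the describe-db-instances response shape.
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/rds-monitoring-role"  # constructed
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db-1", "MonitoringInterval": 60,
     "MonitoringRoleArn": SAMPLE_ROLE_ARN},                      # compliant
    {"DBInstanceIdentifier": "dev-db-2", "MonitoringInterval": 0},  # disabled
    {"DBInstanceIdentifier": "stage-db-3", "MonitoringInterval": 30},  # no role
]

if __name__ == "__main__":
    print("non-compliant:", find_noncompliant(SAMPLE_INSTANCES))
```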