This rule checks that Enhanced Monitoring is enabled for RDS DB instances and clusters.
Rule | RDS DB instance and cluster enhanced monitoring should be enabled
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity | High
RDS DB Instance and Cluster Enhanced Monitoring - Rule Description
The rule states that the Enhanced Monitoring feature should be enabled for Amazon RDS (Relational Database Service) DB instances and clusters in order to comply with the NIST Cybersecurity Framework (CSF) v1. Enhanced Monitoring provides deeper insights into the performance and resource utilization of RDS instances, helping to identify potential security or operational issues.
Enabling Enhanced Monitoring for RDS DB instances and clusters supports the availability, integrity, and confidentiality of the data stored within the database. It allows for faster detection of and response to incidents, improving overall security posture and reducing the risk of a security breach.
Troubleshooting Steps
Step 1: Verify RDS Service Support
Ensure that the AWS region where your RDS instances and clusters are deployed supports Enhanced Monitoring. You can refer to the AWS Regional Services List (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) to verify service availability.
Step 2: Check IAM Permissions
Make sure that the IAM user or role used to manage RDS instances and clusters has the necessary permissions to enable and configure Enhanced Monitoring. The required permissions include rds:EnableEnhancedMonitoring and rds:DescribeDBInstances.
Step 3: Verify Compatibility
Confirm that your RDS instance's database engine version is compatible with Enhanced Monitoring. Not all database engine versions support this feature. Refer to the AWS documentation for the specific database engine you are using to check its compatibility with Enhanced Monitoring.
Step 4: Check Instance Identifier/Cluster Identifier
Ensure that you have the correct RDS instance identifier or cluster identifier for the instance or cluster where you want to enable Enhanced Monitoring. You will need this identifier when executing the necessary commands or APIs.
Necessary Codes
Before proceeding, make sure you have the AWS Command Line Interface (CLI) installed and properly configured with the necessary credentials.
Enable Enhanced Monitoring for an RDS DB Instance
To enable Enhanced Monitoring for an RDS DB instance using the AWS CLI, execute the following command:
aws rds modify-db-instance --db-instance-identifier <instance_identifier> --monitoring-interval <interval> --monitoring-role-arn <monitoring_role_arn>
<instance_identifier>: Replace this with the identifier of the RDS DB instance you want to enable Enhanced Monitoring for.
<interval>: Replace this with the desired monitoring interval (in seconds). Valid values are 0 (disabling monitoring), 1, 5, 10, 15, 30, 60, 120, and 180.
<monitoring_role_arn>: Replace this with the ARN of the IAM role that Enhanced Monitoring uses to publish metrics to CloudWatch Logs. RDS requires this parameter whenever the interval is not 0, so the command fails without it.
Enable Enhanced Monitoring for an RDS Cluster
To enable Enhanced Monitoring for a Multi-AZ RDS DB cluster using the AWS CLI, execute the following command:
aws rds modify-db-cluster --db-cluster-identifier <cluster_identifier> --monitoring-interval <interval> --monitoring-role-arn <monitoring_role_arn>
<cluster_identifier>: Replace this with the identifier of the RDS cluster you want to enable Enhanced Monitoring for.
<interval>: Replace this with the desired monitoring interval (in seconds); the same values as for a DB instance apply, and 0 disables monitoring.
<monitoring_role_arn>: Replace this with the ARN of the IAM role used by Enhanced Monitoring; it is required whenever the interval is not 0.
For an Aurora DB cluster, Enhanced Monitoring is configured on each DB instance in the cluster: run the modify-db-instance command above for every instance.
Step-by-Step Guide for Remediation
Follow these steps to enable Enhanced Monitoring for RDS DB instances and clusters:
Enabling Enhanced Monitoring for an RDS DB Instance
aws rds modify-db-instance --db-instance-identifier <instance_identifier> --monitoring-interval <interval> --monitoring-role-arn <monitoring_role_arn>
Replace <instance_identifier> with the identifier of the RDS DB instance you want to enable Enhanced Monitoring for, <interval> with the desired monitoring interval (in seconds) chosen according to your monitoring requirements, and <monitoring_role_arn> with the ARN of the Enhanced Monitoring IAM role.
Enabling Enhanced Monitoring for an RDS Cluster
aws rds modify-db-cluster --db-cluster-identifier <cluster_identifier> --monitoring-interval <interval> --monitoring-role-arn <monitoring_role_arn>
Replace <cluster_identifier> with the identifier of the Multi-AZ RDS DB cluster you want to enable Enhanced Monitoring for, <interval> with the desired monitoring interval, and <monitoring_role_arn> with the ARN of the Enhanced Monitoring IAM role. For an Aurora cluster, apply the modify-db-instance command to each DB instance instead.
Conclusion
Following the troubleshooting steps and using the necessary codes, you can enable the Enhanced Monitoring feature for your RDS DB instances and clusters. This ensures compliance with the NIST Cybersecurity Framework (CSF) v1 and provides valuable insights into the performance and security of your database environment.
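To audit an account against this rule and build the remediation call in code, the following Python is an added example, not part of this page or of any AWS tool; the describe-db-instances response is constructed, and the instance names and role ARN are placeholders. It also encodes the caveat the CLI commands above depend on: a non-zero interval must be paired with a monitoring role ARN, so the caller additionally needs iam:PassRole on that role.

```python
from typing import Any

# Valid --monitoring-interval values in seconds; 0 disables Enhanced Monitoring.
VALID_INTERVALS = {0, 1, 5, 10, 15, 30, 60, 120, 180}

# Constructed sample shaped like `aws rds describe-db-instances` output (not real data).
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "MonitoringInterval": 60,
         "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role"},
        {"DBInstanceIdentifier": "legacy-db", "MonitoringInterval": 0},
        {"DBInstanceIdentifier": "reporting-db"},  # key absent: never enabled
    ]
}


def find_unmonitored(response: dict[str, Any]) -> list[str]:
    """Identifiers of instances that fail the rule: interval 0 or not reported."""
    return [
        inst["DBInstanceIdentifier"]
        for inst in response.get("DBInstances", [])
        if inst.get("MonitoringInterval", 0) == 0
    ]


def remediation_params(instance_id: str, interval: int, role_arn: str) -> dict[str, Any]:
    """Arguments for ModifyDBInstance that turn Enhanced Monitoring on."""
    # RDS rejects a non-zero interval without MonitoringRoleArn, so both are required.
    if interval not in VALID_INTERVALS or interval == 0:
        raise ValueError(f"interval must be one of {sorted(VALID_INTERVALS - {0})}")
    if not role_arn.startswith("arn:aws:iam::"):
        raise ValueError("role_arn must be an IAM role ARN")
    return {
        "DBInstanceIdentifier": instance_id,
        "MonitoringInterval": interval,
        "MonitoringRoleArn": role_arn,
        "ApplyImmediately": True,
    }


def remediate(client: Any, response: dict[str, Any], interval: int, role_arn: str) -> list[str]:
    """Enable Enhanced Monitoring on each non-compliant instance via a boto3 RDS client."""
    # `client` is boto3.client("rds") in practice; a test double with the same method works.
    fixed = []
    for instance_id in find_unmonitored(response):
        client.modify_db_instance(**remediation_params(instance_id, interval, role_arn))
        fixed.append(instance_id)
    return fixed
```

Run find_unmonitored over the real describe-db-instances response first to see the drift; only then pass a boto3 client to remediate.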