RDS DB Instance and Cluster Enhanced Monitoring Rule

This rule emphasizes enabling enhanced monitoring for RDS DB instances and clusters.

Rule: RDS DB instance and cluster enhanced monitoring should be enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description

The NIST Cybersecurity Framework (CSF) v1 requires that RDS (Relational Database Service) DB instances and clusters have enhanced monitoring enabled. Enhanced monitoring provides additional visibility into the performance and resource utilization of your RDS resources, helping to identify potential issues and optimize database performance.

Troubleshooting Steps (if applicable)

If you encounter any issues while enabling enhanced monitoring for RDS DB instances or clusters, you can follow these troubleshooting steps:

  1. Verify IAM Role: Ensure that the IAM role associated with your RDS DB instance or cluster has the necessary permissions to enable enhanced monitoring. The IAM role should have the AmazonRDSEnhancedMonitoringRole policy attached.

  2. Check DB Instance/Cluster Engine Version: Enhanced monitoring is available for specific versions of RDS engines. Ensure that you are using a supported engine version for your DB instance or cluster. You can refer to the AWS documentation for the list of supported engine versions.

  3. Confirm Available Storage Space: Enhanced monitoring requires additional storage space to store performance metrics. Check the available storage space for your RDS instance or cluster, and make sure it has sufficient capacity to accommodate the enhanced monitoring data.

  4. Verify Network Connectivity: Ensure that your RDS instance or cluster has proper network connectivity to communicate with the CloudWatch service. Check the security group rules and network settings to ensure there are no restrictions blocking the communication.

Necessary Codes (if applicable)

To enable enhanced monitoring for RDS DB instances or clusters, you need to use the AWS Command Line Interface (CLI) or SDKs. There is no code specific to this rule/policy. However, you can use the following AWS CLI command as an example:

    aws rds modify-db-instance --db-instance-identifier <instance_id> --monitoring-interval <interval> --monitoring-role-arn <role_arn>

Replace <instance_id> with the ID of your RDS DB instance, <interval> with the desired monitoring interval (in seconds), and <role_arn> with the ARN of the IAM role that has the AmazonRDSEnhancedMonitoringRole policy attached. The role ARN is required whenever the interval is set to a value other than 0. Note that the interval must be one of the supported values (1, 5, 10, 15, 30, 60) as per AWS documentation.

Step-by-Step Guide for Remediation

To enable enhanced monitoring for your RDS DB instances or clusters as per the NIST CSF v1, follow these step-by-step instructions:

  1. Log in to the AWS Management Console.

  2. Go to the Amazon RDS service.

  3. Select the appropriate region.

  4. Click on "DB instances" or "Clusters" from the left-hand menu, depending on whether you want to enable enhanced monitoring for individual instances or clusters.

  5. Choose the specific DB instance or cluster for which you want to enable enhanced monitoring.

  6. Click on the "Actions" button, and then select "Modify" from the dropdown list.

  7. In the "Modify DB Instance" or "Modify Cluster" page, scroll down to the "Monitoring" section.

  8. Check the box for "Enable enhanced monitoring".

  9. Specify the desired monitoring interval from the dropdown list (1, 5, 10, 15, 30, or 60 seconds).

  10. Review any other settings you want to modify, if applicable.

  11. Click on the "Modify" button to apply the changes.

  12. Wait for the modification to complete. This process may take a few minutes.

  13. Once the modification is completed, enhanced monitoring will be enabled for your RDS DB instance or cluster as per the NIST CSF v1.

Remember to repeat these steps for each DB instance or cluster that needs enhanced monitoring enabled.
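
To find which instances still need the change, the rule's check can be run over the output of `aws rds describe-db-instances`. The following is an added example, not code from Cloud Defense or AWS: the sample response is constructed, the function names are hypothetical, and <role_arn> is a placeholder for the ARN of your monitoring role.

```python
import json
import shlex

# Monitoring intervals (seconds) the page lists as supported; 0 means disabled.
SUPPORTED_INTERVALS = (1, 5, 10, 15, 30, 60)

# Constructed sample shaped like `aws rds describe-db-instances` output
# (instance names and the account ID are made up for illustration).
SAMPLE_RESPONSE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-db", "Engine": "postgres",
   "MonitoringInterval": 60,
   "MonitoringRoleArn": "arn:aws:iam::111122223333:role/rds-monitoring-role"},
  {"DBInstanceIdentifier": "reports-db", "Engine": "mysql",
   "MonitoringInterval": 0},
  {"DBInstanceIdentifier": "legacy-db", "Engine": "mariadb"}
]}
""")


def find_unmonitored(response):
    """Return identifiers of instances whose enhanced monitoring is off."""
    failing = []
    for db in response.get("DBInstances", []):
        # A missing or zero MonitoringInterval means monitoring is disabled.
        if db.get("MonitoringInterval", 0) not in SUPPORTED_INTERVALS:
            failing.append(db["DBInstanceIdentifier"])
    return failing


def remediation_command(instance_id, interval=60, role_arn="<role_arn>"):
    """Build the modify-db-instance command for one failing instance."""
    if interval not in SUPPORTED_INTERVALS:
        raise ValueError(f"unsupported monitoring interval: {interval}")
    return (
        "aws rds modify-db-instance"
        f" --db-instance-identifier {shlex.quote(instance_id)}"
        f" --monitoring-interval {interval}"
        # The role ARN must be supplied when the interval is non-zero.
        f" --monitoring-role-arn {role_arn}"
    )


if __name__ == "__main__":
    for name in find_unmonitored(SAMPLE_RESPONSE):
        print(remediation_command(name))
```

To audit a real account, replace SAMPLE_RESPONSE with the parsed JSON output of `aws rds describe-db-instances` for each region in use.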

Conclusion

Enabling enhanced monitoring for RDS DB instances and clusters aligns with the NIST Cybersecurity Framework (CSF) v1 requirements. By following the troubleshooting steps and step-by-step guide provided, you can effectively enable enhanced monitoring and ensure improved visibility and performance optimization for your RDS resources.
