🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 21 An RDS event notifications subscription should be configured for critical database parameter group events

Description

This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.

DBParameterGroup: ["configuration change"]

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see Using Using Amazon RDS event notification in the Amazon RDS User Guide.

Remediation

To subscribe to RDS database parameter group event notifications

  1. Open the Amazon RDS console

  2. In the navigation pane, choose Event subscriptions.

  3. Under Event subscriptions, choose Create event subscription.

  4. In the Create event subscription dialog, do the following:

    a. For Name, enter a name for the event notification subscription.

    b. For Send notifications to, choose an existing Amazon SNS ARN for an SNS topic. To use a new topic, choose create topic to enter the name of a topic and a list of recipients.

    c. For Source type, choose Parameter groups.

    d. Under Instances to include, select All parameter groups.

    e. Under Event categories to include, select Specific event categories. The control also passes if you select All event categories.

    f. Select configuration change.

    g. Choose Create.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_21

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_21 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when source_type <> 'db-parameter-group' then 'skip'
    when source_type = 'db-parameter-group' and enabled and event_categories_list @> '["maintenance", "failure"]' then 'ok'
    else 'alarm'
  end as status,
  case
    when source_type <> 'db-parameter-group' then cust_subscription_id || ' event subscription of ' || source_type || ' type.'
    when source_type = 'db-parameter-group' and enabled and event_categories_list @> '["configuration change"]' then cust_subscription_id || ' event subscription enabled for critical database parameter group events.'
    else cust_subscription_id || ' event subscription missing critical database parameter group events.'
  end as reason
  , region, account_id
from
  aws_rds_db_event_subscription;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = application_monitoring
foundational_security_item_id = rds_21
plugin = aws
service = AWS/RDS