Control: 6 Enhanced monitoring should be configured for RDS DB instances and clusters
Description
This control checks whether enhanced monitoring is enabled for your RDS DB instances.
In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.
Remediation
For detailed instructions on how to enable Enhanced Monitoring for your DB instance, see Setting up for and enabling Enhanced Monitoring.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_rds_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_6 --share
SQL
This control uses a named query:
(
  -- DB clusters: status is derived from enabled_cloudwatch_logs_exports.
  select
    arn as resource,
    case
      when enabled_cloudwatch_logs_exports is not null then 'ok'
      else 'alarm'
    end as status,
    case
      when enabled_cloudwatch_logs_exports is not null then title || ' enhanced monitoring enabled.'
      else title || ' enhanced monitoring not enabled.'
    end as reason,
    region,
    account_id
  from
    aws_rds_db_cluster
)
union
(
  -- DB instances: db.m1.small is skipped; otherwise status is derived from enhanced_monitoring_resource_arn.
  select
    arn as resource,
    case
      when class = 'db.m1.small' then 'skip'
      when enhanced_monitoring_resource_arn is not null then 'ok'
      else 'alarm'
    end as status,
    case
      when class = 'db.m1.small' then title || ' enhanced monitoring not supported.'
      when enhanced_monitoring_resource_arn is not null then title || ' enhanced monitoring enabled.'
      else title || ' enhanced monitoring not enabled.'
    end as reason,
    region,
    account_id
  from
    aws_rds_db_instance
);
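The instance half of the query above, applied to a response shaped like the RDS DescribeDBInstances API output, with the `aws rds modify-db-instance` command that turns Enhanced Monitoring on for each alarm. This is an added example, not code from the aws_compliance mod: the sample response, both ARNs and the function names are constructed, and treating a MonitoringInterval of 0 as disabled even when an ARN is present is a stricter assumption than the page's query.

```python
# Added example: sample data, ARNs and function names are constructed placeholders.
from shlex import quote

ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-rds-monitoring-role"  # placeholder
LOG_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:RDSOSMetrics:log-stream:db-EXAMPLE"

SAMPLE_RESPONSE = {  # constructed, shaped like a DescribeDBInstances response
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "DBInstanceClass": "db.r5.large",
         "MonitoringInterval": 60, "EnhancedMonitoringResourceArn": LOG_ARN},
        {"DBInstanceIdentifier": "legacy-db", "DBInstanceClass": "db.m1.small",
         "MonitoringInterval": 0},
        {"DBInstanceIdentifier": "reports-db", "DBInstanceClass": "db.t3.medium",
         "MonitoringInterval": 0},
        {"DBInstanceIdentifier": "stale-db", "DBInstanceClass": "db.t3.medium",
         "MonitoringInterval": 0, "EnhancedMonitoringResourceArn": LOG_ARN},
    ]
}

def evaluate(instance):
    """Return (status, reason) using the control's skip/ok/alarm vocabulary."""
    name = instance["DBInstanceIdentifier"]
    if instance.get("DBInstanceClass") == "db.m1.small":
        return "skip", f"{name} enhanced monitoring not supported."
    has_arn = bool(instance.get("EnhancedMonitoringResourceArn"))
    interval = instance.get("MonitoringInterval") or 0  # 0 means collection is off
    if has_arn and interval > 0:
        return "ok", f"{name} enhanced monitoring enabled ({interval}s interval)."
    return "alarm", f"{name} enhanced monitoring not enabled."

def remediation_command(instance, role_arn=ROLE_ARN, interval=60):
    """Build the CLI call that enables Enhanced Monitoring on one instance."""
    return " ".join([
        "aws rds modify-db-instance",
        "--db-instance-identifier", quote(instance["DBInstanceIdentifier"]),
        "--monitoring-interval", str(interval),
        "--monitoring-role-arn", quote(role_arn),
    ])

def audit(response):
    """Evaluate every instance; attach a fix only to alarms."""
    findings = []
    for inst in response.get("DBInstances", []):
        status, reason = evaluate(inst)
        fix = remediation_command(inst) if status == "alarm" else None
        findings.append({"resource": inst["DBInstanceIdentifier"],
                         "status": status, "reason": reason, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print(f["status"].upper(), f["reason"], f["fix"] or "")
```

The role passed to `--monitoring-role-arn` must be one that RDS can assume to publish the OS metrics to CloudWatch Logs.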