turbot/steampipe-mod-aws-compliance

Control: An RDS event notifications subscription should be configured for critical database instance events

Description

This control checks whether an AWS RDS event subscription exists, with notifications enabled, for the db-instance source type covering the failure, maintenance and configuration change event categories. Subscriptions for other source types (for example db-cluster or db-parameter-group) are skipped; a db-instance subscription that is disabled, or that does not include all three categories, raises an alarm.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.rds_db_instance_events_subscription

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.rds_db_instance_events_subscription --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    -- only db-instance subscriptions are in scope; other source types are skipped
    when source_type <> 'db-instance' then 'skip'
    -- jsonb containment: the category list must include all three required categories, in any order;
    -- extra categories are fine
    when source_type = 'db-instance' and enabled and event_categories_list @> '["failure", "maintenance", "configuration change"]' then 'ok'
    -- disabled subscriptions and subscriptions missing a category both land here
    else 'alarm'
  end as status,
  case
    when source_type <> 'db-instance' then cust_subscription_id || ' event subscription of ' || source_type || ' type.'
    when source_type = 'db-instance' and enabled and event_categories_list @> '["failure", "maintenance", "configuration change"]' then cust_subscription_id || ' event subscription enabled for critical instance events.'
    else cust_subscription_id || ' event subscription missing critical instance events.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_event_subscription;
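To see how each branch of the control behaves, the following added example (not code from the mod) runs the same status logic over constructed rows shaped like the Steampipe aws_rds_db_event_subscription table, so it works in plain PostgreSQL without an AWS account. The subscription names, ARNs and account ID are made up, and the empty-category row rests on an assumption spelled out in its comment.

```sql
-- Added example, not part of the mod: exercise the control's status logic
-- against constructed rows mirroring the Steampipe aws_rds_db_event_subscription
-- columns. Names, ARNs and the account ID are fabricated for illustration.
with sample_subscriptions (cust_subscription_id, arn, source_type, enabled,
                           event_categories_list, region, account_id) as (
  values
    -- superset of the required categories, listed in a different order
    ('prod-db-critical',
     'arn:aws:rds:us-east-1:123456789012:es:prod-db-critical',
     'db-instance', true,
     '["configuration change", "failure", "maintenance", "backup"]'::jsonb,
     'us-east-1', '123456789012'),
    -- "configuration change" is missing from the list
    ('prod-db-partial',
     'arn:aws:rds:us-east-1:123456789012:es:prod-db-partial',
     'db-instance', true,
     '["failure", "maintenance"]'::jsonb,
     'us-east-1', '123456789012'),
    -- all three categories present, but notifications are disabled
    ('prod-db-disabled',
     'arn:aws:rds:us-east-1:123456789012:es:prod-db-disabled',
     'db-instance', false,
     '["failure", "maintenance", "configuration change"]'::jsonb,
     'us-east-1', '123456789012'),
    -- cluster-level subscription, out of scope for this control
    ('prod-cluster',
     'arn:aws:rds:us-east-1:123456789012:es:prod-cluster',
     'db-cluster', true,
     '["failure", "maintenance", "configuration change"]'::jsonb,
     'us-east-1', '123456789012'),
    -- subscription created without explicit categories. RDS delivers every
    -- category to such a subscription; this row ASSUMES the API reports it as
    -- an empty list. jsonb containment does not treat [] as "all categories",
    -- so the control's logic cannot give such a subscription an ok status.
    -- Check how your own account reports these before relying on that reading.
    ('prod-db-all-events',
     'arn:aws:rds:us-east-1:123456789012:es:prod-db-all-events',
     'db-instance', true,
     '[]'::jsonb,
     'us-east-1', '123456789012')
),
-- the control's query, unchanged except that it reads from the CTE
evaluated as (
  select
    arn as resource,
    case
      when source_type <> 'db-instance' then 'skip'
      when source_type = 'db-instance' and enabled
           and event_categories_list @> '["failure", "maintenance", "configuration change"]' then 'ok'
      else 'alarm'
    end as status,
    case
      when source_type <> 'db-instance' then cust_subscription_id || ' event subscription of ' || source_type || ' type.'
      when source_type = 'db-instance' and enabled
           and event_categories_list @> '["failure", "maintenance", "configuration change"]' then cust_subscription_id || ' event subscription enabled for critical instance events.'
      else cust_subscription_id || ' event subscription missing critical instance events.'
    end as reason,
    region,
    account_id
  from sample_subscriptions
)
select resource, status, reason
from evaluated
order by status, resource;
```

Run it with psql against any PostgreSQL database. Only prod-db-critical reaches ok, which shows that the @> check is order-insensitive and tolerates extra categories; prod-cluster is skipped, and the other three rows alarm, including the disabled subscription whose reason text still says "missing critical instance events". The prod-db-all-events row is the caveat worth knowing about: a subscription that RDS treats as subscribed to everything is, under this control's containment test, indistinguishable from one with no categories at all.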

Tags