Control: An RDS event notifications subscription should be configured for critical database parameter group events
Description
This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.rds_db_parameter_group_events_subscription
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.rds_db_parameter_group_events_subscription --share
SQL
This control uses a named query. The status and reason expressions both test for the "configuration change" category (the critical parameter group event); the original status branch checked '["maintenance", "failure"]', which contradicted the reason text and is corrected here. Note that only existing subscriptions are evaluated: an account with no event subscriptions at all produces no rows, and therefore no alarm.
select
  arn as resource,
  case
    when source_type <> 'db-parameter-group' then 'skip'
    -- @> is JSON containment: extra categories are allowed, order is irrelevant,
    -- and a null category list never satisfies it (the row falls through to 'alarm')
    when source_type = 'db-parameter-group' and enabled and event_categories_list @> '["configuration change"]' then 'ok'
    else 'alarm'
  end as status,
  case
    when source_type <> 'db-parameter-group' then cust_subscription_id || ' event subscription of ' || source_type || ' type.'
    when source_type = 'db-parameter-group' and enabled and event_categories_list @> '["configuration change"]' then cust_subscription_id || ' event subscription enabled for critical database parameter group events.'
    else cust_subscription_id || ' event subscription missing critical database parameter group events.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_event_subscription;
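The following is an added example, not code from the Powerpipe mod or from Turbot: it re-implements the control's CASE logic in Python so the skip/ok/alarm outcomes can be exercised against constructed subscription rows, including the containment semantics of the `@>` operator (extra categories are fine, order does not matter, a missing list never matches). The ARNs, subscription names and the account id 111122223333 are constructed sample values.

```python
# Added example: mirrors the control's status/reason logic outside Postgres so
# the edge cases (disabled, wrong category, superset of categories, other source
# type, null category list) can be checked on constructed rows.
import json

REQUIRED_SOURCE_TYPE = "db-parameter-group"
REQUIRED_CATEGORIES = {"configuration change"}  # the critical parameter group event


def evaluate(subscription: dict) -> dict:
    """Return resource/status/reason for one aws_rds_db_event_subscription row.

    Mirrors the CASE expressions of the control's query:
      * subscriptions for other source types are 'skip'
      * an enabled db-parameter-group subscription whose category list contains
        every required category is 'ok'
      * anything else, including a null category list, is 'alarm'
    """
    source_type = subscription["source_type"]
    sub_id = subscription["cust_subscription_id"]
    raw_categories = subscription.get("event_categories_list")
    # The SQL uses JSON containment (@>); a null list makes the predicate null,
    # which the CASE treats as false, so a None list can never be 'ok'.
    categories = set(json.loads(raw_categories)) if raw_categories is not None else set()

    if source_type != REQUIRED_SOURCE_TYPE:
        status = "skip"
        reason = f"{sub_id} event subscription of {source_type} type."
    elif subscription["enabled"] and REQUIRED_CATEGORIES <= categories:
        status = "ok"
        reason = f"{sub_id} event subscription enabled for critical database parameter group events."
    else:
        status = "alarm"
        reason = f"{sub_id} event subscription missing critical database parameter group events."
    return {"resource": subscription["arn"], "status": status, "reason": reason}


# Constructed sample rows (hypothetical account, region and subscription names).
SAMPLE_ROWS = [
    {"arn": "arn:aws:rds:us-east-1:111122223333:es:pg-config-alerts",
     "cust_subscription_id": "pg-config-alerts", "source_type": "db-parameter-group",
     "enabled": True, "event_categories_list": '["configuration change"]'},
    {"arn": "arn:aws:rds:us-east-1:111122223333:es:pg-all-events",
     "cust_subscription_id": "pg-all-events", "source_type": "db-parameter-group",
     "enabled": True, "event_categories_list": '["failure", "configuration change"]'},
    {"arn": "arn:aws:rds:us-east-1:111122223333:es:pg-disabled",
     "cust_subscription_id": "pg-disabled", "source_type": "db-parameter-group",
     "enabled": False, "event_categories_list": '["configuration change"]'},
    {"arn": "arn:aws:rds:us-east-1:111122223333:es:pg-wrong-category",
     "cust_subscription_id": "pg-wrong-category", "source_type": "db-parameter-group",
     "enabled": True, "event_categories_list": '["maintenance", "failure"]'},
    {"arn": "arn:aws:rds:us-east-1:111122223333:es:pg-no-filter",
     "cust_subscription_id": "pg-no-filter", "source_type": "db-parameter-group",
     "enabled": True, "event_categories_list": None},
    {"arn": "arn:aws:rds:us-east-1:111122223333:es:instance-alerts",
     "cust_subscription_id": "instance-alerts", "source_type": "db-instance",
     "enabled": True, "event_categories_list": '["failure"]'},
]


def run_control(rows=SAMPLE_ROWS) -> dict:
    """Evaluate every row and return {subscription_id: status}."""
    return {r["cust_subscription_id"]: evaluate(r)["status"] for r in rows}


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        result = evaluate(row)
        print(f"{result['status']:5}  {result['reason']}")
```

The pg-no-filter row illustrates a caveat worth knowing when triaging alarms: if the Steampipe column carries no category list (which is how an unfiltered subscription would appear if the plugin stores it as null), both the SQL and this example report alarm even though such a subscription receives every event category, so verify the subscription's actual category filter in the console or via describe-event-subscriptions before treating the alarm as a real gap.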