RDS Cluster Critical Event Subscription

Overview

This check verifies that Amazon RDS event notification subscriptions are configured for database cluster events, specifically covering maintenance and failure event categories.

RDS event notifications alert you when important things happen to your database clusters, such as scheduled maintenance windows, failovers, or unexpected failures. Without these notifications, you might miss critical events that require your attention.

Risk

Without event subscriptions for critical events:

  • Missed maintenance windows: You may not know when AWS is performing maintenance on your clusters
  • Undetected failures: Database failovers or node failures could go unnoticed
  • Increased downtime: Delayed awareness leads to longer mean time to recovery (MTTR)
  • Unaddressed degraded states: A failed reader or an unhandled failover can leave the cluster running degraded, with replication lag growing, until someone happens to notice

Remediation Steps

Prerequisites

You need:

  • An SNS topic to receive notifications (you can create one during setup)
  • Permission to create RDS event subscriptions
Required IAM permissions

Your IAM user or role needs these permissions. "Resource": "*" is the simplest form for this walkthrough; in a hardened account, scope the sns:Subscribe and sns:Publish-style actions to the specific topic ARN and the rds:CreateEventSubscription action to the subscription ARN where your policy tooling allows it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateEventSubscription",
        "rds:DescribeEventSubscriptions",
        "sns:ListTopics",
        "sns:CreateTopic",
        "sns:Subscribe"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon RDS console
  2. In the left navigation pane, choose Event subscriptions
  3. Click Create event subscription
  4. Configure the subscription:
    • Name: Enter a descriptive name (e.g., rds-cluster-critical-events)
    • Target: Choose an existing SNS topic or select New email topic to create one
      • If creating a new topic, enter a topic name and email addresses to notify
    • Source type: Select Clusters
    • Event categories to include: Choose Select specific event categories, then check:
      • maintenance
      • failure
  5. Click Create
  6. If you created a new email topic, check your email and confirm the subscription
AWS CLI

First, ensure you have an SNS topic. If you need to create one:

aws sns create-topic \
--name rds-cluster-alerts \
--region us-east-1

Note the ARN returned (e.g., arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts).

Subscribe an email address to the topic:

aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts \
--protocol email \
--notification-endpoint your-email@example.com \
--region us-east-1

Then create the RDS event subscription:

aws rds create-event-subscription \
--subscription-name rds-cluster-critical-events \
--sns-topic-arn arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts \
--source-type db-cluster \
--event-categories maintenance failure \
--enabled \
--region us-east-1

To monitor specific clusters only (optional), add the --source-ids parameter:

aws rds create-event-subscription \
--subscription-name rds-cluster-critical-events \
--sns-topic-arn arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts \
--source-type db-cluster \
--source-ids my-cluster-1 my-cluster-2 \
--event-categories maintenance failure \
--enabled \
--region us-east-1
CloudFormation
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Cluster Event Subscription for Critical Events

Parameters:
  SubscriptionName:
    Type: String
    Description: Name for the RDS event subscription
    Default: rds-cluster-critical-events

  SNSTopicArn:
    Type: String
    Description: ARN of the SNS topic for notifications

Resources:
  RDSClusterEventSubscription:
    Type: AWS::RDS::EventSubscription
    Properties:
      SubscriptionName: !Ref SubscriptionName
      SnsTopicArn: !Ref SNSTopicArn
      SourceType: db-cluster
      EventCategories:
        - maintenance
        - failure
      Enabled: true

Outputs:
  EventSubscriptionName:
    Description: Name of the created event subscription
    Value: !Ref RDSClusterEventSubscription

Deploy the stack:

aws cloudformation create-stack \
--stack-name rds-cluster-event-subscription \
--template-body file://template.yaml \
--parameters \
ParameterKey=SNSTopicArn,ParameterValue=arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts \
--region us-east-1
Terraform
variable "subscription_name" {
  description = "Name for the RDS event subscription"
  type        = string
  default     = "rds-cluster-critical-events"
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for notifications"
  type        = string
}

resource "aws_db_event_subscription" "cluster_critical_events" {
  name             = var.subscription_name
  sns_topic        = var.sns_topic_arn
  source_type      = "db-cluster"
  event_categories = ["maintenance", "failure"]
  enabled          = true

  tags = {
    Name      = var.subscription_name
    Purpose   = "RDS cluster critical event notifications"
    ManagedBy = "Terraform"
  }
}

output "event_subscription_id" {
  description = "The ID of the RDS event subscription"
  value       = aws_db_event_subscription.cluster_critical_events.id
}

output "event_subscription_arn" {
  description = "The ARN of the RDS event subscription"
  value       = aws_db_event_subscription.cluster_critical_events.arn
}

Apply the configuration:

terraform init
terraform plan -var="sns_topic_arn=arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts"
terraform apply -var="sns_topic_arn=arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts"

Verification

After creating the subscription:

  1. Go to the RDS Event subscriptions page
  2. Find your subscription in the list
  3. Verify that:
    • Status shows active
    • Source type shows db-cluster
    • Event categories includes maintenance and failure
CLI verification
aws rds describe-event-subscriptions \
--subscription-name rds-cluster-critical-events \
--region us-east-1 \
--query 'EventSubscriptionsList[0].{Name:CustSubscriptionId,Status:Status,SourceType:SourceType,Categories:EventCategoriesList}'

Expected output:

{
  "Name": "rds-cluster-critical-events",
  "Status": "active",
  "SourceType": "db-cluster",
  "Categories": ["maintenance", "failure"]
}

A Status of creating is normal immediately after creation; re-run the command after a short wait. Two other values indicate a broken subscription rather than a pending one: no-permission means RDS is not allowed to publish to the topic (check the topic access policy and, for encrypted topics, the KMS key policy), and topic-not-exist means the topic was deleted after the subscription was created. A subscription in either state delivers nothing even though it still appears in the list.

To list all event subscriptions:

aws rds describe-event-subscriptions \
--region us-east-1 \
--query 'EventSubscriptionsList[?SourceType==`db-cluster`]'
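The pass criteria of this check can be applied mechanically to the output of the command above. The following script is an added example written for this page; it is not the check's own implementation or any project's code. It reads the JSON from aws rds describe-event-subscriptions on stdin (or fetches it with boto3 when run with --live, which needs credentials) and reports which db-cluster subscriptions satisfy the check, treating an absent SourceType as "all source types" and an empty EventCategoriesList as "all categories", as the RDS API does. The embedded SAMPLE subscriptions are constructed for illustration; the non-active status values it flags are the ones documented for DescribeEventSubscriptions.

```python
"""Evaluate RDS event subscriptions for the cluster critical-event check.

  aws rds describe-event-subscriptions --region us-east-1 | python check_rds_subs.py
  python check_rds_subs.py --live   # fetch with boto3 (needs AWS credentials)
  python check_rds_subs.py          # run against the constructed SAMPLE below
"""
import json
import sys

# Categories the check requires for db-cluster sources.
REQUIRED_CATEGORIES = frozenset({"maintenance", "failure"})

# Constructed sample in the shape of `aws rds describe-event-subscriptions` output.
SAMPLE = {"EventSubscriptionsList": [
    {   # account-wide, both categories: satisfies the check on its own
        "CustSubscriptionId": "rds-cluster-critical-events", "Status": "active",
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts",
        "SourceType": "db-cluster", "EventCategoriesList": ["maintenance", "failure"],
        "Enabled": True},
    {   # limited to one cluster via --source-ids
        "CustSubscriptionId": "prod-cluster-only", "Status": "active",
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:prod-alerts",
        "SourceType": "db-cluster", "SourceIdsList": ["prod-aurora"],
        "EventCategoriesList": ["failover", "failure", "maintenance"], "Enabled": True},
    {   # instance events only: not relevant to this check
        "CustSubscriptionId": "instance-events", "Status": "active",
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts",
        "SourceType": "db-instance", "EventCategoriesList": ["failure"], "Enabled": True},
    {   # topic deleted after the subscription was created
        "CustSubscriptionId": "stale-topic", "Status": "topic-not-exist",
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:old-alerts",
        "SourceType": "db-cluster", "EventCategoriesList": ["maintenance", "failure"],
        "Enabled": True},
    {   # disabled, and missing the failure category
        "CustSubscriptionId": "maintenance-only", "Status": "active",
        "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:rds-cluster-alerts",
        "SourceType": "db-cluster", "EventCategoriesList": ["maintenance"], "Enabled": False},
]}


def covers_clusters(sub):
    """A subscription with no SourceType receives events from every source type."""
    return sub.get("SourceType") in (None, "", "db-cluster")


def covered_categories(sub):
    """An empty EventCategoriesList means every category for the source type."""
    cats = sub.get("EventCategoriesList") or []
    return frozenset(cats) if cats else REQUIRED_CATEGORIES


def subscription_problems(sub):
    """Reasons a db-cluster subscription does not satisfy the check (empty list = OK)."""
    problems = []
    if not sub.get("Enabled", False):
        problems.append("disabled")
    status = sub.get("Status")
    if status != "active":
        # 'no-permission': RDS cannot publish to the topic; 'topic-not-exist': topic deleted
        problems.append("status is %r (expected 'active')" % status)
    missing = REQUIRED_CATEGORIES - covered_categories(sub)
    if missing:
        problems.append("missing categories: " + ", ".join(sorted(missing)))
    return problems


def evaluate(subscriptions):
    """Return {pass, account_wide, cluster_scoped, findings}.

    The check passes only if at least one healthy subscription covers ALL clusters;
    cluster-scoped subscriptions are reported separately so coverage gaps are visible.
    """
    account_wide, cluster_scoped, findings = [], {}, []
    for sub in subscriptions:
        name = sub.get("CustSubscriptionId", "<unnamed>")
        if not covers_clusters(sub):
            continue
        problems = subscription_problems(sub)
        if problems:
            findings.append(name + ": " + "; ".join(problems))
        elif sub.get("SourceIdsList"):
            cluster_scoped[name] = sorted(sub["SourceIdsList"])
        else:
            account_wide.append(name)
    return {"pass": bool(account_wide), "account_wide": account_wide,
            "cluster_scoped": cluster_scoped, "findings": findings}


def load_live_subscriptions():
    """Fetch every subscription in the configured region with boto3 (needs credentials)."""
    import boto3  # imported here so the offline paths need no AWS SDK
    paginator = boto3.client("rds").get_paginator("describe_event_subscriptions")
    return [s for page in paginator.paginate() for s in page["EventSubscriptionsList"]]


if __name__ == "__main__":
    if "--live" in sys.argv[1:]:
        subs = load_live_subscriptions()
    elif not sys.stdin.isatty():
        subs = json.load(sys.stdin)["EventSubscriptionsList"]
    else:
        subs = SAMPLE["EventSubscriptionsList"]
    result = evaluate(subs)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["pass"] else 1)
```

Against the constructed sample, the script passes on the strength of rds-cluster-critical-events alone, lists prod-cluster-only as cluster-scoped, ignores the db-instance subscription, and reports stale-topic and maintenance-only as findings. The non-zero exit code on failure lets it run as a gate in a pipeline.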

Notes

  • SNS topic type: RDS does not support FIFO (first-in, first-out) SNS topics. Use standard topics only.
  • Multiple subscriptions: You can create multiple subscriptions for different event categories or notification targets.
  • Specific clusters: By default, the subscription monitors all clusters. Use source IDs to limit to specific clusters.
  • Email confirmation: If using email notifications, recipients must confirm their subscription before receiving alerts.
  • Cross-account: The SNS topic must be in the same AWS account as the RDS event subscription.
  • Encryption: If your SNS topic uses server-side encryption (SSE), ensure RDS has permissions to access the KMS key.