RDS Instance Critical Event Subscription
Overview
This check verifies that Amazon RDS event notification subscriptions are configured to capture critical database instance events, specifically: maintenance, configuration change, and failure events.
Event subscriptions publish a message to an SNS topic whenever an event in the selected categories occurs on the selected RDS resources, so your team learns about issues that may require attention without polling the console.
Risk
Without event subscriptions for critical events, you may miss important notifications about:
- Maintenance windows - Scheduled updates or patches that could affect availability
- Configuration changes - Modifications to database settings (intentional or accidental)
- Failures - Database outages, connection issues, or system errors
This lack of visibility can lead to delayed incident response, extended downtime, and undetected misconfigurations.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to manage RDS and SNS
- An email address or endpoint to receive notifications
Required IAM permissions
Your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateEventSubscription",
        "rds:DescribeEventSubscriptions",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:SetTopicAttributes"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
Step 1: Create an SNS topic (if you don't have one)
- Open the Amazon SNS console
- Click Topics in the left menu, then Create topic
- Choose Standard type (RDS does not support FIFO topics)
- Enter a name like rds-instance-critical-events
- Click Create topic
- On the topic page, click Create subscription
- Choose Email as the protocol and enter your email address
- Click Create subscription
- Check your email and confirm the subscription
Step 2: Create the RDS event subscription
- Open the Amazon RDS console
- Click Event subscriptions in the left menu
- Click Create event subscription
- Enter a name like rds-instance-critical-events
- For Target, choose New email topic to have RDS create a topic and email subscription for you, or ARN to use an existing SNS topic (for an existing topic, make sure its access policy lets RDS publish to it)
- Under Source:
- Set Source type to Instances
- Choose All instances or select specific instances
- Under Event categories to include, select:
- maintenance
- configuration change
- failure
- Click Create
AWS CLI (optional)
Create SNS topic:
aws sns create-topic \
--name rds-instance-critical-events \
--region us-east-1
Note the TopicArn from the output.
Subscribe to the topic:
aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:<account-id>:rds-instance-critical-events \
--protocol email \
--notification-endpoint your-email@example.com \
--region us-east-1
Grant RDS permission to publish to the topic. A topic created with create-topic has only SNS's default access policy, which does not mention the RDS service principal (events.rds.amazonaws.com); if RDS is not allowed to publish, create-event-subscription fails with SNSNoAuthorizationFault and an existing subscription shows Status: no-permission. The CloudFormation and Terraform templates below attach this policy automatically; on the CLI path, save it as rds-topic-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDSToPublish",
      "Effect": "Allow",
      "Principal": { "Service": "events.rds.amazonaws.com" },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:<account-id>:rds-instance-critical-events",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "<account-id>" }
      }
    }
  ]
}
The SourceAccount condition keeps RDS resources in other accounts from publishing to your topic. Attach the policy:
aws sns set-topic-attributes \
--topic-arn arn:aws:sns:us-east-1:<account-id>:rds-instance-critical-events \
--attribute-name Policy \
--attribute-value file://rds-topic-policy.json \
--region us-east-1
Create the RDS event subscription:
aws rds create-event-subscription \
--subscription-name rds-instance-critical-events \
--sns-topic-arn arn:aws:sns:us-east-1:<account-id>:rds-instance-critical-events \
--source-type db-instance \
--event-categories "maintenance" "configuration change" "failure" \
--enabled \
--region us-east-1
Replace <account-id> with your AWS account ID in the policy file and in both commands.
CloudFormation (optional)
This template creates an SNS topic, email subscription, and RDS event subscription for critical instance events.
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Instance Critical Event Subscription
Parameters:
  SubscriptionName:
    Type: String
    Description: Name for the RDS event subscription
    Default: rds-instance-critical-events
  NotificationEmail:
    Type: String
    Description: Email address to receive notifications
Resources:
  RDSEventsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub '${SubscriptionName}-topic'
      DisplayName: RDS Instance Critical Events
  # RDS publishes event notifications as the events.rds.amazonaws.com service
  # principal. The SourceAccount condition keeps RDS resources in other
  # accounts from publishing to this topic.
  RDSEventsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref RDSEventsTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowRDSToPublish
            Effect: Allow
            Principal:
              Service: events.rds.amazonaws.com
            Action: sns:Publish
            Resource: !Ref RDSEventsTopic
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
  # The email endpoint must confirm the subscription before it receives anything.
  EmailSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref RDSEventsTopic
      Protocol: email
      Endpoint: !Ref NotificationEmail
  # Created only after the topic policy exists; otherwise RDS rejects the
  # topic as unauthorized when the subscription is created.
  RDSInstanceEventSubscription:
    Type: AWS::RDS::EventSubscription
    DependsOn: RDSEventsTopicPolicy
    Properties:
      SubscriptionName: !Ref SubscriptionName
      SnsTopicArn: !Ref RDSEventsTopic
      SourceType: db-instance
      EventCategories:
        - maintenance
        - configuration change
        - failure
      Enabled: true
Outputs:
  SubscriptionName:
    Description: Name of the RDS event subscription
    Value: !Ref RDSInstanceEventSubscription
  SNSTopicArn:
    Description: ARN of the SNS topic for notifications
    Value: !Ref RDSEventsTopic
Deploy the stack:
aws cloudformation deploy \
--template-file rds-event-subscription.yaml \
--stack-name rds-instance-critical-events \
--parameter-overrides NotificationEmail=your-email@example.com \
--region us-east-1
Terraform (optional)
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "subscription_name" {
  description = "Name for the RDS event subscription"
  type        = string
  default     = "rds-instance-critical-events"
}

variable "notification_email" {
  description = "Email address to receive notifications"
  type        = string
}

# Account ID for the topic policy condition below
data "aws_caller_identity" "current" {}

# SNS Topic for RDS Events
resource "aws_sns_topic" "rds_events" {
  name         = "${var.subscription_name}-topic"
  display_name = "RDS Instance Critical Events"
}

# SNS Topic Policy to allow RDS to publish. RDS publishes event notifications
# as the events.rds.amazonaws.com service principal; the SourceAccount
# condition keeps RDS resources in other accounts from publishing here.
resource "aws_sns_topic_policy" "rds_events" {
  arn = aws_sns_topic.rds_events.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowRDSToPublish"
        Effect = "Allow"
        Principal = {
          Service = "events.rds.amazonaws.com"
        }
        Action   = "sns:Publish"
        Resource = aws_sns_topic.rds_events.arn
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}

# Email subscription to SNS topic (must be confirmed from the mailbox)
resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.rds_events.arn
  protocol  = "email"
  endpoint  = var.notification_email
}

# RDS Event Subscription for critical instance events. Created only after the
# topic policy is in place; otherwise RDS rejects the topic as unauthorized.
resource "aws_db_event_subscription" "instance_critical" {
  name        = var.subscription_name
  sns_topic   = aws_sns_topic.rds_events.arn
  source_type = "db-instance"
  event_categories = [
    "maintenance",
    "configuration change",
    "failure",
  ]
  enabled = true

  depends_on = [aws_sns_topic_policy.rds_events]
}

output "subscription_name" {
  description = "Name of the RDS event subscription"
  value       = aws_db_event_subscription.instance_critical.name
}

output "sns_topic_arn" {
  description = "ARN of the SNS topic for notifications"
  value       = aws_sns_topic.rds_events.arn
}
Apply the configuration:
terraform init
terraform apply -var="notification_email=your-email@example.com"
Verification
After creating the subscription:
- Go to RDS > Event subscriptions in the AWS Console
- Confirm your subscription shows Status: active. A status of no-permission means RDS is not allowed to publish to the topic (fix the topic policy); topic-not-exist means the topic has been deleted. In either case the subscription exists but delivers nothing.
- Verify the source type is Instances and the event categories include maintenance, configuration change, and failure
- Confirm the SNS email subscription itself shows Status: Confirmed in the SNS console; SNS does not deliver to an unconfirmed endpoint, so a pending subscription silently drops every notification
- Check the delivery path end to end. RDS has no "send test event" button, so either publish a message directly to the topic (aws sns publish --topic-arn <topic-arn> --message test) to confirm SNS reaches your inbox, or make a small change to a non-production instance and confirm that the email arrives and that the same event appears in aws rds describe-events --source-type db-instance --duration 60
CLI verification
aws rds describe-event-subscriptions \
--subscription-name rds-instance-critical-events \
--region us-east-1 \
--query 'EventSubscriptionsList[0].{Name:CustSubscriptionId,Status:Status,SourceType:SourceType,Categories:EventCategoriesList}'
Expected output shows Status: active, SourceType: db-instance, and the three event categories. An empty Categories list is not a failure: it means the subscription receives every category for its source type. Any Status other than active means the subscription is not delivering, regardless of its categories.
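The CLI query above inspects one named subscription. The check itself is account-wide: it asks whether the enabled, active subscriptions in a region together cover all three categories for every instance, and a subscription that looks right can still be ineffective (disabled, Status: no-permission, scoped to db-cluster, or limited to a few instance IDs). The following Python script, an added example rather than code from this page or from AWS, implements that evaluation over the records returned by DescribeEventSubscriptions. It treats an empty SourceType as "all sources" and an empty EventCategoriesList as "all categories", which is what those fields mean in the API. The sample records are constructed fixtures, not output from a real account; run the script with a region argument to evaluate a real account (boto3 and credentials required).

```python
"""Evaluate whether a region's RDS event subscriptions cover critical
db-instance events (maintenance, configuration change, failure).

Added example, not code from the original page. Field names are those of the
RDS DescribeEventSubscriptions API; SAMPLE_SUBSCRIPTIONS is a constructed fixture.
"""
from __future__ import annotations

import json
import sys

REQUIRED_CATEGORIES = frozenset({"maintenance", "configuration change", "failure"})
ACTIVE = "active"  # other values: creating, modifying, deleting, no-permission, topic-not-exist


def delivers_instance_events(sub: dict) -> bool:
    """True if RDS will actually publish db-instance events for this subscription."""
    if not sub.get("Enabled", False):
        return False  # toggled off: nothing is delivered
    if sub.get("Status") != ACTIVE:
        return False  # e.g. no-permission: the topic policy rejects RDS
    # An empty SourceType means "all sources", which includes db-instance.
    return (sub.get("SourceType") or "") in ("", "db-instance")


def critical_categories(sub: dict) -> frozenset[str]:
    """Required categories this subscription covers; an empty list means all."""
    cats = {c.lower() for c in sub.get("EventCategoriesList") or []}
    return REQUIRED_CATEGORIES if not cats else frozenset(cats & REQUIRED_CATEGORIES)


def evaluate(subscriptions: list[dict]) -> dict:
    """Return the check result for one region's list of subscriptions.

    PASS requires that subscriptions applying to all instances together cover
    every required category. Subscriptions restricted to named instances
    (SourceIdsList non-empty) are reported separately: a newly created
    instance would not be covered by them.
    """
    covered = set()
    contributing, scoped_only = [], []
    for sub in subscriptions:
        if not delivers_instance_events(sub):
            continue
        cats = critical_categories(sub)
        if not cats:
            continue  # e.g. a backup-only subscription adds nothing here
        if sub.get("SourceIdsList"):
            scoped_only.append(sub["CustSubscriptionId"])
            continue
        contributing.append(sub["CustSubscriptionId"])
        covered |= cats
    missing = REQUIRED_CATEGORIES - covered
    return {
        "status": "PASS" if not missing else "FAIL",
        "contributing": contributing,
        "scoped_only": scoped_only,
        "missing_categories": sorted(missing),
    }


def fetch_subscriptions(region: str) -> list[dict]:
    """Pull every subscription in a region. boto3 is imported here so the
    evaluation logic above runs offline without it installed."""
    import boto3
    client = boto3.client("rds", region_name=region)
    paginator = client.get_paginator("describe_event_subscriptions")
    return [s for page in paginator.paginate() for s in page["EventSubscriptionsList"]]


# Constructed fixture covering the cases the check must tell apart.
SAMPLE_SUBSCRIPTIONS = [
    {   # what the remediation steps above create
        "CustSubscriptionId": "rds-instance-critical-events",
        "Status": "active", "Enabled": True, "SourceType": "db-instance",
        "SourceIdsList": [],
        "EventCategoriesList": ["maintenance", "configuration change", "failure"],
    },
    {   # right categories, but RDS cannot publish to the topic
        "CustSubscriptionId": "rds-events-bad-topic-policy",
        "Status": "no-permission", "Enabled": True, "SourceType": "db-instance",
        "SourceIdsList": [],
        "EventCategoriesList": ["maintenance", "configuration change", "failure"],
    },
    {   # cluster-level events are a different source type
        "CustSubscriptionId": "aurora-cluster-events",
        "Status": "active", "Enabled": True, "SourceType": "db-cluster",
        "SourceIdsList": [], "EventCategoriesList": ["failure"],
    },
    {   # only one named instance, only failures
        "CustSubscriptionId": "prod-db-1-failures",
        "Status": "active", "Enabled": True, "SourceType": "db-instance",
        "SourceIdsList": ["prod-db-1"], "EventCategoriesList": ["failure"],
    },
]


if __name__ == "__main__":
    # Usage: python rds_event_check.py [region]; with no region, evaluates the fixture.
    subs = fetch_subscriptions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SUBSCRIPTIONS
    print(json.dumps(evaluate(subs), indent=2))
```

On the fixture the result is PASS with only rds-instance-critical-events contributing: the no-permission and db-cluster subscriptions are ignored, and prod-db-1-failures is listed under scoped_only as a reminder that it protects one instance rather than the account. Drop the first record and the result flips to FAIL with all three categories missing, which is exactly the state this check is meant to catch.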
Additional Resources
- Subscribing to Amazon RDS event notification
- Amazon RDS event categories and messages
- AWS::RDS::EventSubscription (CloudFormation)
- aws_db_event_subscription (Terraform)
Notes
- FIFO topics not supported: RDS event subscriptions only work with standard SNS topics, not FIFO topics.
- Regional scope: Event subscriptions are regional. If you have RDS instances in multiple regions, create subscriptions in each region.
- Multiple subscriptions: You can create multiple subscriptions with different event categories or targeting different SNS topics for routing to different teams.
- Cost: SNS notifications incur standard SNS charges. For high-volume environments, consider the notification frequency.
- Email confirmation: SNS email subscriptions require confirmation. Check your spam folder if you don't receive the confirmation email.