RDS Instance Enhanced Monitoring Enabled
Overview
This check verifies whether Amazon RDS database instances have Enhanced Monitoring enabled. Enhanced Monitoring runs an agent on the host and publishes real-time operating system metrics (CPU, memory, disk, file system, network, and the OS process list) to CloudWatch Logs at the granularity you choose. The standard CloudWatch metrics for RDS are gathered from the hypervisor and do not show this per-process, OS-level detail.
Risk
Without Enhanced Monitoring, you lose visibility into the operating system running your database. This can lead to:
- Delayed detection of resource exhaustion (CPU spikes, memory pressure, disk I/O bottlenecks)
- Longer recovery times when performance issues occur
- Reduced forensic visibility during security investigations
- Missed early warning signs before outages or failovers
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify RDS instances and create IAM roles
- The name (identifier) of the RDS instance you want to update
IAM permissions required
To enable Enhanced Monitoring, you need these IAM permissions:
- rds:ModifyDBInstance
- rds:DescribeDBInstances
- iam:CreateRole (if creating a new monitoring role)
- iam:AttachRolePolicy (if creating a new monitoring role)
- iam:PassRole (to hand the monitoring role to RDS)
AWS Console Method
- Open the Amazon RDS console
- In the left navigation, click Databases
- Select the database instance you want to modify
- Click the Modify button
- Scroll down to the Additional configuration section
- Find Monitoring and set Enhanced Monitoring to Enable
- Choose a Granularity (e.g., 60 seconds is a good starting point)
- For Monitoring Role, select:
- Default to let RDS create a role automatically, or
- An existing role with the AmazonRDSEnhancedMonitoringRole policy attached
- Scroll to the bottom and click Continue
- Choose when to apply the change:
- Apply immediately for instant effect
- Apply during the next scheduled maintenance window if your change process batches modifications there (changing the Enhanced Monitoring setting itself does not cause an outage or a reboot)
- Click Modify DB instance
AWS CLI (optional)
Step 1: Create an IAM role for Enhanced Monitoring (if needed)
First, create a trust policy file:
cat > trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "monitoring.rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
Create the IAM role:
aws iam create-role \
--role-name rds-enhanced-monitoring-role \
--assume-role-policy-document file://trust-policy.json \
--region us-east-1
Attach the AWS managed policy:
aws iam attach-role-policy \
--role-name rds-enhanced-monitoring-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole \
--region us-east-1
Step 2: Get the role ARN
aws iam get-role \
--role-name rds-enhanced-monitoring-role \
--query 'Role.Arn' \
--output text \
--region us-east-1
Step 3: Enable Enhanced Monitoring on your RDS instance
Replace <your-db-instance-id> with your actual database identifier and <role-arn> with the ARN from Step 2:
aws rds modify-db-instance \
--db-instance-identifier <your-db-instance-id> \
--monitoring-interval 60 \
--monitoring-role-arn <role-arn> \
--apply-immediately \
--region us-east-1
Valid monitoring intervals: 0 (disabled), 1, 5, 10, 15, 30, or 60 seconds.
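The three CLI steps above are fine to type once, but they are not safe to re-run: create-role fails the second time and modify-db-instance is issued even when nothing changes. The script below is an added example (not from the original page and not AWS tooling) that folds Steps 1 to 3 into idempotent shell functions. It assumes a configured AWS CLI v2; the role name default, the `run` helper, and the account ID used in comments are illustrative. It also hardens the trust policy with an `aws:SourceAccount` condition so only RDS resources in your own account can assume the monitoring role, which the page's minimal trust policy does not restrict.

```shell
#!/bin/sh
# Added example, not part of the original page: idempotent version of Steps 1-3.
# Assumes a configured AWS CLI v2. ROLE_NAME and the "run" helper are illustrative.
set -eu

ROLE_NAME="${ROLE_NAME:-rds-enhanced-monitoring-role}"
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"

# RDS accepts only these granularities; 0 would disable monitoring, so it is
# rejected here on purpose.
validate_interval() {
  case "$1" in
    1|5|10|15|30|60) return 0 ;;
    *) echo "invalid monitoring interval '$1' (use 1, 5, 10, 15, 30 or 60)" >&2; return 1 ;;
  esac
}

# Trust policy for the monitoring role. Compared with the page's version it adds
# an aws:SourceAccount condition so only RDS resources in this account can assume
# the role (cross-account confused-deputy hardening). $1 is the account ID.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "monitoring.rds.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "$1" } }
    }
  ]
}
EOF
}

# Create the role only when get-role cannot find it (any other get-role failure,
# e.g. AccessDenied, surfaces as a loud create-role error). attach-role-policy is
# idempotent. Prints the role ARN.
ensure_monitoring_role() {
  local account_id="$1" arn
  if ! arn=$(aws iam get-role --role-name "$ROLE_NAME" \
               --query 'Role.Arn' --output text 2>/dev/null); then
    arn=$(aws iam create-role --role-name "$ROLE_NAME" \
            --assume-role-policy-document "$(trust_policy "$account_id")" \
            --query 'Role.Arn' --output text)
  fi
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  printf '%s\n' "$arn"
}

current_interval() {
  aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].MonitoringInterval' --output text
}

# Enable (or re-tune) Enhanced Monitoring on one instance.
# Exit status: 0 = modified, 1 = bad input, 2 = already at the requested interval.
# Fourth argument: "immediately" (default) or "maintenance-window".
enable_enhanced_monitoring() {
  local db_id="$1" interval="$2" role_arn="$3" apply="${4:-immediately}" apply_flag
  validate_interval "$interval" || return 1
  if [ "$(current_interval "$db_id")" = "$interval" ]; then
    echo "$db_id already has Enhanced Monitoring at ${interval}s" >&2
    return 2
  fi
  if [ "$apply" = "maintenance-window" ]; then
    apply_flag=--no-apply-immediately
  else
    apply_flag=--apply-immediately
  fi
  aws rds modify-db-instance --db-instance-identifier "$db_id" \
    --monitoring-interval "$interval" --monitoring-role-arn "$role_arn" \
    "$apply_flag" --query 'DBInstance.DBInstanceIdentifier' --output text
}

# End-to-end helper:  run <db-instance-id> [interval] [immediately|maintenance-window]
run() {
  local account_id role_arn
  account_id=$(aws sts get-caller-identity --query Account --output text)
  role_arn=$(ensure_monitoring_role "$account_id")
  enable_enhanced_monitoring "$1" "${2:-60}" "$role_arn" "${3:-immediately}"
}
```

Source the file and call `run mydb 60` (or `run mydb 60 maintenance-window` to defer the change). Because IAM is a global service the IAM calls carry no `--region`; the RDS calls use whatever region the CLI profile selects.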
CloudFormation (optional)
This template creates the IAM role required for Enhanced Monitoring. After deploying, use the role ARN to enable Enhanced Monitoring via the Console or CLI.
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM role for RDS Enhanced Monitoring
Resources:
  RDSEnhancedMonitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: rds-enhanced-monitoring-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: monitoring.rds.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
Outputs:
  MonitoringRoleArn:
    Description: ARN of the Enhanced Monitoring IAM role
    Value: !GetAtt RDSEnhancedMonitoringRole.Arn
    Export:
      Name: RDSEnhancedMonitoringRoleArn
To deploy:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name rds-enhanced-monitoring-role \
--capabilities CAPABILITY_NAMED_IAM \
--region us-east-1
After the stack deploys, retrieve the role ARN:
aws cloudformation describe-stacks \
--stack-name rds-enhanced-monitoring-role \
--query 'Stacks[0].Outputs[?OutputKey==`MonitoringRoleArn`].OutputValue' \
--output text \
--region us-east-1
Then enable Enhanced Monitoring on your RDS instance using the AWS CLI command shown above.
Terraform (optional)
This configuration creates an RDS instance with Enhanced Monitoring enabled:
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "db_instance_identifier" {
  description = "The identifier of the RDS DB instance"
  type        = string
}

variable "monitoring_interval" {
  description = "Enhanced Monitoring interval in seconds (0, 1, 5, 10, 15, 30, or 60)"
  type        = number
  default     = 60
}

# IAM role for Enhanced Monitoring
resource "aws_iam_role" "rds_enhanced_monitoring" {
  name = "rds-enhanced-monitoring-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "monitoring.rds.amazonaws.com"
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
  role       = aws_iam_role.rds_enhanced_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

# Example: RDS instance with Enhanced Monitoring enabled
resource "aws_db_instance" "example" {
  identifier        = var.db_instance_identifier
  allocated_storage = 20
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  username          = "admin"
  # Let RDS generate the master password and keep it in Secrets Manager
  # rather than committing a literal password to source control.
  manage_master_user_password = true
  skip_final_snapshot         = true

  # Enhanced Monitoring configuration
  monitoring_interval = var.monitoring_interval
  monitoring_role_arn = aws_iam_role.rds_enhanced_monitoring.arn

  # Make sure the managed policy is attached before RDS first assumes the role
  depends_on = [aws_iam_role_policy_attachment.rds_enhanced_monitoring]
}

output "monitoring_role_arn" {
  description = "ARN of the Enhanced Monitoring IAM role"
  value       = aws_iam_role.rds_enhanced_monitoring.arn
}
To enable on an existing RDS instance managed by Terraform, add or update these attributes:
resource "aws_db_instance" "existing" {
  # ... existing configuration ...
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_enhanced_monitoring.arn
}
Verification
After enabling Enhanced Monitoring, verify it is working:
- Open the Amazon RDS console
- Click Databases and select your instance
- Click the Monitoring tab
- Look for Enhanced monitoring section with OS-level metrics
- You should see graphs for CPU, memory, file system, and network metrics
CLI verification
aws rds describe-db-instances \
--db-instance-identifier <your-db-instance-id> \
--query 'DBInstances[0].{MonitoringInterval:MonitoringInterval,MonitoringRoleArn:MonitoringRoleArn}' \
--region us-east-1
Expected output when Enhanced Monitoring is enabled:
{
"MonitoringInterval": 60,
"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-enhanced-monitoring-role"
}
If MonitoringInterval is 0, Enhanced Monitoring is disabled. A non-zero interval only confirms the setting, not that data is flowing: RDS publishes Enhanced Monitoring data to the RDSOSMetrics log group in CloudWatch Logs, in a log stream named after the instance's DbiResourceId. If that stream is missing or has no recent events, the monitoring role typically cannot be assumed by monitoring.rds.amazonaws.com or is missing the AmazonRDSEnhancedMonitoringRole policy.
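The CLI verification above checks one instance. The following is an added example (not from the original page) that audits every instance in a region using the same describe-db-instances data, and adds a function that checks whether metrics are actually arriving in the RDSOSMetrics log group. The inventory rows are the tab-separated lines that `aws rds describe-db-instances --output text` prints for the query shown; the sample rows, instance identifiers and account ID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: fleet-wide Enhanced Monitoring audit.
# Rows are "<id>\t<interval>\t<role-arn-or-None>", the text output of the query
# in live_inventory. Sample identifiers and the account ID are constructed.
set -eu

# Live inventory for a region (the CLI prints "None" for a missing role ARN).
live_inventory() {
  aws rds describe-db-instances --region "${1:-us-east-1}" \
    --query 'DBInstances[].[DBInstanceIdentifier,MonitoringInterval,MonitoringRoleArn]' \
    --output text
}

# Constructed sample in exactly that format.
sample_inventory() {
  printf 'orders-db\t60\tarn:aws:iam::123456789012:role/rds-enhanced-monitoring-role\n'
  printf 'reporting-db\t0\tNone\n'
  printf 'analytics-replica\t15\tarn:aws:iam::123456789012:role/rds-enhanced-monitoring-role\n'
}

# Reads inventory rows on stdin, prints one verdict per instance and exits 1
# when any instance has Enhanced Monitoring disabled. An interval of 0 (or a
# missing role) is the condition this page's check reports.
audit_enhanced_monitoring() {
  local tab db_id interval role_arn bad=0
  tab=$(printf '\t')
  while IFS="$tab" read -r db_id interval role_arn; do
    [ -n "$db_id" ] || continue
    if [ "$interval" = "0" ] || [ "$interval" = "None" ] || [ "$role_arn" = "None" ]; then
      printf '%s\tNONCOMPLIANT\tenhanced monitoring disabled\n' "$db_id"
      bad=$((bad + 1))
    else
      printf '%s\tok\tinterval=%ss\n' "$db_id" "$interval"
    fi
  done
  [ "$bad" -eq 0 ]
}

# Only the identifiers that need remediation, one per line, ready for a loop
# that calls modify-db-instance on each.
noncompliant_ids() {
  audit_enhanced_monitoring | awk -F '\t' '$2 == "NONCOMPLIANT" { print $1 }'
}

# A non-zero interval proves the setting, not that data is flowing. Enhanced
# Monitoring writes to the RDSOSMetrics log group, one stream per instance named
# after its DbiResourceId. Prints the last event time (epoch milliseconds), or
# "None" when nothing has arrived, for the instance given as $1.
last_metric_timestamp() {
  local resource_id
  resource_id=$(aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].DbiResourceId' --output text)
  aws logs describe-log-streams --log-group-name RDSOSMetrics \
    --log-stream-name-prefix "$resource_id" \
    --query 'logStreams[0].lastEventTimestamp' --output text
}

# Usage against a live account:
#   live_inventory us-east-1 | audit_enhanced_monitoring
#   live_inventory us-east-1 | noncompliant_ids
#   last_metric_timestamp orders-db
```

Run `sample_inventory | audit_enhanced_monitoring` to see the verdict format offline; the non-zero exit status makes the function usable as a gate in a pipeline. The `live_inventory` and `last_metric_timestamp` helpers need credentials and are not exercised by the offline sample.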
Additional Resources
- Enhanced Monitoring in Amazon RDS
- Setting up and enabling Enhanced Monitoring
- Enhanced Monitoring metrics
- CloudWatch Logs for Enhanced Monitoring
Notes
- Cost consideration: Enhanced Monitoring metrics are sent to CloudWatch Logs, which may incur additional costs. The more frequent the granularity, the higher the cost.
- Granularity options: Valid intervals are 0 (disabled), 1, 5, 10, 15, 30, or 60 seconds. Start with 60 seconds unless you need finer granularity.
- No downtime: Enabling Enhanced Monitoring does not cause database downtime or restart.
- Aurora clusters: For Amazon Aurora, Enhanced Monitoring is enabled at the instance level, not the cluster level.
- Role reuse: You can use the same IAM role for all RDS instances in your account.