RDS Parameter Group Event Subscription
Overview
This check ensures that you have set up notifications for changes to your RDS parameter groups. Parameter groups control important database settings like security configurations, logging, and performance options. Without monitoring these changes, you could miss important (or unauthorized) modifications to your databases.
Risk
When parameter group changes go unmonitored, you lose visibility into modifications that could affect your databases. An attacker or accidental change could:
- Lower TLS security requirements
- Disable database auditing
- Relax authentication settings
- Modify performance settings that impact availability
Setting up event notifications ensures your team is alerted immediately when parameter groups change.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to create RDS event subscriptions and SNS topics
- An email address (or other endpoint) to receive notifications
Required IAM permissions
Your IAM user or role needs these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateEventSubscription",
        "rds:DescribeEventSubscriptions",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:ListTopics"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS Console Method
- Create an SNS topic (if you do not already have one):
  - Go to Amazon SNS in the AWS Console
  - Click Topics in the left menu, then Create topic
  - Select Standard (not FIFO - RDS does not support FIFO topics)
  - Enter a name like rds-parameter-group-alerts
  - Click Create topic
  - Click Create subscription, choose Email, and enter your email address
  - Confirm the subscription from your email inbox
- Create the RDS event subscription:
  - Go to Amazon RDS in the AWS Console
  - Click Event subscriptions in the left menu
  - Click Create event subscription
  - Enter a name like parameter-group-config-changes
  - Under Target, select your SNS topic
  - Under Source type, select Parameter groups
  - Under Event categories to include, select Configuration change (or leave as "All" for broader coverage)
  - Make sure Enable subscription is checked
  - Click Create
- Verify the subscription:
  - Back on the Event subscriptions page, confirm your new subscription shows Status: active
AWS CLI (optional)
Step 1: Create an SNS topic
```bash
aws sns create-topic \
  --name rds-parameter-group-alerts \
  --region us-east-1
```
Save the TopicArn from the output for the next steps.
Step 2: Subscribe to the topic
```bash
aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:<your-account-id>:rds-parameter-group-alerts \
  --protocol email \
  --notification-endpoint <your-email@example.com> \
  --region us-east-1
```
Check your email and confirm the subscription.
Step 3: Create the RDS event subscription
```bash
aws rds create-event-subscription \
  --subscription-name parameter-group-config-changes \
  --sns-topic-arn arn:aws:sns:us-east-1:<your-account-id>:rds-parameter-group-alerts \
  --source-type db-parameter-group \
  --event-categories "configuration change" \
  --enabled \
  --region us-east-1
```
Verify the subscription:
```bash
aws rds describe-event-subscriptions \
  --subscription-name parameter-group-config-changes \
  --region us-east-1
```
CloudFormation (optional)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Event Subscription for Parameter Group Configuration Changes

Parameters:
  SubscriptionName:
    Type: String
    Default: rds-parameter-group-events
    Description: Name for the RDS event subscription
  NotificationEmail:
    Type: String
    Description: Email address for notifications

Resources:
  RDSEventsSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub '${SubscriptionName}-topic'
      DisplayName: RDS Parameter Group Events

  RDSEventsSNSSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref RDSEventsSNSTopic
      Protocol: email
      Endpoint: !Ref NotificationEmail

  RDSParameterGroupEventSubscription:
    Type: AWS::RDS::EventSubscription
    Properties:
      SubscriptionName: !Ref SubscriptionName
      SnsTopicArn: !Ref RDSEventsSNSTopic
      SourceType: db-parameter-group
      EventCategories:
        - configuration change
      Enabled: true

Outputs:
  EventSubscriptionName:
    Description: Name of the RDS event subscription
    Value: !Ref RDSParameterGroupEventSubscription
  SNSTopicArn:
    Description: ARN of the SNS topic for notifications
    Value: !Ref RDSEventsSNSTopic
```
Deploy the stack:
```bash
aws cloudformation create-stack \
  --stack-name rds-parameter-group-events \
  --template-body file://template.yaml \
  --parameters ParameterKey=NotificationEmail,ParameterValue=<your-email@example.com> \
  --region us-east-1
```
Terraform (optional)
```hcl
variable "subscription_name" {
  description = "Name for the RDS event subscription"
  type        = string
  default     = "rds-parameter-group-events"
}

variable "notification_email" {
  description = "Email address for notifications"
  type        = string
}

resource "aws_sns_topic" "rds_events" {
  name         = "${var.subscription_name}-topic"
  display_name = "RDS Parameter Group Events"
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.rds_events.arn
  protocol  = "email"
  endpoint  = var.notification_email
}

resource "aws_db_event_subscription" "parameter_group_events" {
  name             = var.subscription_name
  sns_topic        = aws_sns_topic.rds_events.arn
  source_type      = "db-parameter-group"
  event_categories = ["configuration change"]
  enabled          = true
}

output "event_subscription_name" {
  description = "Name of the RDS event subscription"
  value       = aws_db_event_subscription.parameter_group_events.name
}

output "sns_topic_arn" {
  description = "ARN of the SNS topic for notifications"
  value       = aws_sns_topic.rds_events.arn
}
```
Deploy:
```bash
terraform init
terraform apply -var="notification_email=<your-email@example.com>"
```
Verification
After setting up the subscription:
- Go to RDS > Event subscriptions in the AWS Console
- Confirm your subscription shows Status: active
- Optionally, modify a test parameter group to trigger a notification and verify you receive the email
CLI verification
```bash
# List all RDS event subscriptions
aws rds describe-event-subscriptions \
  --region us-east-1

# Check for parameter group subscriptions specifically
aws rds describe-event-subscriptions \
  --region us-east-1 \
  --query "EventSubscriptionsList[?SourceType=='db-parameter-group']"
```
Look for a subscription with:
- SourceType: db-parameter-group
- Enabled: true
- EventCategoriesList containing configuration change (or empty for all categories)
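The verification rules above, written as a small evaluator over DescribeEventSubscriptions output. This is an added example, not code from the original check page; the field names follow the RDS DescribeEventSubscriptions API, the sample response is constructed, and the account id in it is a placeholder. Beyond the two fields the page lists, it also requires Status to be active (a subscription whose SNS topic was deleted reports topic-not-exist and delivers nothing) and treats a record with no SourceType as covering all source types, which the CLI query with SourceType=='db-parameter-group' would miss.

```python
"""Evaluate RDS DescribeEventSubscriptions output for parameter-group change coverage.

Added example; field names follow the RDS API, the sample data is constructed.
"""
from __future__ import annotations

REQUIRED_SOURCE_TYPE = "db-parameter-group"
REQUIRED_CATEGORY = "configuration change"


def covers_parameter_group_changes(sub: dict) -> bool:
    """True if this one subscription record delivers parameter group
    configuration-change events.

    The record must be enabled and its Status must be 'active' (other values
    such as 'topic-not-exist' or 'no-permission' mean nothing is delivered).
    An absent SourceType means every source type, and an empty
    EventCategoriesList means every category, so both are accepted.
    """
    if not sub.get("Enabled", False):
        return False
    if sub.get("Status") != "active":
        return False
    source_type = sub.get("SourceType")  # absent => all source types
    if source_type is not None and source_type != REQUIRED_SOURCE_TYPE:
        return False
    categories = sub.get("EventCategoriesList") or []  # empty => all categories
    return not categories or REQUIRED_CATEGORY in categories


def evaluate(response: dict) -> dict:
    """Classify every subscription in a DescribeEventSubscriptions response."""
    compliant: list[str] = []
    noncompliant: list[str] = []
    for sub in response.get("EventSubscriptionsList", []):
        name = sub.get("CustSubscriptionId", "<unnamed>")
        (compliant if covers_parameter_group_changes(sub) else noncompliant).append(name)
    return {
        "status": "PASS" if compliant else "FAIL",
        "compliant": compliant,
        "noncompliant": noncompliant,
    }


def fetch_live_subscriptions(region: str) -> dict:
    """Pull every page of DescribeEventSubscriptions for one region.

    Subscriptions are regional, so run this once per region that holds RDS
    resources. boto3 is imported lazily so the offline evaluation above has
    no SDK dependency.
    """
    import boto3

    client = boto3.client("rds", region_name=region)
    subs: list[dict] = []
    for page in client.get_paginator("describe_event_subscriptions").paginate():
        subs.extend(page["EventSubscriptionsList"])
    return {"EventSubscriptionsList": subs}


# Constructed sample response (placeholder account id) covering the edge cases.
SAMPLE_RESPONSE = {
    "EventSubscriptionsList": [
        {   # the subscription this page creates: compliant
            "CustSubscriptionId": "parameter-group-config-changes",
            "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:rds-parameter-group-alerts",
            "Status": "active",
            "SourceType": "db-parameter-group",
            "EventCategoriesList": ["configuration change"],
            "Enabled": True,
        },
        {   # no SourceType and no categories: subscribes to everything, compliant
            "CustSubscriptionId": "all-rds-events",
            "Status": "active",
            "EventCategoriesList": [],
            "Enabled": True,
        },
        {   # right scope, but the SNS topic is gone: nothing is delivered
            "CustSubscriptionId": "pg-orphaned-topic",
            "Status": "topic-not-exist",
            "SourceType": "db-parameter-group",
            "EventCategoriesList": ["configuration change"],
            "Enabled": True,
        },
        {   # right scope, but switched off
            "CustSubscriptionId": "pg-disabled",
            "Status": "active",
            "SourceType": "db-parameter-group",
            "EventCategoriesList": ["configuration change"],
            "Enabled": False,
        },
        {   # watches instances only, not parameter groups
            "CustSubscriptionId": "instance-failures",
            "Status": "active",
            "SourceType": "db-instance",
            "EventCategoriesList": ["failure", "availability"],
            "Enabled": True,
        },
    ]
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE))
```

To run it against an account, pass the result of fetch_live_subscriptions(region) to evaluate for each region in use; a FAIL in any region means parameter group changes there go unreported.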
Additional Resources
- Subscribing to Amazon RDS event notification
- Amazon RDS event categories and messages
- AWS::RDS::EventSubscription CloudFormation reference
Notes
- FIFO topics not supported: RDS does not support SNS FIFO topics. Use Standard topics only.
- Regional scope: Event subscriptions are regional. If you have RDS resources in multiple regions, create subscriptions in each region.
- Cost considerations: SNS and RDS event subscriptions have minimal costs, but high-volume notifications may incur SNS charges.
- Multiple subscriptions: You can create multiple subscriptions for different source types (instances, clusters, security groups, etc.) to the same or different SNS topics.