RDS Security Group Event Subscription
Overview
This check verifies that you have an RDS event subscription configured to monitor database security group events. When enabled, AWS sends notifications whenever security group configurations change or fail, helping you stay aware of changes that could affect database access.
Risk
Without event subscriptions for security group changes, you may miss:
- Unauthorized access attempts: Security group rule changes could expose your databases to the internet or untrusted networks without your knowledge
- Configuration drift: Changes made outside your normal change management process go undetected
- Failure notifications: Issues with security group configurations that could affect database availability
These visibility gaps slow incident response and can lead to prolonged security exposures.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to create RDS event subscriptions
- An SNS topic to receive the notifications (you can create one during setup)
Required IAM permissions
To create RDS event subscriptions, your IAM user or role needs these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateEventSubscription",
        "rds:DescribeEventSubscriptions",
        "sns:ListTopics",
        "sns:CreateTopic",
        "sns:Subscribe"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Open the Amazon RDS console in the us-east-1 region
- In the left navigation pane, click Event subscriptions
- Click Create event subscription
- Configure the subscription:
  - Name: Enter a descriptive name (e.g., rds-security-group-events)
  - Target: Select an existing SNS topic or create a new one
  - Source type: Select Security groups
  - Event categories: Check both configuration change and failure
  - Instances to include: Leave as "All security groups" to monitor all
- Click Create
After creation, verify the subscription shows as "active" in the Event subscriptions list.
AWS CLI (optional)
First, ensure you have an SNS topic. If you need to create one:
aws sns create-topic \
--name rds-security-events \
--region us-east-1
Note the TopicArn from the output (e.g., arn:aws:sns:us-east-1:123456789012:rds-security-events).
Create the event subscription:
aws rds create-event-subscription \
--subscription-name rds-security-group-events \
--sns-topic-arn arn:aws:sns:us-east-1:123456789012:rds-security-events \
--source-type db-security-group \
--event-categories "configuration change" "failure" \
--enabled \
--region us-east-1
Replace 123456789012 with your AWS account ID.
To verify the subscription was created:
aws rds describe-event-subscriptions \
--subscription-name rds-security-group-events \
--region us-east-1
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Event Subscription for DB Security Group Events
Parameters:
  SubscriptionName:
    Type: String
    Description: Name for the RDS event subscription
    Default: rds-security-group-events
  SNSTopicArn:
    Type: String
    Description: ARN of the SNS topic to receive notifications
Resources:
  RDSSecurityGroupEventSubscription:
    Type: AWS::RDS::EventSubscription
    Properties:
      SubscriptionName: !Ref SubscriptionName
      SnsTopicArn: !Ref SNSTopicArn
      SourceType: db-security-group
      EventCategories:
        - configuration change
        - failure
      Enabled: true
Outputs:
  SubscriptionArn:
    Description: ARN of the created event subscription
    Value: !Ref RDSSecurityGroupEventSubscription
Deploy with:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name rds-security-group-event-subscription \
--parameter-overrides SNSTopicArn=arn:aws:sns:us-east-1:123456789012:rds-security-events \
--region us-east-1
Terraform (optional)
# RDS Event Subscription for DB Security Group Events
variable "subscription_name" {
  description = "Name for the RDS event subscription"
  type        = string
  default     = "rds-security-group-events"
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic to receive notifications"
  type        = string
}

resource "aws_db_event_subscription" "security_group_events" {
  name             = var.subscription_name
  sns_topic        = var.sns_topic_arn
  source_type      = "db-security-group"
  event_categories = ["configuration change", "failure"]
  enabled          = true

  tags = {
    Purpose = "Security monitoring for RDS security groups"
  }
}

output "subscription_arn" {
  description = "ARN of the created event subscription"
  value       = aws_db_event_subscription.security_group_events.arn
}
Apply with:
terraform init
terraform apply -var="sns_topic_arn=arn:aws:sns:us-east-1:123456789012:rds-security-events"
Verification
To confirm the remediation was successful:
- In the RDS console, go to Event subscriptions
- Find your subscription and verify:
- Status shows active
- Source type is db-security-group
- Event categories include configuration change and failure
CLI verification
aws rds describe-event-subscriptions \
--subscription-name rds-security-group-events \
--query 'EventSubscriptionsList[0].{Status:Status,SourceType:SourceType,EventCategories:EventCategoriesList}' \
--region us-east-1
Expected output:
{
  "Status": "active",
  "SourceType": "db-security-group",
  "EventCategories": [
    "configuration change",
    "failure"
  ]
}
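The console and CLI verification steps above can be automated. The following is an added example, not part of the original page: it evaluates the EventSubscriptionsList array that describe-event-subscriptions returns and reports why the check would fail (wrong source type, disabled, not active, missing categories, restricted to specific groups, or a FIFO topic). The function names, the sample data and the use of boto3 for the optional live lookup are this example's own assumptions.

```python
"""Check RDS event subscriptions for DB security group coverage (added example)."""

REQUIRED_CATEGORIES = {"configuration change", "failure"}


def subscription_issues(sub):
    """Return the reasons one db-security-group subscription fails the check."""
    name = sub.get("CustSubscriptionId", "<unnamed>")
    issues = []
    if not sub.get("Enabled", False):
        issues.append(f"{name}: subscription is disabled")
    if sub.get("Status") != "active":
        issues.append(f"{name}: status is {sub.get('Status')!r}, not active")
    # An empty EventCategoriesList means the subscription receives every category.
    categories = set(sub.get("EventCategoriesList") or [])
    missing = REQUIRED_CATEGORIES - categories if categories else set()
    if missing:
        issues.append(f"{name}: missing event categories {sorted(missing)}")
    # A non-empty SourceIdsList limits the subscription to named security groups.
    if sub.get("SourceIdsList"):
        issues.append(f"{name}: limited to specific security groups")
    if str(sub.get("SnsTopicArn", "")).endswith(".fifo"):
        issues.append(f"{name}: RDS does not support FIFO SNS topics")
    return issues


def evaluate_subscriptions(subscriptions):
    """Return [] if at least one db-security-group subscription is fully compliant,
    otherwise every problem found across the candidate subscriptions."""
    candidates = [s for s in subscriptions if s.get("SourceType") == "db-security-group"]
    if not candidates:
        return ["no event subscription with source type db-security-group"]
    per_sub = [subscription_issues(s) for s in candidates]
    if any(not issues for issues in per_sub):
        return []
    return [issue for issues in per_sub for issue in issues]


def fetch_subscriptions(region="us-east-1"):
    """Live lookup with boto3 (imported lazily so the module loads without it)."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    subs = []
    for page in rds.get_paginator("describe_event_subscriptions").paginate():
        subs.extend(page["EventSubscriptionsList"])
    return subs


# Constructed sample shaped like the page's expected output (not real account data)
SAMPLE_OK = [{"CustSubscriptionId": "rds-security-group-events", "Enabled": True,
              "SourceType": "db-security-group", "Status": "active",
              "EventCategoriesList": ["configuration change", "failure"],
              "SnsTopicArn": "arn:aws:sns:us-east-1:123456789012:rds-security-events"}]

if __name__ == "__main__":
    for line in evaluate_subscriptions(fetch_subscriptions()) or ["PASS"]:
        print(line)
```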
Additional Resources
- Subscribing to Amazon RDS event notification
- Amazon RDS event categories and event messages
- AWS::RDS::EventSubscription CloudFormation reference
- Terraform aws_db_event_subscription resource
Notes
- SNS topic type: RDS does not support FIFO (first-in, first-out) SNS topics. Use a standard SNS topic for event subscriptions.
- Multiple subscriptions: You can create separate subscriptions for different source types (instances, clusters, snapshots, etc.) to route notifications to different teams.
- Cost considerations: SNS notifications incur standard SNS charges. For high-volume environments, consider filtering or aggregating notifications.
- DB security groups vs. VPC security groups: This check applies to classic DB security groups. For VPC-based RDS instances, security group changes are managed through EC2 VPC security groups, which have their own monitoring mechanisms.