AWS Security Hub · RDS
RDS.20: RDS instance event notification subscriptions
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.20 check?
RDS.20 is a conditional, change-triggered check on AWS::RDS::EventSubscription. It evaluates whether an existing subscription for the db-instance source type listens for the maintenance, configuration change, and failure categories. It passes if no subscriptions exist at all, and reports FAILED when an instance subscription exists but omits any of those three categories.
Why does RDS.20 matter?
A misconfigured subscription gives a false sense of safety. A team that wired up an instance subscription for availability events but left off failure will believe they are covered, then discover during an outage that the page never fired. RDS.20 is not "do you have monitoring?" — it is "if you set monitoring up, did you wire the categories that correspond to real incidents into it?"
How do I fix RDS.20?
- Identify the existing db-instance event subscription.
- Update or recreate it so its event categories include maintenance, configuration change, and failure.
- Confirm a test event reaches the on-call destination.
- Encode the full category list in IaC so the coverage cannot silently narrow.
Remediation script · bash
# One SNS topic, then one RDS subscription per source type with the required categories.
TOPIC=$(aws sns create-topic --name ops-pager --query TopicArn --output text)
aws rds create-event-subscription --subscription-name rds-instance-critical \
--sns-topic-arn "$TOPIC" --source-type db-instance \
--event-categories "maintenance" "configuration change" "failure" --enabled # RDS.20
aws rds create-event-subscription --subscription-name rds-cluster-critical \
--sns-topic-arn "$TOPIC" --source-type db-cluster \
--event-categories "maintenance" "failure" --enabled # RDS.19
aws rds create-event-subscription --subscription-name rds-pg-critical \
--sns-topic-arn "$TOPIC" --source-type db-parameter-group \
--event-categories "configuration change" --enabled # RDS.21
aws rds create-event-subscription --subscription-name rds-sg-critical \
--sns-topic-arn "$TOPIC" --source-type db-security-group \
--event-categories "configuration change" "failure" --enabled # RDS.22
# S3: EventBridge is the lowest-friction destination, no per-bucket policy needed.
aws s3api put-bucket-notification-configuration --bucket acme-customer-uploads \
--notification-configuration '{"EventBridgeConfiguration":{}}' # S3.11
# Then smoke-test the wire: reboot a non-prod DB and confirm the page lands.
aws rds reboot-db-instance --db-instance-identifier staging-postgres-1Full walkthrough (console steps, edge cases and verification) in the lesson Configure event notifications and subscriptions.
Is RDS.20 a false positive?
An account with no RDS event subscriptions at all passes RDS.20 by default — the control only fires once a subscription exists but is missing required categories, so "having alerts" is exactly when the gap appears.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters