AWS Security Hub · RDS
RDS.22: RDS security-group event notifications
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.22 check?
RDS.22 checks for an AWS::RDS::EventSubscription listening on the db-security-group source type with the configuration change and failure categories. If at least one subscription exists in the account but none covers DB security group events, it reports FAILED.
Why does RDS.22 matter?
A DB security group is the network gate in front of a database — when its rules change, the set of who can reach that database changes with it. That is exactly the kind of event you want someone to learn about within seconds, not three weeks later in an incident review. Without a subscription the change happens silently in the RDS control plane, leaving only a CloudTrail line nobody watches in real time. It is a detective control; the value is the speed of your response when something goes wrong.
How do I fix RDS.22?
- Create an RDS event subscription with source type db-security-group covering configuration change and failure, pointed at a watched SNS topic.
- Confirm a test rule change produces a notification.
- Keep the subscription in IaC so the coverage persists.
Remediation script · bash
# One SNS topic, then one RDS subscription per source type with the required categories.
TOPIC=$(aws sns create-topic --name ops-pager --query TopicArn --output text)
aws rds create-event-subscription --subscription-name rds-instance-critical \
--sns-topic-arn "$TOPIC" --source-type db-instance \
--event-categories "maintenance" "configuration change" "failure" --enabled # RDS.20
aws rds create-event-subscription --subscription-name rds-cluster-critical \
--sns-topic-arn "$TOPIC" --source-type db-cluster \
--event-categories "maintenance" "failure" --enabled # RDS.19
aws rds create-event-subscription --subscription-name rds-pg-critical \
--sns-topic-arn "$TOPIC" --source-type db-parameter-group \
--event-categories "configuration change" --enabled # RDS.21
aws rds create-event-subscription --subscription-name rds-sg-critical \
--sns-topic-arn "$TOPIC" --source-type db-security-group \
--event-categories "configuration change" "failure" --enabled # RDS.22
# S3: EventBridge is the lowest-friction destination, no per-bucket policy needed.
aws s3api put-bucket-notification-configuration --bucket acme-customer-uploads \
--notification-configuration '{"EventBridgeConfiguration":{}}' # S3.11
# Then smoke-test the wire: reboot a non-prod DB and confirm the page lands.
aws rds reboot-db-instance --db-instance-identifier staging-postgres-1Full walkthrough (console steps, edge cases and verification) in the lesson Configure event notifications and subscriptions.
Is RDS.22 a false positive?
The control passes if there are no event subscriptions at all in the account — it only flags partial setups. So an account that has built instance-event alerting but not security-group alerting is exactly the one that fails RDS.22.
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters