Compliance · Low severity

AWS Security Hub · RDS

RDS.6: RDS lacks enhanced monitoring

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub RDS.6 check?

RDS.6 evaluates whether an RDS DB instance has Enhanced Monitoring enabled. It reports FAILED for any instance with MonitoringInterval set to 0, which is the default — meaning the OS-level monitoring agent was never turned on.

Why does RDS.6 matter?

Default CloudWatch metrics are sampled from the hypervisor: they confirm a database is busy but never explain why. Without Enhanced Monitoring you cannot see per-process CPU, swap pressure, IO wait, or per-device disk utilisation — so incidents become guesswork and teams over-provision to bigger instances rather than fixing the real cause. It is also the prerequisite for any OS-level CloudWatch alarm.

How do I fix RDS.6?

  1. Create an IAM role once per account with the AWS-managed AmazonRDSEnhancedMonitoringRole policy attached.
  2. Run modify-db-instance with --monitoring-interval (15 seconds is the production sweet spot, 60 for dev/test) and --monitoring-role-arn pointing at that role.
  3. Verify the RDSOSMetrics log group starts receiving data, then bake the interval into your provisioning templates so new instances inherit it.

Remediation script · bash

# Apply Enhanced Monitoring to every non-compliant RDS instance in the region.
# Replace the account ID with your own; the role is the one created in step 1.
ROLE_ARN="arn:aws:iam::123456789012:role/rds-monitoring-role"

for id in $(aws rds describe-db-instances \
  --query "DBInstances[?MonitoringInterval==\`0\`].DBInstanceIdentifier" \
  --output text); do
    aws rds modify-db-instance \
      --db-instance-identifier "$id" \
      --monitoring-interval 60 \
      --monitoring-role-arn "$ROLE_ARN" \
      --apply-immediately
done

# Verify: every row should now show a non-zero MonitoringInterval.
aws rds describe-db-instances \
  --query "DBInstances[].{Id:DBInstanceIdentifier,Interval:MonitoringInterval}" \
  --output table

Full walkthrough (console steps, edge cases and verification) in the lesson Enable RDS Enhanced Monitoring.

Is RDS.6 a false positive?

Performance Insights being enabled does not satisfy RDS.6 — it surfaces engine-level query waits, not OS metrics. Enhanced Monitoring is a separate feature with its own MonitoringInterval, and the control only passes when that interval is non-zero.
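The fix steps above and the Performance Insights caveat, as an added Python/boto3 example that is not Emnode's code: it scores instances the way RDS.6 does (an instance with only Performance Insights still fails), builds the modify-db-instance parameters for each failure, and in live mode applies them. The caller supplies the monitoring role ARN from step 1; the instance identifiers in the sample are constructed.

```python
# Added example (not Emnode's code): score RDS.6 like Security Hub, build the
# modify-db-instance parameters, and optionally apply them with boto3.
MONITORING_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{  # step-1 IAM role
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "monitoring.rds.amazonaws.com"}}]}
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
VALID_INTERVALS = {1, 5, 10, 15, 30, 60}  # seconds RDS accepts when enabling

def rds6_status(instance):
    """(status, reason) as RDS.6 scores it; Performance Insights is ignored on purpose."""
    interval = instance.get("MonitoringInterval", 0)
    if interval > 0:
        return "PASSED", f"Enhanced Monitoring every {interval}s"
    if instance.get("PerformanceInsightsEnabled"):
        return "FAILED", "Performance Insights on, but MonitoringInterval is 0"
    return "FAILED", "MonitoringInterval is 0 (default)"

def remediation_params(instance, role_arn, interval=15):
    """Keyword arguments for rds.modify_db_instance on a failing instance."""
    if interval not in VALID_INTERVALS:
        raise ValueError(f"{interval}s is not a valid Enhanced Monitoring interval")
    return {"DBInstanceIdentifier": instance["DBInstanceIdentifier"],
            "MonitoringInterval": interval, "MonitoringRoleArn": role_arn,
            "ApplyImmediately": True}

def audit(instances, role_arn, interval=15):
    """[(id, status, reason, params or None)] for describe-db-instances output."""
    rows = []
    for inst in instances:
        status, reason = rds6_status(inst)
        params = remediation_params(inst, role_arn, interval) if status == "FAILED" else None
        rows.append((inst["DBInstanceIdentifier"], status, reason, params))
    return rows

def audit_region(role_arn, interval=15, apply=False):
    """Live mode: needs boto3 and credentials; apply=True remediates every failure."""
    import boto3  # imported here so the offline functions above run without it
    rds = boto3.client("rds")
    pages = rds.get_paginator("describe_db_instances").paginate()
    rows = audit([i for p in pages for i in p["DBInstances"]], role_arn, interval)
    for _, _, _, params in rows:
        if apply and params:
            rds.modify_db_instance(**params)
    return rows

# Constructed sample shaped like describe-db-instances output; not real instances.
SAMPLE = [{"DBInstanceIdentifier": "prod-orders", "MonitoringInterval": 15},
          {"DBInstanceIdentifier": "dev-scratch", "MonitoringInterval": 0},
          {"DBInstanceIdentifier": "reports", "MonitoringInterval": 0, "PerformanceInsightsEnabled": True}]
```

Run `audit(SAMPLE, role_arn)` offline to see the scoring, or `audit_region(role_arn, interval=15, apply=True)` against a real account once the step-1 role exists.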
