Compliance

Enable RDS Enhanced Monitoring

Security Hub RDS.6 — default CloudWatch shows hypervisor-level metrics. Enhanced Monitoring exposes OS-level CPU, memory, and disk granularity.

10 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: RDS.6

Enhanced Monitoring: the basics

What does it actually mean for an RDS instance to lack Enhanced Monitoring?

By default, an RDS instance ships a handful of metrics to CloudWatch every 60 seconds: CPUUtilization, FreeableMemory, FreeStorageSpace, ReadIOPS/WriteIOPS, NetworkReceiveThroughput, and a few more. These come from outside the guest — the hypervisor measures them, not the OS. They tell you the box is busy. They don't tell you why.

Enhanced Monitoring is a separate feature that runs an agent inside the database host, scrapes /proc-style OS metrics, and streams them to CloudWatch Logs at 1, 5, 10, 15, 30, or 60-second intervals. You get per-process CPU and memory, IO wait, swap, load average, individual disk device utilisation — the kind of view you'd get from top, iostat, and vmstat on a normal Linux host.

Security Hub control RDS.6 fails any RDS instance with MonitoringInterval = 0, which is the default for instances created without explicitly opting in. The control is a fail-by-omission: nobody chose to leave it off, it just was never turned on.

In this lesson you'll learn the difference between default CloudWatch metrics and Enhanced Monitoring, when the extra granularity actually pays for itself (and when it doesn't), how to pick an interval that doesn't blow up your CloudWatch Logs bill, and how to flip it on safely with the right IAM role attached. You'll see real CLI investigation and the exact modify-db-instance call to remediate the finding.

Fun fact

The mystery 4am CPU spike

A team chased a recurring 4am CPU spike on their production Postgres for two months. Default CloudWatch showed CPU pinned at 95% for exactly 11 minutes, then back to baseline. Nothing in the slow-query log, no application traffic. They finally enabled Enhanced Monitoring at 5-second resolution and saw it immediately: autovacuum on a 400GB append-only table, kicked off by the daily stats threshold. One tuning parameter — autovacuum_vacuum_scale_factor — and the spike vanished. Two months of guessing, ten minutes of OS-level metrics.

Enabling Enhanced Monitoring in action

Marco is the database lead at a fintech. Security Hub fires RDS.6 against their primary Postgres instance — db-prod-payments — and he needs to clear it before the next SOC 2 audit window closes.

Before flipping the switch he wants to know the current state and the cost implication. Enhanced Monitoring streams to CloudWatch Logs at roughly $0.50/GB ingest; at 1-second intervals on a busy DB that's not free. He needs to pick the right interval, not just the cheapest.

He starts by checking the current monitoring configuration on the instance.

First, confirm the finding — check MonitoringInterval on the flagged instance.

$ aws rds describe-db-instances --db-instance-identifier db-prod-payments --query "DBInstances[0].{Id:DBInstanceIdentifier,Class:DBInstanceClass,Interval:MonitoringInterval,RoleArn:MonitoringRoleArn,PI:PerformanceInsightsEnabled}" --output table

┌────────────────────┬──────────────┬──────────┬──────────┬──────┐

│ Id │ Class │ Interval │ RoleArn │ PI │

├────────────────────┼──────────────┼──────────┼──────────┼──────┤

│ db-prod-payments │ db.r6g.2xl │ 0 │ None │ True │

└────────────────────┴──────────────┴──────────┴──────────┴──────┘

# Interval=0 means Enhanced Monitoring is off. Performance Insights is on — useful but separate.

RDS.6 confirmed — MonitoringInterval is 0 and no monitoring role is attached.

Now enable it at 15-second resolution for production. The monitoring role is a one-time IAM setup — re-use it across every RDS instance in the account.

$ aws rds modify-db-instance --db-instance-identifier db-prod-payments --monitoring-interval 15 --monitoring-role-arn arn:aws:iam::123456789012:role/rds-monitoring-role --apply-immediately

{

"DBInstance": {

"DBInstanceIdentifier": "db-prod-payments",

"DBInstanceStatus": "configuring-enhanced-monitoring",

"MonitoringInterval": 15,

"MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role"

}

# No restart, no failover. RDSOSMetrics log group starts receiving data within ~2 minutes.

Enhanced Monitoring enabled in-place. The change is online — no downtime.

Enhanced Monitoring under the hooddeep dive

Default CloudWatch metrics for RDS are emitted by the Nitro hypervisor — it sees the VM as a black box and reports what the host sees: CPU time charged to the VM, network bytes through the ENI, EBS volume IOPS at the block layer. From the guest's perspective it's invisible; nothing runs inside the database host to produce these metrics.

Enhanced Monitoring runs a small CloudWatch Logs agent inside the DB host (the same agent AWS manages for you on every RDS instance). It samples /proc, /sys, and the IO subsystem at your chosen interval and pushes a JSON document into the RDSOSMetrics log group. Each document includes per-process CPU/memory, swap usage, load average, IO wait, and per-device disk stats — the same fields you'd get from running top -b, vmstat, and iostat -x on a normal Linux box.

Pricing is straightforward but easy to underestimate: you pay CloudWatch Logs ingest (~~$0.50/GB) and storage (~~$0.03/GB-month) on the volume of OS metrics, which scales linearly with the inverse of the interval. A 1-second interval on a busy r6g.2xlarge can produce several GB per day. 60-second intervals are essentially free; 15 seconds is the typical production sweet spot; 1 second is for active troubleshooting, not steady state.

# The IAM role RDS needs to push OS metrics into CloudWatch Logs.
# AWS provides a managed policy — you just create the role and attach it.
aws iam create-role \
  --role-name rds-monitoring-role \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"monitoring.rds.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

aws iam attach-role-policy \
  --role-name rds-monitoring-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole

What is the impact of running RDS without Enhanced Monitoring?

The direct impact is diagnostic blindness. When a latency spike happens at 3am, default CloudWatch tells you CPU went to 90% and that's it. You can't see whether it was a vacuum, a checkpointer, a runaway query, or backup IO competing for the disk — all of those look identical at the hypervisor layer. Without OS-level visibility most database incidents end up being guess-and-check, which means longer MTTR and more pages.

The second-order impact is over-provisioning. Teams that can't see what's actually consuming CPU and memory tend to throw bigger instances at the problem. "It might be memory pressure, let's go up a tier" is a $400/month fix for a problem that Enhanced Monitoring would have solved with a config change. Right-sizing decisions made without OS metrics are decisions made blind.

The compliance impact is concrete: RDS.6 sits in the AWS Foundational Security Best Practices and is one of the checks PCI DSS and HIPAA-aligned reviewers expect to see passing. A failed RDS.6 on a production database doesn't break the audit by itself, but it's the kind of finding that turns into a written remediation requirement with a deadline.

Enhanced Monitoring is also the prerequisite for several useful CloudWatch alarms — IO wait sustained above 20%, swap-in rate above zero, per-disk queue depth — none of which can be alarmed on without it. Without OS metrics, you're alarming on symptoms, not causes.

How do you enable Enhanced Monitoring without blowing up the bill?

Enabling Enhanced Monitoring is a four-step loop. The order matters — interval choice and IAM setup come before flipping the switch, audit and alarming come after.

1. Inventory which instances are non-compliant

Run describe-db-instances across every region and filter for MonitoringInterval=0. Sort by DBInstanceClass — bigger instances get higher priority because they're typically prod, and because they have the most useful OS-level signal to surface. Stage your remediation; you don't need to flip every dev DB at the same time as prod.

2. Create the monitoring role once, reuse everywhere

RDS needs an IAM role with the AWS-managed AmazonRDSEnhancedMonitoringRole policy attached. Create it once per account, name it predictably (rds-monitoring-role is the convention), and reference its ARN in every modify-db-instance call. Don't create one per instance — that's a pointless IAM explosion.

3. Pick the interval based on workload, not the cheapest default

60 seconds for dev/test (essentially free, still satisfies RDS.6). 15 seconds for steady-state production — the sweet spot between cost and resolution. 1-5 seconds only when you're actively troubleshooting; turn it back down to 15 once the incident is closed. Don't leave 1-second on a fleet of busy DBs unless you've budgeted for the CloudWatch Logs spend.

4. Pair it with Performance Insights and alarms

Enhanced Monitoring shows you what the OS sees; Performance Insights shows you what the database engine sees — query-level wait events, top SQL by load, blocking sessions. They're complementary, not redundant. PI is free for 7-day retention. Once both are on, wire up alarms on IO wait, swap usage, and DB load — that's the value Enhanced Monitoring unlocks.

# Apply Enhanced Monitoring to every non-compliant RDS instance in the region.
for id in $(aws rds describe-db-instances \
  --query "DBInstances[?MonitoringInterval==\`0\`].DBInstanceIdentifier" \
  --output text); do
    aws rds modify-db-instance \
      --db-instance-identifier "$id" \
      --monitoring-interval 60 \
      --monitoring-role-arn arn:aws:iam::123456789012:role/rds-monitoring-role \
      --apply-immediately
done

# Verify — every row should now show a non-zero MonitoringInterval.
aws rds describe-db-instances \
  --query "DBInstances[].{Id:DBInstanceIdentifier,Interval:MonitoringInterval}" \
  --output table

Quick quiz

Question 1 of 5

You've cleared RDS.6 on a production Postgres instance by enabling Enhanced Monitoring at 15-second intervals. Three weeks later finance pings you about a $900/month spike on CloudWatch Logs. What's the most likely cause?

Keep learning

Dig deeper into RDS observability and the controls around it.

You've completed Enable RDS Enhanced Monitoring. You can now tell the difference between hypervisor and OS-level metrics, pick an interval that satisfies RDS.6 without burning the CloudWatch Logs budget, and pair Enhanced Monitoring with Performance Insights for full-stack database visibility. The next time RDS.6 shows up in a Security Hub digest, you'll have a four-step loop ready to run.

Back to the library

RDS.6 Enhanced Monitoring: what it means for cost and operational visibility

A small, interval-driven CloudWatch Logs charge that buys OS-level diagnostic depth — and a direct compliance tick

Amazon RDS ships basic performance metrics from outside the database host at no extra charge. What it doesn't give you by default is visibility into what's happening inside the OS — which process is consuming CPU, whether memory pressure is spilling to swap, or why disk IO is spiking. Enhanced Monitoring fills that gap by running an agent inside the database host and streaming OS-level metrics to CloudWatch Logs. Security Hub flags databases that lack it as a failing control under RDS.6.

The cost of Enhanced Monitoring is a function of one variable you control: the polling interval. A 60-second interval on any instance size is essentially free — the CloudWatch Logs volume is negligible. A 1-second interval on a large, busy database can produce several gigabytes of logs per day at roughly $0.50/GB ingest, which adds up fast across a fleet. The finance question this control surfaces isn't whether to enable it — RDS.6 compliance is non-negotiable for SOC 2 and HIPAA-aligned reviews — it's what interval to set for each tier of database to pass the control at the lowest justified cost.

The right framing is a tiering model: production-critical databases warrant 15-second intervals for genuine diagnostic value, dev and test instances can sit at 60 seconds and satisfy the control for near-zero spend. The cost exposure from Enhanced Monitoring comes almost entirely from high-frequency intervals left running on large fleet databases after an incident closes — that's where the CloudWatch Logs bill surprises happen.

This lesson is for the finance partner who wants to understand why RDS.6 is a compliance requirement, what the actual spend driver is (CloudWatch Logs ingest, scaled by interval), and how to work with engineering on an interval tiering policy that satisfies the control across every environment without generating unexpected log costs. You'll leave with the cost model — essentially a one-variable formula — and the governance approach that prevents high-frequency intervals from silently accumulating charges after incidents close.

Fun fact

The mystery 4am CPU spike

How a finance partner approaches the RDS.6 remediation conversation

Dana is the finance partner reviewing the security findings before the SOC 2 audit closes. RDS.6 is flagged across fourteen databases — all showing MonitoringInterval=0. Engineering wants to bulk-enable Enhanced Monitoring and move on. Dana's job is to make sure the remediation doesn't create a new CloudWatch Logs cost surprise.

She pulls the current CloudWatch Logs bill alongside the RDS instance list. The fourteen databases span three tiers: four large production databases (r6g.2xlarge or bigger), six medium production instances, and four dev/test databases. Dana works with the database lead to agree on an interval policy before anything gets enabled: 15 seconds for the four large production instances, 30 seconds for the medium-tier production databases, and 60 seconds for dev/test. She models the incremental CloudWatch Logs spend for each tier — the 15-second group is the only one with a material cost; the rest are negligible.

The result is a remediation plan that clears RDS.6 on all fourteen databases and carries a known, pre-approved incremental monthly cost. Dana marks the intervals in the cost tracking sheet and flags: if any database is temporarily dropped to 1-5 second intervals for troubleshooting, it needs to be reverted within 48 hours or approved as a budget change. That one standing rule is what prevents the billing surprises.

The cost of not having Enhanced Monitoring — and the cost risk of enabling it carelessly

Without Enhanced Monitoring, incidents take longer to diagnose. Longer incidents mean more engineering hours at incident rates, more business disruption, and more customer impact. But the most direct finance-visible consequence is what happens after those incidents: teams that can't see OS-level metrics tend to over-provision as a hedge. A database that looks like a CPU problem at the hypervisor layer might simply be running autovacuum on a large table — but without OS metrics you can't know that, so the reflex is to go up a tier. A single unnecessary instance-class upgrade on an r6g.2xlarge is several hundred dollars a month in perpetuity.

On the compliance side, a failing RDS.6 in a SOC 2 or HIPAA-aligned review environment is a written finding with a remediation deadline. That isn't abstract risk — audit remediation cycles consume engineering time, and a recurrent finding can delay certification. RDS.6 is straightforward enough to fix that a sustained failure reflects a governance gap more than a technical one.

The cost risk from Enhanced Monitoring itself is also worth naming. It's entirely driven by interval selection. Sixty-second intervals add virtually nothing to the CloudWatch Logs bill on any fleet. But 1-second intervals on a large database during active troubleshooting can ingest several gigabytes of logs per day per instance. Left running across a fleet, that's a meaningful, visible cost anomaly — and it's the kind of cost that appears without any deliberate decision because someone forgot to revert after an incident closed.

The finance position on this control is: enable it everywhere (non-negotiable for compliance), set intervals by tier (60 seconds for dev/test, 15 seconds for production as the steady-state default), and put an alerting rule or budget line on CloudWatch Logs so that any spike from short-interval troubleshooting is visible and time-bounded.

What finance should actually govern on RDS.6

Finance doesn't run the CLI commands, but it owns the interval policy and the cost guardrails that prevent Enhanced Monitoring from becoming a runaway CloudWatch Logs line. Four levers, used at the regular review cadence.

1. Lock in a steady-state interval tier by environment

Agree with engineering on a standing interval policy before remediation runs: 60 seconds for dev/test environments (satisfies RDS.6, near-zero cost), 15 seconds for steady-state production (the diagnostic sweet spot). That policy should be codified in Terraform or CloudFormation module defaults so new databases inherit it, not negotiated instance-by-instance.

2. Budget the incremental CloudWatch Logs cost explicitly

Model the steady-state CloudWatch Logs increase before remediation: for each production database at 15-second intervals, estimate the daily ingest volume from the instance size and typical throughput. The cost is predictable — model it upfront, add it to the cloud cost forecast, and then it becomes a managed line rather than a bill surprise.

3. Put a cost alert on CloudWatch Logs for anomalous spikes

Short-interval troubleshooting (1-5 seconds) is the only scenario where Enhanced Monitoring costs real money at scale. Set a CloudWatch Logs cost alarm at a threshold above the steady-state baseline — any spike above it triggers a review to confirm the interval has been reverted once the incident is closed. This single guardrail prevents most budget surprises from this control.

4. Track RDS.6 compliance per environment in the audit pack

At the monthly cloud governance review, include the count of RDS instances with MonitoringInterval=0 by environment. Any production database with MonitoringInterval=0 is both a compliance finding and an uninsured diagnostic gap; it should carry an owner and a remediation date. Dev/test instances can sit at 60 seconds — ensure they're recorded there by design, not by accident.

Quick quiz

Question 1 of 5

Engineering proposes enabling Enhanced Monitoring at 1-second intervals on all twenty production databases to maximise diagnostic value before approving the fleet-wide RDS.6 remediation. What is the right finance response?

Keep learning

Dig deeper into RDS observability and the controls around it.

You've finished the finance view of RDS.6. The key model is simple: one variable (the interval) drives nearly all the cost variation; steady-state production at 15 seconds is the right default; troubleshooting intervals need a revert policy or they accumulate silently. You now have the cost framework — tier by environment, model before approving, alert on spikes — to govern Enhanced Monitoring as a planned line rather than a bill surprise.

Back to the library

RDS.6 Enhanced Monitoring: the headline

Whether the team can actually diagnose a database incident — or just confirm one is happening

Default cloud monitoring tells you a database is under stress. It doesn't tell you why. Enhanced Monitoring puts an agent inside each database host so the team can see what is actually consuming resources — and resolve incidents in minutes rather than hours. Security Hub flags databases that lack this as a failing compliance control.

This is a low-cost, high-value operational hygiene item. The charge is usage-based and scales with a single dial: how frequently the agent samples. Leaving it off entirely means the team is flying blind during incidents; setting it carelessly at maximum frequency on a large fleet is where unnecessary spend accumulates. The leadership expectation is simple: every production database has Enhanced Monitoring on at a sensible interval, by policy, so incident response never depends on whether someone remembered to enable it.

A short read for the leader who wants to know what RDS.6 protects, why it's worth the modest operational overhead, and what the right accountability signal looks like. You'll get the plain-English version of what Enhanced Monitoring does and doesn't do, why the cost risk is in the interval dial rather than the feature itself, and what a healthy posture looks like: every production database covered by policy, with interval choices that are deliberate rather than accidental.

Fun fact

The mystery 4am CPU spike

What a well-governed RDS.6 remediation looks like

At one company, every database incident started the same way: an alert that CPU was high, followed by an hour of guessing. The team had no OS-level visibility — just the hypervisor metrics that confirmed something was wrong without saying what. Enabling Enhanced Monitoring across the production fleet, with a policy-driven interval by database tier, changed that. The first incident after the rollout was diagnosed from the OS metrics in under ten minutes.

The leadership signal that mattered wasn't the speed of the fix. It was that Enhanced Monitoring was now on by default for all production databases, with a one-page interval policy that the finance partner had signed off on. Compliance passed, the CloudWatch Logs cost was a predictable line on the bill, and no one had to remember to enable it before an incident.

Why RDS.6 is an operational risk signal, not just a compliance box

Running production databases without Enhanced Monitoring means that when something goes wrong — a slow query, a memory spike, a 3am page — the team's first tool is educated guessing. The hypervisor metrics confirm the problem exists; they don't explain it. That gap directly extends incident duration, and in a customer-facing service, every additional minute of investigation is additional customer impact.

The compliance dimension is direct: RDS.6 is a required passing control for SOC 2 and HIPAA-aligned audits. A finding here doesn't fail an audit on its own, but it generates a written remediation commitment with a deadline, which diverts engineering time and can create scrutiny around broader operational maturity. It's a signal that gets noticed.

The right question for leadership isn't "is it enabled?" — it's "is it governed?" Enabling the feature is the easy part. The management signal is whether the org has an interval policy that distinguishes steady-state from troubleshooting mode, and whether there's a control in place to catch incidents where someone drops to 1-second sampling and never turns it back up. That's what separates a compliance check from an actual capability.

The governance posture on RDS.6

The leadership handle isn't the interval numbers — it's that every production database has Enhanced Monitoring on by policy, with the interval dial governed so that cost doesn't drift when the team runs an incident.

1. Set the default: production databases have Enhanced Monitoring on

Make it policy that any production database launches with Enhanced Monitoring enabled, at a standard interval, without requiring a manual opt-in. A default that engineers have to override is a default that holds; a default that requires opt-in is a default that gets skipped.

2. Treat short intervals as a time-bounded incident tool

High-frequency sampling (1-5 seconds) is for active troubleshooting, not steady state. Policy should require that intervals be reverted to the standard tier within a short window after an incident closes. That's a process control, not a technical one — but it's the only thing that keeps the CloudWatch Logs bill stable across a large fleet.

3. Ask for the compliance trend, not the setting list

The one leadership question for this control is: are all production databases passing RDS.6, and is our CloudWatch Logs spend tracking to forecast? A consistent yes on both is evidence that the control is governed by policy, not patched on demand. That's the signal worth tracking at the executive level.

Quick quiz

Question 1 of 5

At the quarterly review you're told all RDS.6 findings are cleared, every production database has Enhanced Monitoring enabled, and the CloudWatch Logs cost is tracking within forecast. What is the right read?

Keep learning

Dig deeper into RDS observability and the controls around it.

That's the lesson. Enhanced Monitoring turns a compliance checkbox into a genuine incident-response capability — but only if it's governed. The leadership signal to ask for is whether every production database is on by policy at a standard interval, with a process to revert after troubleshooting. That one-line posture is what separates a managed control from one that passes audits and then generates cost surprises.

Back to the library

Part of the learning path Tighten your databases

Enable RDS Enhanced Monitoring

Enhanced Monitoring: the basics

The mystery 4am CPU spike

Enabling Enhanced Monitoring in action

Enhanced Monitoring under the hooddeep dive

What is the impact of running RDS without Enhanced Monitoring?

How do you enable Enhanced Monitoring without blowing up the bill?

1. Inventory which instances are non-compliant

2. Create the monitoring role once, reuse everywhere

3. Pick the interval based on workload, not the cheapest default

4. Pair it with Performance Insights and alarms

Quick quiz

Keep learning

RDS.6 Enhanced Monitoring: what it means for cost and operational visibility

The mystery 4am CPU spike

How a finance partner approaches the RDS.6 remediation conversation

The cost of not having Enhanced Monitoring — and the cost risk of enabling it carelessly

What finance should actually govern on RDS.6

1. Lock in a steady-state interval tier by environment

2. Budget the incremental CloudWatch Logs cost explicitly

3. Put a cost alert on CloudWatch Logs for anomalous spikes

4. Track RDS.6 compliance per environment in the audit pack

Quick quiz

Keep learning

RDS.6 Enhanced Monitoring: the headline

The mystery 4am CPU spike

What a well-governed RDS.6 remediation looks like

Why RDS.6 is an operational risk signal, not just a compliance box

The governance posture on RDS.6

1. Set the default: production databases have Enhanced Monitoring on

2. Treat short intervals as a time-bounded incident tool

3. Ask for the compliance trend, not the setting list

Quick quiz

Keep learning

Related compliance lessons