Compliance

Configure event notifications and subscriptions

One capability across RDS clusters, instances, parameter groups, security groups and S3 buckets: wire the events that signal trouble into a destination something is actually listening to, so nobody finds out about a problem from a customer first.

13 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: RDS.19 RDS.20 RDS.21 RDS.22 RDS.27 S3.11

Event notifications: the basics

What does it mean for a resource to announce that something happened to it?

AWS resources constantly emit events about what is happening to them. RDS publishes engine-level events (a failover started, storage ran low, a parameter changed, an instance failed, a database was deleted) categorised under tags like availability, failure, maintenance, configuration change, deletion and low storage. S3 buckets emit object-level events when something is created, removed, restored or transitioned. By default these go nowhere useful: the RDS events land in a console event log nobody opens, and the S3 events evaporate. An event subscription or notification configuration is what pipes a chosen set of those events into a destination (an SNS topic, an SQS queue, a Lambda function, or EventBridge) where they can page on-call, post to Slack, or trigger automation.

AWS Security Hub turns this into several controls, which is why a single estate can fail multiple notification checks at once. RDS.27 checks whether the account has any RDS event subscription at all for critical instance events. RDS.19, RDS.20, RDS.21 and RDS.22 are the targeted versions: they evaluate existing subscriptions per source type and fail if the subscription omits the categories that matter for that type (clusters need maintenance and failure; instances need maintenance, configuration change and failure; parameter groups need configuration change; security groups need configuration change and failure). S3.11 checks whether a general-purpose bucket has any event notification configuration at all. They look like separate findings, but they are one capability: make sure the events that signal trouble are wired to something that is listening.

They are flagged because a silent resource is a detection blind spot. The whole point of the logging-and-monitoring category is that you cannot respond to what you cannot see. Most RDS incidents are visible to AWS minutes before they become customer-visible (the low storage warning fires hours before the disk fills), and an S3 bucket that cannot tell you when objects change cannot trigger a quarantine workflow or feed an audit trail. The dangerous state is sometimes not "no subscription" but "a subscription that looks complete but quietly omits the failure events."

In this lesson you will learn how AWS expresses events across RDS source types and S3 buckets, which categories actually matter on-call, and how to wire the right events to a destination something is listening to without breaking anything. You will see why RDS.27 (any subscription exists) differs from the targeted RDS.19 through RDS.22 controls, why the dangerous state is sometimes a subscription that exists but omits the failure events, and how EventBridge is the lowest-friction destination for S3. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The subscription that listened for everything except failures

RDS event categories are oddly granular: there are over a dozen for instances alone, including availability, backup, deletion, low storage, read replica and recovery. A team can build a perfectly real subscription that fires on backup and notification events and feel thoroughly monitored, while the failure category, the one that fires when an instance cannot recover, sits unchecked. AWS observed this pattern often enough to write a control for it: the dangerous state is not "no subscription", it is "a subscription that looks complete but quietly omits the events that signal a real incident." Separately, S3 event delivery has always been at-least-once with no hard latency guarantee, so the teams that get burned are the ones who watched a notification work once in a demo and assumed exactly-once, in-order delivery they were never promised.

Finding notification gaps across an estate

Marco is the database lead at a fintech. Security Hub fires notification findings across the estate: several production accounts have no RDS event subscription at all (RDS.27), one account has a subscription scoped to instances but missing the failure categories (RDS.20), and a customer-uploads bucket has no S3 event notifications (S3.11). The on-call team has been finding out about failovers from support tickets for months.

Before creating anything he reads what is already there, because the most common trap is a subscription that exists and looks like coverage but quietly omits the events that signal an incident.

Inspect every RDS event subscription and read the source type and the categories actually configured on each.

$ aws rds describe-event-subscriptions --query 'EventSubscriptionsList[].{Name:CustSubscriptionId,Source:SourceType,Enabled:Enabled,Categories:EventCategoriesList}' --output json

"Name": "rds-prod-alerts",

"Source": "db-instance",

"Enabled": true,

"Categories": [ "availability", "notification" ]

# Source is db-instance (correct), but maintenance, configuration change

# and failure are all missing, so RDS.20 fails on this subscription.

The subscription exists and is enabled, but its category list omits every category RDS.20 requires. A subscription existing is not the same as a subscription being useful.

How AWS evaluates event notificationsdeep dive

RDS publishes events from the control plane, the same stream that powers the console event log. A subscription is a server-side filter: pick a SourceType (db-instance, db-cluster, db-parameter-group, db-security-group), optionally pin to specific source IDs, and pick from a fixed list of event categories; matching events publish to your SNS topic. The controls evaluate the AWS::RDS::EventSubscription resource. RDS.27 is the broad check: it fails an account that has no critical-event subscription at all. RDS.19 through RDS.22 are targeted set-membership tests per source type: clusters must carry maintenance and failure, instances maintenance, configuration change and failure, parameter groups configuration change, security groups configuration change and failure. The exact category strings matter (RDS expects the space in configuration change), and satisfying all four targeted controls typically means four separate subscriptions, one per source type.

Two behaviours catch teams on the RDS side. First, the targeted controls pass vacuously when no subscription of that source type exists, so a brand-new account can look compliant with zero monitoring; the first subscription you create must carry the required categories or the finding fires immediately. Second, omitting --source-ids makes the subscription cover every current and future resource of that source type in the account, which is what makes these cheap to satisfy in perpetuity: one subscription per source type, never touched again.

S3.11 is a different shape: it evaluates a bucket's single notification configuration resource and fails when it is empty. Any one valid destination satisfies the base control. The permissions model is where first attempts fail: for SNS and SQS you must grant s3.amazonaws.com permission on the destination's own resource policy (scoped with aws:SourceArn to the bucket) before the put call will validate; for Lambda you add a resource-based permission. EventBridge is the exception and the lowest-friction destination, because enabling it (an empty configuration block) needs no destination policy at all. One optional parameter is worth knowing: an administrator can set a custom eventTypes list on S3.11, in which case a bucket that notifies but does not cover those exact event types still fails.

What is the impact of running without event notifications?

The first impact is mean-time-to-recovery. A Multi-AZ failover takes seconds to a couple of minutes, during which writes fail; AWS publishes the failover event the moment it begins. With a subscription the on-call is paged before customer reports arrive; without one, the first signal is usually an application error-rate alert minutes later, with no context about why. A low storage event fires hours before the disk fills and writes freeze; missed, it becomes an outage instead of a planned storage bump.

The second impact is silent risk. RDS deletion events fire when somebody runs a delete against production; an S3 bucket with no notifications cannot tell anyone when a sensitive object is overwritten or lands where it should not. Caught in seconds, a deleted database can be restored from the final snapshot and a suspicious upload quarantined; discovered later, the recovery window may already be narrowing or the modification already exploited. These notifications are also the unlock for whole classes of automation (virus-scanning uploads, triggering pipelines, replicating or indexing objects), so a silent resource is a capability gap as well as a detection gap.

On the compliance side, these controls map to continuous-monitoring requirements: SOC 2 CC7.2, ISO 27001 A.12.4, PCI DSS, and the NIST 800-53 CA-7 and SI-4 families. Auditors increasingly ask specifically about RDS event subscriptions and S3 event notifications as evidence, and "we check the console" is no longer a passing answer. There is no AWS bill impact, because the notifications are free; the cost is entirely operational and reputational, the cost of finding out about your own problems from your customers.

How do you wire up event notifications safely?

Work the capability as one loop. The order matters: see what exists, make sure the destination is real and confirmed, wire the events that matter, test the route end-to-end, and bake it into provisioning so the gap does not return.

1. Inventory existing subscriptions, notifications and destinations

Run describe-event-subscriptions across every region you run RDS in (subscriptions are regional) and read each one's source type and category list, not just whether it exists. Check each general-purpose bucket's notification configuration for the empty state that fails S3.11. While you are there, identify which SNS topic ops already uses for paging so you do not create a duplicate, and remember that a clean account with zero subscriptions passes the targeted RDS controls vacuously, which is compliant but not safe.

2. Wire the events that actually matter, account-wide

For RDS, create one subscription per source type (omitting --source-ids so it auto-covers current and future resources) carrying the required categories: instances need maintenance, configuration change and failure (RDS.20); clusters maintenance and failure (RDS.19); parameter groups configuration change (RDS.21); security groups configuration change and failure (RDS.22). For S3, route the bucket to EventBridge (an empty configuration block) where you want the lowest-friction fix and a central detection bus, or to SQS / Lambda / SNS for direct processing, granting the destination permission to S3 first.

3. Test the route end-to-end before you trust it

Do not trust a green API response. Trigger a harmless event and confirm the page or message actually arrives: reboot a non-production database to emit an availability event, or upload a test object to the bucket and watch the destination receive it. If nothing arrives, the gap is downstream (an SNS topic policy, an unconfirmed subscription, a broken PagerDuty integration), and you want to find it now rather than during a real incident. A configured-but-untested subscription is a false assurance.

4. Bake it into provisioning so the gap cannot return

Fix the source, not just the resources. Add the RDS event subscriptions to your account landing-zone template so new accounts have them from day one, and bake notification configuration into the bucket module so new buckets get at least EventBridge by default. Keep the matching AWS Config rules enabled so any drift (a deleted subscription, a new region without one, a new bucket with an empty configuration) generates a finding within minutes. Provisioning the monitoring before the resource is what stops these findings reappearing.

# One SNS topic, then one RDS subscription per source type with the required categories.
TOPIC=$(aws sns create-topic --name ops-pager --query TopicArn --output text)

aws rds create-event-subscription --subscription-name rds-instance-critical \
  --sns-topic-arn "$TOPIC" --source-type db-instance \
  --event-categories "maintenance" "configuration change" "failure" --enabled   # RDS.20

aws rds create-event-subscription --subscription-name rds-cluster-critical \
  --sns-topic-arn "$TOPIC" --source-type db-cluster \
  --event-categories "maintenance" "failure" --enabled                           # RDS.19

aws rds create-event-subscription --subscription-name rds-pg-critical \
  --sns-topic-arn "$TOPIC" --source-type db-parameter-group \
  --event-categories "configuration change" --enabled                            # RDS.21

aws rds create-event-subscription --subscription-name rds-sg-critical \
  --sns-topic-arn "$TOPIC" --source-type db-security-group \
  --event-categories "configuration change" "failure" --enabled                  # RDS.22

# S3: EventBridge is the lowest-friction destination, no per-bucket policy needed.
aws s3api put-bucket-notification-configuration --bucket acme-customer-uploads \
  --notification-configuration '{"EventBridgeConfiguration":{}}'                 # S3.11

# Then smoke-test the wire: reboot a non-prod DB and confirm the page lands.
aws rds reboot-db-instance --db-instance-identifier staging-postgres-1

Quick quiz

Question 1 of 5

Security Hub shows notification failures across RDS (RDS.27 and RDS.20) and S3 (S3.11). What is the most efficient way to think about them?

Keep learning

Go deeper on how events, source types and destinations work across the services in this capability.

You can now treat event notifications as one capability rather than a scatter of findings: inventory what exists across RDS source types and S3 buckets, wire the events that signal trouble to a destination something is actually listening to, test the route end-to-end rather than trusting a green API response, and bake the configuration into account and bucket provisioning so the gap cannot return. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Event notifications: the cost and risk view

A near-zero-cost capability that decides whether incidents are self-discovered or customer-reported

Almost every control in this group costs nothing in AWS spend to satisfy. Creating an RDS event subscription or enabling S3 event notifications has no per-resource fee, and the downstream destinations cost a fraction of a cent per thousand messages. The only spend is the one-time engineering time to wire it up. What is not free is the cost of the absence: when a failover, a low-storage event or an unexpected object change goes unseen, the first signal is typically a customer complaint or a full outage, both far more expensive than the notification that would have arrived minutes earlier.

Frame these as audit-readiness and incident-cost items rather than savings items, because there is no meaningful dollar lever to pull. The relevant numbers are the count of accounts and buckets with no notifications, whether that count is trending down, and the history of incidents that were discovered late. Even one database outage this year that was found from a customer ticket usually pays for the entire remediation.

These are mostly Low or Medium severity, which is the right framing for the budget conversation: not an emergency, but cheap insurance against an expensive surprise. The subtle point is that a subscription existing is not the same as a subscription being useful. RDS.19 through RDS.22 exist precisely because teams set one up, check the box, and never confirm it covers the failure events, so the finance question is not "do we have monitoring?" but "is it wired to the right events and has anyone tested that the page actually arrives?"

This lesson is for the finance partner who sees a cluster of notification findings on the security report and wants to know whether they are a fire, a chore or a rounding error. It covers why the fix is near-free, why these belong in the cheap-insurance bucket rather than the cost-optimisation backlog, why a configured-but-untested subscription is a false assurance, and the governance levers (ownership, an audit-anchored deadline, and tracking the per-account trend) that keep the gaps closed.

Fun fact

The subscription that listened for everything except failures

How a finance partner frames the notification gaps

Priya is the finance partner reviewing the security pack at the same fintech. Security Hub shows a cluster of notification findings: several production accounts with no RDS event subscription at all (RDS.27), one account with an instance subscription missing the failure categories (RDS.20), and a customer-uploads bucket with no S3 notifications (S3.11). She knows the dollar lever here is near zero, because creating a subscription is free and the downstream messages cost a fraction of a cent per thousand, so she does not treat this as a savings line.

Instead she sizes it as cheap insurance against an expensive surprise. She asks the team for one number: how many incidents this year were first discovered from a customer ticket rather than from the systems themselves. The on-call lead admits they have been learning about failovers from support tickets for months. That single fact reframes the conversation: even one database outage found late, with its on-call hours, SLA credits and post-mortem, dwarfs the near-zero cost of wiring the events. Her output for the pack is two lines: the count of accounts and buckets with no notifications, and a note that a configured subscription is not the same as a tested one, so she will ask whether anyone has confirmed the page actually arrives.

Why this matters to risk and readiness, not the bill

The financial impact of running without notifications accumulates through incidents, not through AWS charges. The notifications themselves cost essentially nothing. What missing them costs is measurable: each problem that would have been caught early instead becomes a customer-visible outage with the full incident-cost stack of on-call hours, SLA credits, post-mortems and potential churn.

The way to size it is a simple expected-value sketch: estimate the cost of an outage that runs an hour or two longer because nobody was alerted, and multiply by how often that is plausible over a year. Even a low probability against a high-cost outcome dwarfs the near-zero cost of the fix. This is the textbook profile of cheap insurance, and the right finance move is to make sure these Low-and-Medium-severity but high-leverage controls do not get starved when triage runs purely on the severity label.

There is also an audit-and-deal dimension. Open monitoring findings feed the compliance score that surfaces in security questionnaires, vendor risk assessments and SOC 2 / ISO audits. "Can you detect when a database fails or when data in your storage changes?" is a question that gets asked, and an open finding is an awkward answer that can delay a deal or a renewal. Track these as audit-readiness lines with an owner and an audit-anchored deadline, not as savings items, and require that a subscription be tested end-to-end rather than just configured, because a subscription that SNS silently drops is no better than none.

What finance can actually do about event notifications

1. Inventory existing subscriptions, notifications and destinations

2. Wire the events that actually matter, account-wide

3. Test the route end-to-end before you trust it

4. Bake it into provisioning so the gap cannot return

Quick quiz

Question 1 of 5

Why do these notification controls belong in the cheap-insurance bucket rather than the cost-optimisation backlog?

Keep learning

Go deeper on how events, source types and destinations work across the services in this capability.

You have finished the finance view of event notifications. You know the fix is near-free and belongs in the cheap-insurance bucket rather than the cost-optimisation backlog, that a configured subscription is not the same as a tested one (RDS.19 to RDS.22 exist precisely because teams check the box and never confirm the failure categories), and that the metric to watch is the per-account count and its close rate, not a dollar saving that does not exist here. Next time a cluster of notification findings lands, you will ask whether anyone has confirmed the page actually arrives.

Back to the library

Event notifications: the headline

Whether the team finds out about problems from its own systems or from its customers

AWS sends real-time signals when something important happens to a database or a storage bucket: a failover begins, disk space runs low, a production instance is deleted, an object changes. Without an event subscription or notification configuration, those signals go unread until a customer or a broken application surfaces the problem. With one, the right team is paged within seconds.

Security Hub flags the accounts and buckets where this is not configured. The cost to set it up is negligible; the cost of not having it is higher mean-time-to-recovery, more customer-visible incidents, and a weaker compliance posture against the continuous-monitoring controls auditors test. The leadership question is simple: do we find out about our own problems before or after our customers do?

None of this is a cost decision. Wiring events is close to free in AWS terms. It is a governance decision about whether the organisation is the first to know when its critical systems are in trouble, or the last.

A short read for the leader who needs to know what an open notification finding means in plain terms (the organisation is systematically last to know about its own problems), why closing it is a governance decision rather than a budget one, and what a defensible end state looks like: every production account and sensitive bucket subscribed, tested end-to-end, and maintained so the gap cannot quietly return.

Fun fact

The subscription that listened for everything except failures

What it looks like when the team finds out first, by design

After an incident review where a Multi-AZ failover had been surfaced by a customer complaint rather than by the on-call page, the CTO asked the question that frames this whole capability: do we find out about our own problems before or after our customers do? The honest answer was after, because AWS was emitting the signals (failover, low storage, deletion) but nobody had wired them to a destination anyone was listening to.

The leadership response was to set a standard rather than chase findings: every production account and every sensitive bucket has active, tested notifications, baked into the account landing-zone template and the bucket module so new accounts and buckets are covered from day one. Crucially they required the routes to be tested end-to-end, not just configured, because a team had previously set up a subscription, checked the box, and never confirmed it covered the failure categories. Six months on, the answer to the CTO's question had flipped to before, and the four RDS event controls staying green and tested became a standing confidence signal that the team maintains its monitoring rather than setting it and forgetting it.

Why this is on the report at all

Running without these notifications means the organisation is systematically blind to its own problems until they surface externally, via customer complaints, application outages, or a deleted production database nobody noticed. AWS is emitting the signals; the question Security Hub is measuring is whether anyone is listening. The reason a low-dollar finding earns a line on the report is leverage: the fix is among the cheapest available, and the thing it protects against is one of the more expensive incidents a platform team can have.

These findings are also a tell about operating discipline. A failing notification control usually means someone set up monitoring once and never verified it covered the events that matter, the same pattern that hides in bigger, less-visible systems. A team that keeps these green, tested and maintained is a team that maintains its monitoring rather than setting it and forgetting it. The leadership move is to set the standard (every production account and sensitive bucket subscribed, tested end-to-end, and maintained) and bake it into account and bucket provisioning, so the gap is closed at creation rather than discovered during an outage or an audit.

The leadership move on event notifications

1. Inventory existing subscriptions, notifications and destinations

2. Wire the events that actually matter, account-wide

3. Test the route end-to-end before you trust it

4. Bake it into provisioning so the gap cannot return

Quick quiz

Question 1 of 5

What is the single accountability question this capability comes down to for leadership?

Keep learning

Go deeper on how events, source types and destinations work across the services in this capability.

Two takeaways: running without these notifications means the organisation is systematically last to know about its own problems, and because the fix is close to free the open finding is a governance signal rather than a budget one. Set the standard that every production account and sensitive bucket is subscribed and tested end-to-end, bake it into account and bucket provisioning, and the team becomes the first to know when its critical systems are in trouble rather than the last.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

RDS

S3

S3.11 Medium Buckets should have event notifications enabled

Part of the learning path See what's happening

Configure event notifications and subscriptions

Event notifications: the basics

The subscription that listened for everything except failures

Finding notification gaps across an estate

How AWS evaluates event notificationsdeep dive

What is the impact of running without event notifications?

How do you wire up event notifications safely?

1. Inventory existing subscriptions, notifications and destinations

2. Wire the events that actually matter, account-wide

3. Test the route end-to-end before you trust it

4. Bake it into provisioning so the gap cannot return

Quick quiz

Keep learning

Event notifications: the cost and risk view

The subscription that listened for everything except failures

How a finance partner frames the notification gaps

Why this matters to risk and readiness, not the bill

What finance can actually do about event notifications

1. Inventory existing subscriptions, notifications and destinations

2. Wire the events that actually matter, account-wide

3. Test the route end-to-end before you trust it

4. Bake it into provisioning so the gap cannot return

Quick quiz

Keep learning

Event notifications: the headline

The subscription that listened for everything except failures

What it looks like when the team finds out first, by design

Why this is on the report at all

The leadership move on event notifications

1. Inventory existing subscriptions, notifications and destinations

2. Wire the events that actually matter, account-wide

3. Test the route end-to-end before you trust it

4. Bake it into provisioning so the gap cannot return

Quick quiz

Keep learning

Controls this lesson covers

RDS

S3

Related compliance lessons