RDS instance has enhanced monitoring enabled

rds_instance_enhanced_monitoring_enabled

Severity: low
Service: rds
by Prowler

RDS DB instances are evaluated for Enhanced Monitoring being enabled, which publishes real-time OS-level metrics (CPU, memory, disk, network) to CloudWatch Logs for each instance.

Risk

Without Enhanced Monitoring, you lack real-time OS telemetry, delaying detection of resource saturation and abnormal activity.

This raises MTTR and risks availability impacts (timeouts, failovers), reduces integrity assurance during incidents, and weakens forensic visibility.

Run this check with Prowler CLI

prowler aws --checks rds_instance_enhanced_monitoring_enabled

Recommendation

Enable Enhanced Monitoring on RDS with a collection interval greater than 0 seconds, chosen to match the workload and the cost of the extra CloudWatch Logs volume. Assign a least-privilege IAM role for log delivery, and apply defense in depth by centralizing the logs, alerting on key OS metrics, and defining a retention period that supports incident response and trend analysis.

Remediation

CLI

aws rds modify-db-instance --db-instance-identifier <example_resource_id> --monitoring-interval 60 --monitoring-role-arn <monitoring_role_arn>

Console (Other)
  1. In the AWS Console, go to RDS > Databases and select the DB instance
  2. Click Modify
  3. In Monitoring, check Enable Enhanced Monitoring and set Granularity to any non-zero value (e.g., 60 seconds)
  4. Set Monitoring role to Default (creates rds-monitoring-role) or select an existing role
  5. Click Continue, then Modify DB instance to apply
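The following Python script is an added example, not Prowler's own source code: it models the check's evaluation logic over a constructed sample shaped like the `DBInstances` list returned by `aws rds describe-db-instances`, and builds the `modify-db-instance` parameters that correspond to the CLI remediation above. The instance identifiers, ARNs and account id in the sample are made up; the `remediate_failing` helper only performs a dry run unless an RDS client is passed in.

```python
"""Offline model of the rds_instance_enhanced_monitoring_enabled check.

Added example (not Prowler's source). Evaluates describe-db-instances-shaped
records and prepares the remediation parameters from the CLI step above.
"""
from __future__ import annotations

from typing import Any

# Collection intervals RDS accepts for Enhanced Monitoring, in seconds; 0 disables it.
VALID_MONITORING_INTERVALS = {0, 1, 5, 10, 15, 30, 60}

# Constructed sample resembling the "DBInstances" list from describe-db-instances.
# Identifiers, ARNs and the account id are invented for this example.
SAMPLE_DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "orders-prod",
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:orders-prod",
        "MonitoringInterval": 60,
        "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role",
    },
    {
        "DBInstanceIdentifier": "reports-dev",
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:reports-dev",
        "MonitoringInterval": 0,
    },
    {
        # Some responses omit the key entirely; treat a missing value as disabled.
        "DBInstanceIdentifier": "legacy-app",
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:legacy-app",
    },
]


def evaluate_enhanced_monitoring(db_instances: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one PASS/FAIL finding per DB instance, following the check's intent."""
    findings = []
    for db in db_instances:
        db_id = db["DBInstanceIdentifier"]
        interval = db.get("MonitoringInterval") or 0  # None/0/missing all mean disabled
        if interval > 0:
            status = "PASS"
            extended = f"RDS Instance {db_id} has enhanced monitoring enabled (every {interval}s)."
        else:
            status = "FAIL"
            extended = f"RDS Instance {db_id} does not have enhanced monitoring enabled."
        findings.append({
            "resource_id": db_id,
            "resource_arn": db.get("DBInstanceArn", ""),
            "status": status,
            "status_extended": extended,
        })
    return findings


def build_remediation_params(db_id: str, monitoring_role_arn: str, interval: int = 60) -> dict[str, Any]:
    """Build the kwargs for rds.modify_db_instance matching the page's CLI command.

    The role must trust monitoring.rds.amazonaws.com and carry the
    AmazonRDSEnhancedMonitoringRole managed policy; otherwise the API call fails.
    """
    if interval not in VALID_MONITORING_INTERVALS or interval == 0:
        raise ValueError(f"interval must be one of {sorted(VALID_MONITORING_INTERVALS - {0})}, got {interval}")
    if not (monitoring_role_arn.startswith("arn:") and ":role/" in monitoring_role_arn):
        raise ValueError(f"not an IAM role ARN: {monitoring_role_arn!r}")
    return {
        "DBInstanceIdentifier": db_id,
        "MonitoringInterval": interval,
        "MonitoringRoleArn": monitoring_role_arn,
    }


def remediate_failing(findings: list[dict[str, str]], monitoring_role_arn: str,
                      interval: int = 60, rds_client: Any = None) -> list[dict[str, Any]]:
    """Prepare (and, if a boto3 RDS client is given, apply) remediation for FAIL findings.

    With rds_client=None this is a dry run that only returns the parameter sets.
    """
    applied = []
    for finding in findings:
        if finding["status"] != "FAIL":
            continue
        params = build_remediation_params(finding["resource_id"], monitoring_role_arn, interval)
        if rds_client is not None:
            rds_client.modify_db_instance(**params)  # same effect as the CLI remediation
        applied.append(params)
    return applied


if __name__ == "__main__":
    results = evaluate_enhanced_monitoring(SAMPLE_DB_INSTANCES)
    for r in results:
        print(f"{r['status']:4} {r['status_extended']}")
    # Dry run: show what modify-db-instance would be called with for each failing instance.
    for p in remediate_failing(results, "arn:aws:iam::123456789012:role/rds-monitoring-role"):
        print("would call modify_db_instance with", p)
```

To run it against a real account, replace `SAMPLE_DB_INSTANCES` with the `DBInstances` list from `boto3.client("rds").describe_db_instances()` (paginated) and pass that client as `rds_client`; the identifier `rds-monitoring-role` in the ARN is only the default name the console creates and should be swapped for the role actually used for log delivery.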

Resource Type

AwsRdsDbInstance