Enforce automatic tagging of Amazon RDS databases at launch
Environment: Production | Technologies: Databases; CloudNative; Security, identity, compliance | AWS services: Amazon RDS; Amazon SNS; AWS CloudTrail; Amazon CloudWatch |
Summary
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the Amazon Web Services (AWS) Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.
You can use tagging to categorize your AWS resources in different ways. Relational database tagging is useful when you have many resources in your account and you want to quickly identify a specific resource based on the tags. You can use Amazon RDS tags to add custom metadata to your RDS DB instances. A tag consists of a user-defined key and value. We recommend that you create a consistent set of tags to meet your organization's requirements.
This pattern provides an AWS CloudFormation template to help you monitor and tag RDS DB instances. The template creates an Amazon CloudWatch Events event that watches for the AWS CloudTrail CreateDBInstance event. (CloudTrail captures API calls for Amazon RDS as events.) When it detects this event, it calls an AWS Lambda function that automatically applies tag keys and values that you define. The template also sends out a notification that the instance has been tagged, by using Amazon Simple Notification Service (Amazon SNS).
Prerequisites and limitations
Prerequisites
An active AWS account.
An Amazon Simple Storage Service (Amazon S3) bucket to upload the Lambda code.
An email address where you would like to receive tagging notifications.
Limitations
The solution supports CloudTrail CreateDBInstance events. It does not create notifications for any other events.
Architecture
Workflow architecture
Automation and scale
You can use the AWS CloudFormation template multiple times for different AWS Regions and accounts. You need to run the template only once in each Region or account.
Tools
AWS services
AWS CloudTrail – AWS CloudTrail is an AWS service that helps you with governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
Amazon CloudWatch Events – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. CloudWatch Events becomes aware of operational changes as they occur and takes corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information.
AWS Lambda – AWS Lambda is a compute service that supports running code without needing to provision or manage servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code is not running.
Amazon S3 – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that can be used for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.
Amazon SNS – Amazon Simple Notification Service (Amazon SNS) is a web service that enables applications, end-users, and devices to instantly send and receive notifications from the cloud.
Code
This pattern includes an attachment with two files:
index.zipis a compressed file that includes the Lambda code for this pattern.rds.yamlis a CloudFormation template that deploys the Lambda code.
See the Epics section for information about how to use these files.
Epics
| Task | Description | Skills required |
|---|---|---|
| Upload the code to an S3 bucket. | Create a new S3 bucket or use an existing S3 bucket to upload the attached | Cloud architect |
| Deploy the CloudFormation template. | Open the Cloudformation console in the same AWS Region as the S3 bucket, and deploy the | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| Provide the S3 bucket name. | Enter the name of the S3 bucket that you created or selected in the first epic. This S3 bucket contains the .zip file for the Lambda code and must be in the same AWS Region as the CloudFormation template and the RDS DB instances that you want to monitor. | Cloud architect |
| Provide the S3 key. | Provide the location of the Lambda code .zip file in your S3 bucket, without leading slashes (for example, | Cloud architect |
| Provide an email address. | Provide an active email address where you want to receive violation notifications. | Cloud architect |
| Specify a logging level. | Specify the logging level and verbosity. | Cloud architect |
| Enter the tag keys and values for your RDS DB instances. | Enter the required tag keys and values that you want to automatically apply to the RDS instance. For more information, see Tagging Amazon RDS resources in the AWS documentation. | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
| Confirm the email subscription. | When the CloudFormation template deploys successfully, it sends a subscription email message to the email address you provided. To receive notifications when your instances are tagged, you must confirm this email subscription. | Cloud architect |
Related resources
Creating a bucket (Amazon S3 documentation)
Tagging Amazon RDS resources (Amazon Aurora documentation)
Uploading objects (Amazon S3 documentation)
Creating a CloudWatch Events rule that triggers on an AWS API call using AWS CloudTrail (Amazon CloudWatch documentation)
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip
