

# Monitor Amazon Aurora for instances without encryption
<a name="monitor-amazon-aurora-for-instances-without-encryption"></a>

*Mansi Suratwala, Amazon Web Services*

## Summary
<a name="monitor-amazon-aurora-for-instances-without-encryption-summary"></a>

This pattern provides an Amazon Web Services (AWS) CloudFormation template that you can deploy to set up automatic notifications when an Amazon Aurora instance is created without encryption turned on.

Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. With some workloads, Aurora can deliver up to five times the throughput of MySQL and up to three times the throughput of PostgreSQL without requiring changes to most of your existing applications.

The CloudFormation template creates an Amazon CloudWatch Events rule and an AWS Lambda function. The rule matches the AWS CloudTrail events for Aurora instance creation and for point-in-time restoration of an existing cluster. When such an event occurs, the rule invokes the Lambda function, which checks whether encryption at rest is enabled on the new resource. If encryption is not turned on, the Lambda function sends an Amazon Simple Notification Service (Amazon SNS) notification informing you of the violation.
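The following Lambda handler is an added illustration of the check described above; it is not the code in the pattern's attachment. It runs the rule's match and the encryption check against two constructed CloudTrail events. The event pattern, the `SNS_TOPIC_ARN` and `LOG_LEVEL` environment variable names, and the camelCase field names that CloudTrail uses for RDS `responseElements` (`storageEncrypted`, `dBInstanceIdentifier`, `dBClusterIdentifier`) are assumptions made here, not details taken from this page.

```python
import logging
import os

logger = logging.getLogger()
# The template's logging-level parameter (Info/Warning/Error) is assumed to reach
# the function as the LOG_LEVEL environment variable; upper() makes it a valid name.
logger.setLevel(os.environ.get("LOG_LEVEL", "INFO").upper())

# Event pattern the CloudWatch Events rule would carry (assumed shape; the
# attached template's actual pattern is not reproduced on this page).
EVENT_PATTERN = {
    "source": ["aws.rds"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["rds.amazonaws.com"],
        "eventName": ["CreateDBInstance", "RestoreDBClusterToPointInTime"],
    },
}

# Constructed sample events, shaped like CloudWatch Events' delivery of a
# CloudTrail API call. RDS responseElements use CloudTrail's camelCase names.
SAMPLE_UNENCRYPTED = {
    "source": "aws.rds", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"dBInstanceIdentifier": "aurora-demo-1", "engine": "aurora-mysql"},
        "responseElements": {"dBInstanceIdentifier": "aurora-demo-1", "dBClusterIdentifier": "aurora-demo",
                             "engine": "aurora-mysql", "storageEncrypted": False},
    },
}
SAMPLE_ENCRYPTED_RESTORE = {
    "source": "aws.rds", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "rds.amazonaws.com", "eventName": "RestoreDBClusterToPointInTime",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/dba"},
        "requestParameters": {"dBClusterIdentifier": "aurora-restored"},
        "responseElements": {"dBClusterIdentifier": "aurora-restored",
                             "engine": "aurora-postgresql", "storageEncrypted": True},
    },
}


def matches_rule(event, pattern=EVENT_PATTERN):
    # Rule semantics for plain string lists: every pattern key must be present
    # and each leaf value must be one of the listed strings.
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not matches_rule(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def evaluate(event):
    """Return a finding dict for an unencrypted Aurora create/restore, else None."""
    if not matches_rule(event):
        return None
    detail = event["detail"]
    if detail.get("errorCode"):
        return None  # the API call failed, so nothing was created
    resp = detail.get("responseElements") or {}
    engine = resp.get("engine") or (detail.get("requestParameters") or {}).get("engine", "")
    if not engine.startswith("aurora"):
        return None  # the pattern is scoped to Aurora; other RDS engines are ignored
    # A missing flag is treated as unencrypted so that it is surfaced rather than hidden.
    if resp.get("storageEncrypted") is True:
        return None
    return {
        "eventName": detail["eventName"],
        "identifier": resp.get("dBInstanceIdentifier") or resp.get("dBClusterIdentifier"),
        "region": detail.get("awsRegion"),
        "principal": (detail.get("userIdentity") or {}).get("arn"),
        "storageEncrypted": resp.get("storageEncrypted", "absent"),
    }


def format_message(finding):
    return "\n".join(["Aurora encryption-at-rest violation"] + [f"{k}: {v}" for k, v in finding.items()])


def lambda_handler(event, context, publish=None):
    """Lambda entry point. `publish` is injectable for offline use; by default
    it publishes to the topic in SNS_TOPIC_ARN (assumed environment variable)."""
    finding = evaluate(event)
    if finding is None:
        logger.info("no violation: %s", (event.get("detail") or {}).get("eventName"))
        return {"violation": False}
    if publish is None:
        import boto3  # imported lazily so the module loads without the SDK
        sns, topic = boto3.client("sns"), os.environ["SNS_TOPIC_ARN"]
        publish = lambda msg: sns.publish(TopicArn=topic, Subject="Unencrypted Aurora resource", Message=msg)
    publish(format_message(finding))
    logger.warning("violation: %s", finding)
    return {"violation": True, "finding": finding}
```

Offline, `lambda_handler(SAMPLE_UNENCRYPTED, None, publish=print)` prints the notification that would go to SNS; deployed, the function's execution role needs `sns:Publish` on the topic. Failed API calls carry an `errorCode` and are skipped because nothing was created, and a missing `storageEncrypted` flag is reported rather than ignored, trading a possible false positive for never silently missing an unencrypted cluster.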

## Prerequisites and limitations
<a name="monitor-amazon-aurora-for-instances-without-encryption-prereqs"></a>

**Prerequisites**
+ An active AWS account
+ AWS CloudTrail turned on in each Region that you monitor, with a trail that records management events. CloudWatch Events can match `AWS API Call via CloudTrail` events only while CloudTrail is recording those calls.

**Limitations**
+ This service control works with Amazon Aurora instances only. It does not support other Amazon Relational Database Service (Amazon RDS) instances.
+ The CloudFormation template monitors the `CreateDBInstance` and `RestoreDBClusterToPointInTime` API calls only. Aurora applies encryption at the DB cluster level, so clusters created or restored through other calls (for example, `CreateDBCluster`, `RestoreDBClusterFromSnapshot`, or `RestoreDBClusterFromS3`) are not checked unless you extend the CloudWatch Events rule to include them.

**Product versions**
+ PostgreSQL versions that are supported in Amazon Aurora
+ MySQL versions that are supported in Amazon Aurora

## Architecture
<a name="monitor-amazon-aurora-for-instances-without-encryption-architecture"></a>

**Target technology stack**
+ Amazon Aurora
+ AWS CloudTrail
+ Amazon CloudWatch
+ AWS Lambda
+ Amazon Simple Storage Service (Amazon S3)
+ Amazon SNS

**Target architecture**

![\[Aurora launch without encryption invoking CloudTrail, CloudWatch Events, Lambda, and an SNS message.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/de1528b8-a5a4-4c66-8ab3-7d9863572cbc/images/7dcab41a-d805-4bb0-99d1-1dcef37c4e55.png)


**Automation and scale**

You can deploy the CloudFormation template in multiple Regions and accounts. Because the CloudWatch Events rule and the Lambda function are Regional resources, deploy the template once in each Region of each account that you want to monitor.

## Tools
<a name="monitor-amazon-aurora-for-instances-without-encryption-tools"></a>

**Tools**
+ [Amazon Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html) – Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL.
+ [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) – AWS CloudTrail helps you manage governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, a role, or an AWS service are recorded as events in CloudTrail. 
+ [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html) – Amazon CloudWatch Events delivers a near-real-time stream of system events that describe changes in AWS resources. 
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) – AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. 
+ [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/gsg/GetStartedWithS3.html) – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that you can use for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.
+ [Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) – Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery using Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS). 

**Code**

A .zip file of the project is available as an attachment.

## Epics
<a name="monitor-amazon-aurora-for-instances-without-encryption-epics"></a>

### Create the S3 bucket for the Lambda script
<a name="create-the-s3-bucket-for-the-lambda-script"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Define the S3 bucket. | Open the Amazon S3 console, and choose or create an S3 bucket. This S3 bucket will host the Lambda code .zip file. The S3 bucket must be in the same Region as the Lambda function, that is, the Region where you deploy the CloudFormation template. The S3 bucket name cannot contain leading slashes. | Cloud architect | 

### Upload the Lambda code to the S3 bucket
<a name="upload-the-lambda-code-to-the-s3-bucket"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Upload the Lambda code. | Upload the Lambda code .zip file provided in the *Attachments* section to the S3 bucket that you defined. | Cloud architect | 

### Deploy the CloudFormation template
<a name="deploy-the-cloudformation-template"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Deploy the CloudFormation template. | On the CloudFormation console, deploy the `RDS_Aurora_Encryption_At_Rest.yml` CloudFormation template that's provided as an attachment to this pattern. In the next epic, provide values for the template parameters. | Cloud architect | 

### Complete the parameters in the CloudFormation template
<a name="complete-the-parameters-in-the-cloudformation-template"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Provide the S3 bucket name. | Enter the name of the S3 bucket that you created or chose in the first epic. | Cloud architect  | 
| Provide the S3 key. | Provide the location of the Lambda code .zip file in your S3 bucket, without leading slashes (for example, `<directory>/<file-name>.zip`). | Cloud architect  | 
| Provide an email address. | Provide an active email address to receive Amazon SNS notifications. | Cloud architect  | 
| Define the logging level. | Define the logging level for your Lambda function. `Info` designates detailed informational messages on the application's progress. `Warning` designates potentially harmful situations. `Error` designates error events that could still allow the application to continue running. | Cloud architect | 

### Confirm the subscription
<a name="confirm-the-subscription"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Confirm the subscription. | When the template successfully deploys, it sends a subscription email message to the email address that you provided. To receive notifications, you must confirm this email subscription; until you do, the Lambda function still publishes violations to the topic, but no email is delivered. | Cloud architect | 

## Related resources
<a name="monitor-amazon-aurora-for-instances-without-encryption-resources"></a>
+ [Creating an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html)
+ [Uploading files to an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/upload-objects.html) 
+ [Creating an Amazon Aurora DB cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html)
+ [Creating a CloudWatch Events rule that triggers on an AWS API call using AWS CloudTrail](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-CloudTrail-Rule.html)

## Attachments
<a name="attachments-de1528b8-a5a4-4c66-8ab3-7d9863572cbc"></a>

To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/de1528b8-a5a4-4c66-8ab3-7d9863572cbc/attachments/attachment.zip)