Triage AWS RDS DB Instances should have performance insights enabled PERFORMANCE_INSIGHTS_NOT_ENABLED

Why should I care about fixing this issue?

To get started on understanding RDS performance insights, read our use-case page.

What is the data source for this policy?

This policy relies on a call to rds:DescribeDBInstances. If the PerformanceInsightsEnabled property in the response is not true, the policy opens a violation.

Does this policy scan on a schedule? If so, when?

No, it's triggered when changes to matching resources are detected.

How do I enable performance insights using AWS Console?

See the console instructions on Turning Performance Insights on and off.

How do I enable performance insights using CloudFormation?

  1. On the AWS::RDS::DBInstance set EnablePerformanceInsights to true.
  2. On the AWS::RDS::DBInstance set PerformanceInsightsRetentionPeriod to a valid number of days (defaults to 7, valid values are 7, 731, or a multiple of 31).
  3. On the AWS::RDS::DBInstance set PerformanceInsightsKMSKeyId to the key ARN, key ID, alias ARN, or alias name for the KMS key (defaults to your AWS account default KMS key).

Here is a CloudFormation template example:

ExampleDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    # ...
    EnablePerformanceInsights: true
    PerformanceInsightsRetentionPeriod: 7
    PerformanceInsightsKMSKeyId: arn:aws:kms:us-east-1:111111111111:alias/example-key

How do I enable performance insights using Terraform?

  1. On the aws_db_instance set performance_insights_enabled to true.
  2. On the aws_db_instance set performance_insights_retention_period to a valid number of days (defaults to 7, valid values are 7, 731, or a multiple of 31).
  3. On the aws_db_instance set performance_insights_kms_key_id to the key ARN, key ID, alias ARN, or alias name for the KMS key (defaults to your AWS account default KMS key).

Here is a Terraform example:

resource "aws_db_instance" "example_db_instance" {
  # ...
  performance_insights_enabled          = true
  performance_insights_retention_period = 7
  performance_insights_kms_key_id       = "arn:aws:kms:us-east-1:111111111111:alias/example-key"
}

How do I enable performance insights using AWS CLI?

See the CLI instructions on Turning Performance Insights on and off.
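
To see which instances the policy would flag before or after a change, the check from the data-source question can be reproduced over rds:DescribeDBInstances output. This is an added example, not the policy's own code: the sample pages and instance names are constructed, and the retention check applies the valid values listed in the CloudFormation and Terraform steps, which the page does not say the policy evaluates.

```python
"""Reproduce the PERFORMANCE_INSIGHTS_NOT_ENABLED check on DescribeDBInstances output."""

# Constructed sample pages shaped like rds:DescribeDBInstances responses.
SAMPLE_PAGES = [
    {"DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "PerformanceInsightsEnabled": True,
         "PerformanceInsightsRetentionPeriod": 7},
        {"DBInstanceIdentifier": "legacy-db", "PerformanceInsightsEnabled": False},
    ], "Marker": "constructed-marker"},
    {"DBInstances": [
        {"DBInstanceIdentifier": "reports-db"},  # property absent from the response
        {"DBInstanceIdentifier": "audit-db", "PerformanceInsightsEnabled": True,
         "PerformanceInsightsRetentionPeriod": 30},
    ]},
]


def retention_is_valid(days):
    """Valid values as listed on this page: 7, 731, or a multiple of 31."""
    return isinstance(days, int) and days > 0 and (days in (7, 731) or days % 31 == 0)


def audit(pages):
    """Return (violations, retention_warnings) as lists of instance identifiers."""
    violations, retention_warnings = [], []
    for page in pages:
        for db in page.get("DBInstances", []):
            name = db["DBInstanceIdentifier"]
            # A violation is opened when the property is not true,
            # which covers both False and a missing key.
            if db.get("PerformanceInsightsEnabled") is not True:
                violations.append(name)
            elif not retention_is_valid(db.get("PerformanceInsightsRetentionPeriod")):
                # Extra check added here; not stated to be part of the policy.
                retention_warnings.append(name)
    return violations, retention_warnings


if __name__ == "__main__":
    # With credentials, the pages could instead come from boto3:
    #   boto3.client("rds").get_paginator("describe_db_instances").paginate()
    violations, warnings = audit(SAMPLE_PAGES)
    print("PERFORMANCE_INSIGHTS_NOT_ENABLED:", violations)
    print("enabled, unexpected retention period:", warnings)
```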

When is it appropriate to mark this violation as "by design"?

To get started on understanding RDS performance insights, read our use-case page.