ASSOCIATED DRATA CONTROL
This test is part of the Databases Monitored and Alarmed control that ensures your company has implemented tools to monitor databases and notify appropriate personnel of any events or incidents, based on predetermined criteria.
WHAT TO DO IF A TEST FAILS
If Drata detects that database I/O utilization monitoring is not enabled, or that alerts have not been properly set up, the test will fail. When a test fails, you will receive a list of databases that lack I/O monitoring or administrative alerts.
To remediate a failed test, set up and configure monitoring for database I/O utilization so that each database is monitored and alerts are sent to DB admins in the event of an incident.
STEPS FOR PASSING
To ensure a validated state when testing for monitoring of the database read I/O, follow the steps listed below for your provider. Once the provider steps have been completed, navigate back to Drata and execute the test.
NOTE: If you are using the Datadog integration for this test, please see this help article for the metrics to be used.
AWS - DocDB
Database Creation
Within AWS, go to the DocDB service.
Create a DocDB cluster.
Alarm Creation
Go to CloudWatch service.
Click on Create CloudWatch Alarm.
Click on Select Metric.
Click on DocDB.
Click on Instance Metrics.
Search for "ReadIOPS".
Click on the checkbox for DB.
Conditions - Static -> Greater -> than 10000. (10000 is an illustrative example; choose a value that makes sense for your setup.)
Click on the Next button.
Select an SNS topic.
Click on the Next button.
Enter a name.
Click on the Next button.
Click on the Create alarm button.
Subscription Confirmation
The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.
Go to SNS and select Subscriptions.
Click "Create subscription" and reference the newly created topic for the Topic ARN.
For Protocol select Email.
For Endpoint enter an email address, generally a monitored team inbox.
Click "Create subscription" and verify the email that was sent to your provided inbox.
Alternatively:
Go to SNS and select Topics.
Click the topic name created with the alarm.
Under the Subscriptions banner, click the radio button for the topic's subscription.
Click "Confirm subscription" and verify the email that was sent to your provided inbox.
Note: You may also need to perform this check within Cluster Metrics on DocDB. Ensure that the conditions for DocDB cluster are Static -> Greater -> than 10000 (as an example).
AWS - RDS
For RDS Aurora MySQL (including Serverless v1 and v2), use SelectThroughput. For RDS Aurora PostgreSQL, and for RDS MySQL, use ReadIOPS.
Database Creation
Within AWS, go to the RDS service.
Click on Create database button.
Click on Standard create.
Engine options - select any engine.
Select a template.
Set a DB instance identifier.
Credentials settings - click on "Auto generate a password".
Set a DB instance size.
Availability & durability - Multi-AZ deployment - Do not create a standby instance
Click on Create database button.
Alarm Creation - Database Instance
Go to CloudWatch service.
Click on Create CloudWatch Alarm.
Click on Select Metric.
Click on RDS.
Click on Per-Database Metrics.
Search for "ReadIOPS" on Aurora PostgreSQL, or "SelectThroughput" on Aurora MySQL.
Click on the checkbox for DB.
Conditions - Static -> Greater -> than 10000. (10000 is an illustrative example; choose a value that makes sense for your setup.)
Click on the Next button.
Select an SNS topic.
Click on the Next button.
Enter a name.
Click on the Next button.
Click on the Create alarm button.
Alarm Creation - Database Cluster
Go to CloudWatch service.
Click on Create CloudWatch Alarm.
Click on Select Metric.
Click on RDS.
Click on DBClusterIdentifier Metrics.
Search for "ReadIOPS" on Aurora PostgreSQL, or "SelectThroughput" on Aurora MySQL.
Click on the checkbox for DB cluster name.
Conditions - Static -> Greater -> than 10 (units are in percentages). (10 is an illustrative example; choose a value that makes sense for your setup.)
Click on the Next button.
Select an SNS topic.
Click on the Next button.
Enter a name.
Click on the Next button.
Click on the Create alarm button.
Subscription Confirmation
The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.
Go to SNS and select Subscriptions.
Click "Create subscription" and reference the newly created topic for the Topic ARN.
For Protocol select Email.
For Endpoint enter an email address, generally a monitored team inbox.
Click "Create subscription" and verify the email that was sent to your provided inbox.
Alternatively:
Go to SNS and select Topics.
Click the topic name created with the alarm.
Under the Subscriptions banner, click the radio button for the topic's subscription.
Click "Confirm subscription" and verify the email that was sent to your provided inbox.
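The DocDB and RDS steps above describe the same alarm in two forms: a CloudWatch alarm on the engine's read-I/O metric whose action is an SNS topic with a confirmed subscription. The following Python is an added example, not Drata's code, showing how that alarm maps onto the boto3 `put_metric_alarm` parameters and how an account can be audited for databases that would fail the test (no alarm on the right metric, or an alarm whose topic has only a pending subscription). The database identifiers, topic ARNs, account ID and subscription records are constructed sample data, and the 10000 threshold is the illustrative value from the steps, not a recommendation.

```python
"""Added example (not Drata's code): build the CloudWatch read-I/O alarm from
the DocDB and RDS steps above, and audit a set of databases for ones that lack
such an alarm. Every AWS response below is a constructed sample."""

# Metric per engine, as the page states: Aurora MySQL uses SelectThroughput;
# Aurora PostgreSQL, RDS MySQL and DocDB use ReadIOPS.
READ_IO_METRIC = {
    "aurora-mysql": ("AWS/RDS", "SelectThroughput"),
    "aurora-postgresql": ("AWS/RDS", "ReadIOPS"),
    "mysql": ("AWS/RDS", "ReadIOPS"),
    "docdb": ("AWS/DocDB", "ReadIOPS"),
}


def read_io_alarm_params(engine, db_id, topic_arn, threshold=10000, cluster=False):
    """Return keyword arguments for boto3's cloudwatch.put_metric_alarm(**params).

    threshold=10000 mirrors the illustrative value in the steps above.
    cluster=True targets the DBClusterIdentifier dimension (the "DB cluster"
    alarm) instead of the per-instance DBInstanceIdentifier dimension.
    """
    namespace, metric = READ_IO_METRIC[engine]
    dimension = "DBClusterIdentifier" if cluster else "DBInstanceIdentifier"
    return {
        "AlarmName": f"{db_id}-{metric}-high",
        "Namespace": namespace,
        "MetricName": metric,
        "Dimensions": [{"Name": dimension, "Value": db_id}],
        "Statistic": "Average",
        "Period": 300,  # 5-minute datapoints
        "EvaluationPeriods": 1,
        "Threshold": float(threshold),
        "ComparisonOperator": "GreaterThanThreshold",  # "Static -> Greater than"
        "AlarmActions": [topic_arn],  # the SNS topic selected in the wizard
        "ActionsEnabled": True,
    }


def confirmed_topics(subscriptions_by_topic):
    """Return the topic ARNs that have at least one confirmed subscription.
    SNS reports an unconfirmed subscription with SubscriptionArn set to the
    literal string "PendingConfirmation"."""
    return {
        arn for arn, subs in subscriptions_by_topic.items()
        if any(s["SubscriptionArn"] != "PendingConfirmation" for s in subs)
    }


def audit_read_io_alarms(db_instances, alarms, subscriptions_by_topic):
    """Return identifiers of databases that would fail the test: no enabled
    alarm on the engine's read-I/O metric for that instance, or an alarm whose
    SNS topic has no confirmed subscription."""
    ok_topics = confirmed_topics(subscriptions_by_topic)
    failing = []
    for db in db_instances:
        namespace, metric = READ_IO_METRIC[db["Engine"]]
        wanted_dim = {"Name": "DBInstanceIdentifier", "Value": db["DBInstanceIdentifier"]}
        covered = any(
            a["Namespace"] == namespace
            and a["MetricName"] == metric
            and a.get("ActionsEnabled", True)
            and wanted_dim in a["Dimensions"]
            and any(action in ok_topics for action in a.get("AlarmActions", []))
            for a in alarms
        )
        if not covered:
            failing.append(db["DBInstanceIdentifier"])
    return failing


# Constructed sample data (account ID and ARNs are placeholders).
TOPIC_OK = "arn:aws:sns:us-east-1:123456789012:db-alerts"
TOPIC_PENDING = "arn:aws:sns:us-east-1:123456789012:db-alerts-unconfirmed"

SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-aurora-mysql", "Engine": "aurora-mysql"},
    {"DBInstanceIdentifier": "analytics-pg", "Engine": "aurora-postgresql"},
    {"DBInstanceIdentifier": "legacy-mysql", "Engine": "mysql"},
]

# Shaped like the MetricAlarms entries returned by describe_alarms().
SAMPLE_ALARMS = [
    read_io_alarm_params("aurora-mysql", "orders-aurora-mysql", TOPIC_OK),
    read_io_alarm_params("aurora-postgresql", "analytics-pg", TOPIC_PENDING),
]

# Shaped like list_subscriptions_by_topic() output, keyed by topic ARN.
SAMPLE_SUBSCRIPTIONS = {
    TOPIC_OK: [{"Protocol": "email", "Endpoint": "dba-team@example.com",
                "SubscriptionArn": TOPIC_OK + ":0c1f2e3d-sample"}],
    TOPIC_PENDING: [{"Protocol": "email", "Endpoint": "dba-team@example.com",
                     "SubscriptionArn": "PendingConfirmation"}],
}

if __name__ == "__main__":
    print("Databases failing the read-I/O alarm check:",
          audit_read_io_alarms(SAMPLE_DB_INSTANCES, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS))
```

Against the sample data, `orders-aurora-mysql` passes, `analytics-pg` fails because its topic subscription was never confirmed (the condition the Subscription Confirmation steps exist to fix), and `legacy-mysql` fails because it has no alarm at all. To run the audit for real, replace the three sample structures with the results of `describe_db_instances`, `describe_alarms` and `list_subscriptions_by_topic` from boto3.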
Azure - MariaDB and MySQL
When creating your alert rule, use whichever metric your environment exposes:
io_consumption_percent
physical_data_read_percent
iops
read_iops
io_bytes_read
Create a MariaDB or MySQL server.
Create an alert rule for "IO Percent".
Add an action to the alert rule.
Ensure target resource type is set.
Ensure target resource region is set.
Save changes.
Azure - PostgreSQL (Single Server and Flexible Server)
Test 114 supports both Azure PostgreSQL Single Servers (servers) and Flexible Servers (flexibleServers). The same accepted metric names apply to both resource types.
When creating your alert rule, use whichever metric your environment exposes:
io_consumption_percent
physical_data_read_percent
iops
read_iops
io_bytes_read
Create an Azure Database for PostgreSQL server (Single Server or Flexible Server).
Create an alert rule using any of the accepted metric names listed above.
Add an action to the alert rule.
Set the target resource type if applicable.
Set the target resource region if applicable.
Save changes.
Azure - SQL
Create an Azure SQL Server.
Create an SQL Database on that server.
Create an alert rule on that database for "Data IO Percentage".
Add an action to the alert rule.
Ensure target resource type is set.
Ensure target resource region is set.
Save changes.
Azure - SQL Managed Instance
Create a SQL Managed Instance.
Create at least one managed DB under it.
Create an alert rule on the SQL Managed Instance (not the lower level DB) for "IO bytes read".
Add an action to the alert rule.
Ensure target resource type is set.
Ensure target resource region is set.
Save changes.
Azure MySQL Flexible Servers
Create a flexible server.
Create an alert rule for either "IOPS" or "Read IOPS".
Add an action to the alert rule.
Ensure target resource type is set.
Ensure target resource region is set.
Save changes.
GCP - SQL
Database Creation
Within GCP, go to the SQL service.
Create an instance.
Click on a database engine.
Enter an Instance ID.
Set a password for the root user.
Select a Region.
Select any Zone.
Select a Database version.
Click on Show configuration options.
Open the "Backups, recovery, and high availability" section. Make sure to click on Automate backups.
Open the "Machine type and storage" section. Select a machine size.
Disable "Enable automatic storage increases".
Click on Create button.
Alert Creation
Navigate to the GCP Monitoring service.
On the left menu click on "Alerting".
Click on "Create policy" button.
On the "Create alerting policy" form click on Add Condition.
In the "Find resource type and metric", search for SQL.
Click on Disk read IO.
Set a resource type: Cloud SQL Database.
Metric: Disk read IO. (For the resource type and metric selection steps above, by default the GCP alert UI may only show "Active" metrics; you may need to turn that toggle off to see the required option.)
In the configuration add a value for Threshold: 10000. (10000 is an illustrative example; choose a value that makes sense for your setup.)
Click the ADD button.
Under Alert Details, assign an active Notification Channel (any except mobile cloud console will work).
Click on Next button.
Enter an Alert name.
Click on Save button.
