Enhanced monitoring role

โ“ What does it do?
๐Ÿ• In general, think of it as a special power. Usually by default AWS provides us some ways to monitor happenings in our RDS cluster. It could be RAM, CPU utilization, storage, etc. And time-period of monitoring these metrics could be of a minimum of 1 min and max up to a Day.

๐Ÿ• Tomorrow my firm gets supper big, it will need more resources to support our clients, more security, faster work and a lot more. Now, something crashes in my RDS cluster and logs or metrics of 1 min isn't sufficient enough for me to debug, and no way I wanna lose clients.

๐Ÿ• So, special power which I was talking about is providing me logs 1 sec to half of a second. Imagine how easier it will be for us to understand the responses and behavior of my application along with the RDS cluster and all request it is processing. It will help me to make a lot of sense out of the scenario. And that's why there is a need for such special power.

๐Ÿ• To conclude, enhanced monitoring can give per second logs with more granularity and much better metrics such as disk performance, requests pending in the network queue, how much time is it taking to process requests, lost time of connectivity, etc.

โ“ The user that enables Enhanced Monitoring needs PassRole...meaning?
๐Ÿ• it simply translates to if I am enabling enhanced monitoring, I should have those permissions.

โ“ Howโ€™s rds-monitoring-role different from service-linked-role for RDS? Whatโ€™re they doing?
๐Ÿ• rds-monitoring-role is an IAM role only for enhanced monitoring metrics. It means CPU % every 5 seconds, i/o reads every 5 seconds, etc. To have logs in a more granular way as much as possible in terms of seconds.
This role can be used by other services as well.

๐Ÿ• service-linked-role is a special role that can be used only by RDS service and canโ€™t be used by any other service. This role puts Logs to cloudwatch. And service linked role cant be created or can be added for RDS it always takes the default one.

โ“ ** Do multiple RDS clusters use the same IAM role? If yes do they mix up cloudwatch logs?**
๐Ÿ• Yes, same default rds-monitoring-role is used. I can use the same IAM role for multiple RDS clusters because policy remains the same or I can choose to duplicate them but I think it is unnecessarily redundant.

Nope, it doesn't mix up logs, because each RDS cluster has a different database_identifier, which is unique to us as well as behind the scenes of the RDS cluster. Using this, the role creates log groups in CloudWatch, e.g. /aws/rds/instance/database_identifier/slow_query_log

โ“ Created RDS cluster with custom RDS-monitoring role and then modified it with new role does it affect in any way? Because it shows me the following warning

rds-role-change

๐Ÿ• It means:
If you want to apply this change immediately, itโ€™ll be added to the queue of my todo list. Iโ€™ll do it without telling you when, but Iโ€™ll do it whenever Iโ€™ve got time. Also, if youโ€™ve other things in the todo list, Iโ€™ll finish them first and then come do this IAM role. So, if any of the things in todo requires downtime, Iโ€™ll end up causing downtime.
Youโ€™re good if you know thereโ€™s nothing in the queue.
You need to be careful if thereโ€™s something in the queue..
If thereโ€™s something that needs me to reboot, youโ€™re screwed up..haha..prepare for downtime.
๐Ÿ• Thus, if there are lists of changes to be modified in RDS....it will do in priority basis...meanwhile, if something is dependent for the role it will effect