Running RDS on AWS and want Zabbix to monitor it? Here’s the full setup — IAM role, cross-account assume, Zabbix config, and validation.
Useful when onboarding a new client or setting up monitoring for your own RDS instances across multiple AWS accounts.
Architecture
What we’re doing:
- Create IAM Policy + Role in target AWS account (where RDS lives)
- Allow Zabbix EC2 instance role to assume that role
- Configure AWS profile on Zabbix server
- Validate metrics via zabbix_get
- Create host in Zabbix with correct macros
1. Create IAM Policy & Role in Target Account
Go to IAM → Policies → Create Policy. Use this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ZabbixRDSMonitoring",
"Effect": "Allow",
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"rds:Describe*"
],
"Resource": "*"
}
]
}
Then create a Role with this trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::111111111111:assumed-role/zabbix-monitoring-role/i-xxxxxxxx"
},
"Action": "sts:AssumeRole"
}
]
}
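Replace 111111111111 with your Zabbix server’s AWS account number, zabbix-monitoring-role with the IAM role attached to your Zabbix EC2 instance, and i-xxxxxxxx with that instance’s ID. The session name of an EC2 instance role is the instance ID, so this principal matches only that one instance and the trust relationship has to be updated if the instance is replaced.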
Take note of the Role ARN — we need it later.
2. Update Zabbix EC2 Instance Role
Go to the AWS account where your Zabbix server runs. Edit the IAM policy attached to the Zabbix EC2 role and add an sts:AssumeRole permission whose resource is the new client role ARN.
This enables cross-account role assumption.
3. Update AWS Config on Zabbix Server
SSH into Zabbix server. Edit:
/var/lib/zabbix/.aws/config
Add a profile:
[profile client-rds-us-west-1]
role_arn = arn:aws:iam::<target_account_number>:role/zabbix-agent
region = us-west-1
credential_source = Ec2InstanceMetadata
Example:
[profile acme-rds-us-west-1]
role_arn = arn:aws:iam::222222222222:role/zabbix-agent
region = us-west-1
credential_source = Ec2InstanceMetadata
⚠️ Region must match where the RDS instance is deployed.
Restart agent:
systemctl restart zabbix-agent
4. Validate Metrics
Before creating the host, test that metrics are accessible:
docker exec -it zabbix-server zabbix_get -s <agent-ip> -p 10050 \
-k 'aws.rds.cpuutilization[300,DBInstanceIdentifier,rds-name,profile-name]'
Expected output:
{
"Datapoints": [
{
"Average": 7.44,
"Unit": "Percent"
}
],
"Label": "CPUUtilization"
}
If you get JSON with datapoints — role assumption is working.
If not, check:
- IAM policy permissions
- Trust relationship
- Role ARN in AWS config
- Region mismatch
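Three of these checks (trust relationship, role ARN in the AWS config, region) can be done offline against the files themselves before calling AWS. The script below is an added example, not part of the original setup; the function names `lint_profile` and `trusts` are hypothetical, the sample input is built from this page's placeholder values, and the trust check only recognises a role ARN or an assumed-role session ARN as principal.

```python
import configparser
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
def lint_profile(config_text, profile, rds_region, target_account):
    """Return a list of problems found in one profile of the AWS config file."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    section = f"profile {profile}"
    if section not in cfg:
        return [f"no [{section}] section"]
    p, problems = cfg[section], []
    m = ROLE_ARN.match(p.get("role_arn", ""))
    if not m:
        problems.append("role_arn missing or malformed")
    elif m.group(1) != target_account:
        problems.append(f"role_arn is in account {m.group(1)}, not {target_account}")
    if p.get("region") != rds_region:
        problems.append(f"region {p.get('region')} != RDS region {rds_region}")
    if p.get("credential_source") != "Ec2InstanceMetadata":
        problems.append("credential_source is not Ec2InstanceMetadata")
    return problems

def trusts(policy, account, role):
    """True if an Allow sts:AssumeRole statement names the role or a session of it."""
    role_arn = f"arn:aws:iam::{account}:role/{role}"
    session_prefix = f"arn:aws:sts::{account}:assumed-role/{role}/"
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        arns = [arns] if isinstance(arns, str) else arns
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            if any(a == role_arn or a.startswith(session_prefix) for a in arns):
                return True
    return False

# Constructed sample input: the placeholder values used on this page.
SAMPLE_CONFIG = """[profile acme-rds-us-west-1]
role_arn = arn:aws:iam::222222222222:role/zabbix-agent
region = us-west-1
credential_source = Ec2InstanceMetadata
"""
SAMPLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {
    "AWS": "arn:aws:sts::111111111111:assumed-role/zabbix-monitoring-role/i-xxxxxxxx"}}]}
if __name__ == "__main__":
    print(lint_profile(SAMPLE_CONFIG, "acme-rds-us-west-1", "us-west-1", "222222222222"))
    print(trusts(SAMPLE_TRUST, "111111111111", "zabbix-monitoring-role"))
```

An empty list from `lint_profile` and `True` from `trusts` mean the static pieces line up; IAM policy permissions still have to be confirmed with the zabbix_get call above.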
5. Create Host in Zabbix
Configuration → Hosts → Create Host
- Template: your RDS monitoring template (e.g. “Template AWS RDS”)
- Add Agent Interface
- Assign correct host group
Required Macros
| Macro | Description |
|---|---|
| {$AWS.RDS.BURST.CREDIT.BALANCE.MIN.WARN} | Burst credit warning threshold |
| {$AWS.RDS.CPU.UTIL.WARN.MAX} | CPU utilization warning threshold |
| {$IDENTIFIER} | DBInstanceIdentifier |
| {$PERIOD} | 300 (5 minutes) |
| {$PROFILE} | AWS profile name from config |
| {$RDSNAME} | RDS DB name |
Common Mistakes
- Region mismatch — profile region must match RDS region
- Wrong Role ARN — double check target account number
- Trust relationship missing — Zabbix EC2 role must be allowed to assume target role
- Agent not restarted — always restart after updating AWS config