diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..6d3d17d
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,26 @@
+resource "aws_iam_role" "rds_enhanced_monitoring" {
+ count = var.enhanced_monitoring ? 1 : 0
+ name = "${var.identifier}-rds-enhanced-monitoring"
+ assume_role_policy = data.aws_iam_policy_document.rds_enhanced_monitoring.json
+}
+
+resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
+ count = var.enhanced_monitoring ? 1 : 0
+ role = aws_iam_role.rds_enhanced_monitoring[0].name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
+
+data "aws_iam_policy_document" "rds_enhanced_monitoring" {
+ statement {
+ actions = [
+ "sts:AssumeRole",
+ ]
+
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["monitoring.rds.amazonaws.com"]
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index 4206e69..8c4232d 100644
--- a/main.tf
+++ b/main.tf
@@ -41,6 +41,7 @@ resource "aws_db_instance" "default" {
 username = var.master_username
 password = local.password
 monitoring_interval = var.enhanced_monitoring ? 60 : 0
+ monitoring_role_arn = var.enhanced_monitoring ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
 maintenance_window = "mon:02:00-mon:03:30"
 backup_window = "03:30-05:00"
 backup_retention_period = 14
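Review bot: The trust policy in `data "aws_iam_policy_document" "rds_enhanced_monitoring"` lets `monitoring.rds.amazonaws.com` assume the role with no condition, so any RDS instance in any account that the service acts on behalf of can satisfy the trust; AWS's standard cross-service confused-deputy mitigation is to scope the statement with an `aws:SourceAccount` (and optionally `aws:SourceArn`) condition so only resources in this account can trigger the assumption. The role only carries the managed `AmazonRDSEnhancedMonitoringRole` permissions, so the blast radius is limited to CloudWatch Logs writes, but the condition is cheap and is the documented pattern for service roles. Separately, the managed-policy ARN on the attachment hard-codes the `aws` partition; `data "aws_partition"` would keep the module working in non-commercial partitions. A short comment on the data block explaining why the condition is present would help the next maintainer.
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "rds_enhanced_monitoring" {
  statement {
    # … unchanged: actions, effect, principals …

    # Confused-deputy guard: only RDS resources in this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```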