Database logging should be enabled
Severity: Medium
Resource Types: AWS::RDS::DBInstance
Description
This control checks whether the following logs of Amazon RDS are enabled and sent to CloudWatch Logs:
- Oracle: (Alert, Audit, Trace, Listener)
- PostgreSQL: (Postgresql, Upgrade)
- MySQL: (Audit, Error, General, SlowQuery)
- MariaDB: (Audit, Error, General, SlowQuery)
- SQL Server: (Error, Agent)
- Aurora: (Audit, Error, General, SlowQuery)
- Aurora-MySQL: (Audit, Error, General, SlowQuery)
- Aurora-PostgreSQL: (Postgresql, Upgrade).
RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.
Remediation
Logging options are contained in the DB parameter group associated with the RDS DB cluster or instance. To enable logging when the default parameter group for the database engine is used, you must create a new DB parameter group that has the required parameter values. You must then associate the customer DB parameter group with the DB cluster or instance.
To enable and publish MariaDB, MySQL, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console, set the following parameters in a custom DB Parameter Group:
MariaDB
general_log
= 1slow_query_log
= 1log_output
= FILE
MySQL
general_log
= 1slow_query_log
= 1log_output
= FILE
PostgreSQL
log_statement
= alllog_min_duration_statement
= minimum query duration (ms) to log
To create a custom DB parameter group
- Open the Amazon RDS console.
- In the navigation pane, choose
Parameter groups
. - Choose
Create parameter group
. The Create parameter group window appears. - In the Parameter group family list, choose a DB parameter group family.
- In the
Type
list, chooseDB Parameter Group
. - In
Group name
, enter the name of the new DB parameter group. - In
Description
, enter a description for the new DB parameter group. - Choose
Create
.
To create a new option group for MariaDB logging by using the console
- Open the Amazon RDS console.
- In the navigation pane, choose
Option groups
. - Choose
Create group
. - In the
Create option group
window, do the following:- For Name, type a name for the option group that is unique within your AWS account. The name can contain only letters, digits, and hyphens.
- For Description, type a brief description of the option group. The description is used for display purposes.
- For Engine, choose the DB engine that you want.
- For Major engine version, choose the major version of the DB engine that you want.
- To continue, choose
Create
. - Choose the name of the option group you just created.
- Choose
Add option
. - Choose
MARIADB_AUDIT_PLUGIN
from theOption name
list. - Set
SERVER_AUDIT_EVENTS
toCONNECT
,QUERY
,TABLE
,QUERY_DDL
,QUERY_DML
,QUERY_DCL
. - Choose
Add option
.
To publish SQL Server DB, Oracle DB, or PostgreSQL logs to CloudWatch Logs from the AWS Management Console
- Open the Amazon RDS console.
- In the navigation pane, choose
Databases
. - Choose the DB instance that you want to modify.
- Choose
Modify
. - Under
Log exports
, choose all of the log files to start publishing to CloudWatch Logs. Log exports
is available only for database engine versions that support publishing to CloudWatch Logs.- Choose
Continue
. Then on the summary page, chooseModify DB Instance
.
To apply a new DB parameter group or DB options group to an RDS DB instance
- Open the Amazon RDS console.
- In the navigation pane, choose
Databases
. - Choose the DB instance that you want to modify.
- Choose
Modify
. TheModify DB Instanc
e page appears. - Under
Database options
, change the DB parameter group and DB options group as needed. - When you finish you changes, choose
Continue
. Check the summary of modifications. - (Optional) Choose
Apply immediately
to apply the changes immediately. Choosing this option can cause an outage in some cases. For more information, see Using the Apply Immediately setting. - Choose
Modify DB Instance
to save your changes.