Ensure RDS log export is enabled with MySQL engine

Description

Ensures that audit log export is enabled on an AWS RDS for MySQL database instance.

Rationale

Enabling CloudWatch log export for a database is important because it allows the logs to be analyzed easily.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

const { isAwsRds } = aws
const { isEmptyArray } = module

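/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the database instance has MySQL audit log export enabled
 */
function validate(databaseSettings) {
    // Passes only for an AWS RDS instance whose CloudWatch log exports include "audit"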
    const success = isAwsRds(databaseSettings) &&
        !isEmptyArray(databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.cloudwatchLogs) &&
        databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.cloudwatchLogs.includes("audit")

    return {
        success,
    }
}

validate(databaseSettings)
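
The same check applied to the JSON returned by the AWS RDS DescribeDBInstances API across several instances, as an added example that is not part of this rule's own code. The function names and the sample response are constructed for illustration; the field names (`DBInstances`, `Engine`, `DBInstanceIdentifier`, `EnabledCloudwatchLogsExports`) are those of the AWS API response.

```javascript
// Added example: audit-log export check over DescribeDBInstances output.
// checkAuditLogExport and failingInstances are hypothetical helper names.

// Constructed sample response, not real infrastructure.
const sampleResponse = {
    DBInstances: [
        { DBInstanceIdentifier: "orders-db", Engine: "mysql",
          EnabledCloudwatchLogsExports: ["audit", "error"] },
        { DBInstanceIdentifier: "billing-db", Engine: "mysql",
          EnabledCloudwatchLogsExports: ["error", "slowquery"] },
        // No exports configured: the field can be absent entirely.
        { DBInstanceIdentifier: "legacy-db", Engine: "mysql" },
        // Non-MySQL engines are outside this rule's scope.
        { DBInstanceIdentifier: "reports-db", Engine: "postgres",
          EnabledCloudwatchLogsExports: ["postgresql"] },
    ],
}

/**
 * @param {Object} response - parsed DescribeDBInstances response
 * @returns {Array<{id: string, success: boolean, logTypes: string[]}>}
 */
function checkAuditLogExport(response) {
    const instances = Array.isArray(response && response.DBInstances)
        ? response.DBInstances : []
    return instances
        .filter((db) => db.Engine === "mysql")
        .map((db) => {
            // Treat a missing or malformed field as "no log types exported".
            const logTypes = Array.isArray(db.EnabledCloudwatchLogsExports)
                ? db.EnabledCloudwatchLogsExports : []
            return {
                id: db.DBInstanceIdentifier,
                success: logTypes.includes("audit"),
                logTypes,
            }
        })
}

/** @returns {string[]} identifiers of MySQL instances that fail the rule */
function failingInstances(response) {
    return checkAuditLogExport(response)
        .filter((result) => !result.success)
        .map((result) => result.id)
}

console.log(failingInstances(sampleResponse))
```

To run it against a real account, replace `sampleResponse` with the parsed JSON from `aws rds describe-db-instances --output json`.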