Ensure RDS log export is enabled with Postgres engine

Description

Ensures that audit log export is enabled on an AWS RDS for Postgres database instance.

Rationale

Enabling CloudWatch log export for a database is important because it allows for easy analysis of the database logs.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      postgres

Default Rule

const { isAwsRds } = aws
const { isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the database instance has postgresql log export enabled
 */
function validate(databaseSettings) {
    const success = isAwsRds(databaseSettings) &&
        !isEmptyArray(databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.cloudwatchLogs) &&
        databaseSettings.awsDatabaseInstance.rdsDatabaseInstance.cloudwatchLogs.includes("postgresql")

    return {
        success,
    }
}

validate(databaseSettings)
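
The same check can be run directly against the JSON returned by `aws rds describe-db-instances`. The block below is an added example, not part of the rule or the product's own code; the function name `auditPostgresLogExport` and the sample response are constructed for illustration, and an absent `EnabledCloudwatchLogsExports` field is treated as an empty list.

```javascript
// Added example. Sample data is constructed, shaped like the output of
// `aws rds describe-db-instances` (DBInstances[].Engine,
// DBInstances[].EnabledCloudwatchLogsExports).
const sampleResponse = {
  DBInstances: [
    { DBInstanceIdentifier: "orders-db", Engine: "postgres",
      EnabledCloudwatchLogsExports: ["postgresql", "upgrade"] },
    // Only the upgrade log is exported: the list is not empty, but the
    // rule still fails because "postgresql" is missing.
    { DBInstanceIdentifier: "billing-db", Engine: "postgres",
      EnabledCloudwatchLogsExports: ["upgrade"] },
    // Field absent: handled as "no log types exported".
    { DBInstanceIdentifier: "legacy-db", Engine: "postgres" },
    // Different engine: out of scope for this rule.
    { DBInstanceIdentifier: "cms-db", Engine: "mysql",
      EnabledCloudwatchLogsExports: ["error"] },
  ],
};

// Hypothetical helper: returns one finding per Postgres instance, using the
// same pass condition as the rule (the export list includes "postgresql").
function auditPostgresLogExport(response) {
  const findings = [];
  for (const instance of (response && response.DBInstances) || []) {
    if (instance.Engine !== "postgres") continue;
    const enabled = Array.isArray(instance.EnabledCloudwatchLogsExports)
      ? instance.EnabledCloudwatchLogsExports
      : [];
    findings.push({
      id: instance.DBInstanceIdentifier,
      success: enabled.includes("postgresql"),
      enabledLogTypes: enabled,
    });
  }
  return findings;
}

// Hypothetical helper: identifiers of the instances that fail the check.
function failingInstances(response) {
  return auditPostgresLogExport(response)
    .filter((finding) => !finding.success)
    .map((finding) => finding.id);
}

console.log(failingInstances(sampleResponse));
```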