
Export Audit Logs to CloudWatch

Description

In addition to viewing and downloading database logs, you can publish logs to Amazon CloudWatch Logs to allow real-time analysis of log data and to keep the data in durable storage. AWS retains log data published to CloudWatch Logs for an indefinite period unless you specify a retention period.

For more information, see the Amazon RDS Aurora logging documentation.

Rationale

Export Amazon RDS Aurora MySQL audit logs so that you have a record of activity events, such as successful and failed authentication attempts on your cluster, which is necessary for audit purposes. If the logs are not exported off the cluster, an attacker might be able to delete them.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                            Value
secureclouddb/provider         aws
secureclouddb/service          rds
secureclouddb/resource-type    cluster
secureclouddb/engine           mysql

Default Rule

// Helpers supplied in the rule's scope: isEmptyArray from the shared module,
// isAwsRdsCluster from the AWS helper namespace.
const { isEmptyArray } = module
const { isAwsRdsCluster } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the RDS cluster is exporting
 *   the audit log type to Amazon CloudWatch Logs
 */
function validate(databaseSettings) {
    const logType = "audit"
    // The resource must be an RDS cluster, must have at least one CloudWatch log
    // export configured, and "audit" must be among the exported log types.
    const success = isAwsRdsCluster(databaseSettings) &&
                    !isEmptyArray(databaseSettings.awsDatabaseInstance.rdsCluster.enabledCloudwatchLogsExports) &&
                    databaseSettings.awsDatabaseInstance.rdsCluster.enabledCloudwatchLogsExports.includes(logType)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
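The following is an added, stand-alone example and not part of the SecureCloudDB rule above. It re-implements the rule's check and goes beyond it in two ways: it accepts a list of required log types (the rule only requires "audit") and reports which ones are missing, and it builds the CloudwatchLogsExportConfiguration value that the RDS ModifyDBCluster API accepts to enable the missing exports. The isEmptyArray and isAwsRdsCluster helpers are assumed equivalents of the ones the rule imports, since this page does not show their bodies, and all settings objects are constructed sample data.

```javascript
// Added example (not SecureCloudDB's rule code). Re-implements the rule's check,
// generalised to a list of required log types, plus a remediation payload builder.

// Assumption: equivalent of the rule's isEmptyArray helper.
const isEmptyArray = (value) => !Array.isArray(value) || value.length === 0

// Assumption: the rule's isAwsRdsCluster accepts settings that describe an RDS cluster.
const isAwsRdsCluster = (settings) =>
    Boolean(settings && settings.awsDatabaseInstance && settings.awsDatabaseInstance.rdsCluster)

/**
 * Report which required CloudWatch log exports a cluster is missing.
 * @param {Object} databaseSettings - settings object in the shape the rule expects
 * @param {string[]} requiredLogTypes - log types that must be exported (default: the rule's "audit")
 * @returns {{success: boolean, missing: string[]}}
 */
function validateLogExports(databaseSettings, requiredLogTypes = ["audit"]) {
    if (!isAwsRdsCluster(databaseSettings)) {
        // Not a cluster: the rule would not pass it, so every required type counts as missing.
        return { success: false, missing: [...requiredLogTypes] }
    }
    const exported = databaseSettings.awsDatabaseInstance.rdsCluster.enabledCloudwatchLogsExports
    const enabled = isEmptyArray(exported) ? [] : exported
    const missing = requiredLogTypes.filter((logType) => !enabled.includes(logType))
    return { success: missing.length === 0, missing }
}

/**
 * Build the CloudwatchLogsExportConfiguration parameter for RDS ModifyDBCluster so that
 * only the missing log types are enabled and existing exports are left untouched.
 * @returns {{EnableLogTypes: string[]} | null} null when the cluster already complies
 */
function buildExportRemediation(databaseSettings, requiredLogTypes = ["audit"]) {
    const { missing } = validateLogExports(databaseSettings, requiredLogTypes)
    return missing.length === 0 ? null : { EnableLogTypes: missing }
}

// Constructed sample settings: a compliant cluster, one that exports only error logs,
// one with no exports configured, and a resource that is not a cluster at all.
const compliantCluster = {
    awsDatabaseInstance: { rdsCluster: { enabledCloudwatchLogsExports: ["audit", "error", "general"] } },
}
const errorOnlyCluster = {
    awsDatabaseInstance: { rdsCluster: { enabledCloudwatchLogsExports: ["error"] } },
}
const noExportsCluster = {
    awsDatabaseInstance: { rdsCluster: { enabledCloudwatchLogsExports: [] } },
}
const standaloneInstance = { awsDatabaseInstance: {} }

console.log(validateLogExports(compliantCluster))      // { success: true, missing: [] }
console.log(validateLogExports(errorOnlyCluster))      // { success: false, missing: [ 'audit' ] }
console.log(buildExportRemediation(errorOnlyCluster))  // { EnableLogTypes: [ 'audit' ] }
console.log(validateLogExports(noExportsCluster, ["audit", "error", "slowquery"]))
// { success: false, missing: [ 'audit', 'error', 'slowquery' ] }
console.log(validateLogExports(standaloneInstance))    // { success: false, missing: [ 'audit' ] }
```

The remediation object is the shape RDS expects: passing it as CloudwatchLogsExportConfiguration to ModifyDBCluster (or as --cloudwatch-logs-export-configuration with the AWS CLI) turns on the listed types without disabling any that are already enabled. Note that for Aurora MySQL the "audit" export only carries data once Advanced Auditing is turned on in the cluster parameter group, so a compliant export configuration alone does not guarantee that audit events are being written.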