
Export Audit Logs to CloudWatch

Description

In addition to viewing and downloading database logs, you can publish logs to Amazon CloudWatch Logs to allow real-time analysis of log data and to keep the data in durable storage. AWS retains log data published to CloudWatch Logs indefinitely unless you specify a retention period.

For more information, see the Amazon RDS Aurora logging documentation.

Rationale

You should export your Amazon RDS Aurora MySQL error logs so that you can detect and react to any error-related event in your database, such as:

  • Startup and shutdown times
  • Diagnostic messages (errors, warnings, notes) that occur during server startup and shutdown, and while the server is running

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                          Value
secureclouddb/provider       aws
secureclouddb/service        rds
secureclouddb/resource-type  cluster
secureclouddb/engine         mysql

Default Rule

const { isEmptyArray } = module
const { isAwsRdsCluster } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if database instance is exporting the error logs to Amazon Cloudwatch
 */
function validate(databaseSettings) {
    const logType = "error"
    const success = isAwsRdsCluster(databaseSettings) &&
                    !isEmptyArray(databaseSettings.awsDatabaseInstance.rdsCluster.enabledCloudwatchLogsExports) &&
                    databaseSettings.awsDatabaseInstance.rdsCluster.enabledCloudwatchLogsExports.includes(logType)

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
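The following is an added example, not the secureclouddb rule engine's own code: it re-implements the check above as a stand-alone script that can be run against the JSON returned by `aws rds describe-db-clusters`, reports every Aurora MySQL cluster that does not export the required log type, and generalizes the rule to a list of required log types (Aurora MySQL supports `audit`, `error`, `general` and `slowquery`). The `DescribeDBClusters` field names (`DBClusterIdentifier`, `Engine`, `EnabledCloudwatchLogsExports`) are the ones in the RDS API response; the sample response below is constructed.

```javascript
// Added example (not the rule engine's code). Works on a DescribeDBClusters
// response object; no AWS SDK call is made, so it runs offline.

const REQUIRED_LOG_TYPE = "error"; // the log type the rule above checks for

// Aurora MySQL clusters report one of these Engine values.
const AURORA_MYSQL_ENGINES = new Set(["aurora", "aurora-mysql"]);

/**
 * Evaluate one cluster from a DescribeDBClusters response.
 * @returns {{id: string, applicable: boolean, success: boolean, missing: string[]}}
 *   `applicable` is false for non-Aurora-MySQL engines (rule does not apply);
 *   `missing` lists required log types that are not exported to CloudWatch.
 */
function evaluateCluster(cluster, required = [REQUIRED_LOG_TYPE]) {
  const id = cluster.DBClusterIdentifier || "<unknown>";
  const applicable = AURORA_MYSQL_ENGINES.has(cluster.Engine);
  // A cluster with no exports at all omits the field entirely, so treat a
  // missing or non-array value the same as an empty array (isEmptyArray above).
  const exports = Array.isArray(cluster.EnabledCloudwatchLogsExports)
    ? cluster.EnabledCloudwatchLogsExports
    : [];
  const missing = required.filter((t) => !exports.includes(t));
  return { id, applicable, success: applicable && missing.length === 0, missing };
}

/** Return the evaluations of all applicable clusters that fail the check. */
function findNonCompliant(describeResponse, required = [REQUIRED_LOG_TYPE]) {
  return (describeResponse.DBClusters || [])
    .map((c) => evaluateCluster(c, required))
    .filter((r) => r.applicable && !r.success);
}

// Constructed sample mimicking `aws rds describe-db-clusters` output.
const SAMPLE_RESPONSE = {
  DBClusters: [
    { DBClusterIdentifier: "prod-orders", Engine: "aurora-mysql",
      EnabledCloudwatchLogsExports: ["error", "slowquery"] },
    { DBClusterIdentifier: "staging-orders", Engine: "aurora-mysql",
      EnabledCloudwatchLogsExports: ["general"] },
    { DBClusterIdentifier: "legacy-reports", Engine: "aurora-mysql" }, // no exports
    { DBClusterIdentifier: "analytics-pg", Engine: "aurora-postgresql",
      EnabledCloudwatchLogsExports: ["postgresql"] },
  ],
};

for (const r of findNonCompliant(SAMPLE_RESPONSE)) {
  console.log(`${r.id}: not exporting ${r.missing.join(", ")} logs to CloudWatch`);
}
```

Passing `["error", "audit"]` as the second argument checks the audit export named in this rule's title as well.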