AWS-RDS-RDS-Logging-Enabled

Severity: Medium

Description: This control ensures that at least one log type under Log exports is published to Amazon CloudWatch for the RDS DB instance. Amazon CloudWatch can collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in AWS resources. These logs can play a vital role in debugging, troubleshooting, detecting malicious activity, and security audits. The "Log exports" option for an RDS DB instance publishes the DB logs to CloudWatch for further processing and storage.

Remediation Steps:

Perform the following steps to update logging for RDS:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the RDS console.

  3. In the navigation pane, click Databases.

  4. Click the database instance to be modified, then click Modify.

  5. Under Log exports, select all log types.

  6. Click Continue.

  7. Under Scheduling of modifications, select Apply Immediately.

  8. Click Modify DB Instance.

Important:

  • Logs from China (Ningxia) region cannot be published to CloudWatch.

  • Any modification to an AWS RDS instance can either be applied immediately or scheduled to apply during the next maintenance window. The remediation above applies the changes immediately.
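
The same check and remediation expressed as code, as an added example that is not part of the original control text: it flags instances with no exported log type and builds the `modify_db_instance` request that enables every exportable type with immediate application. The instance names, engine versions and log-type lists are constructed sample data, and `apply_plan` assumes the caller supplies a boto3 RDS client.

```python
# Added example: audit and remediation plan for the RDS "Log exports" control.
# Constructed sample shaped like boto3 rds.describe_db_instances() output.
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
     "EngineVersion": "8.0.35", "EnabledCloudwatchLogsExports": []},
    {"DBInstanceIdentifier": "audit-db", "Engine": "postgres",
     "EngineVersion": "15.5", "EnabledCloudwatchLogsExports": ["postgresql"]},
    {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
     "EngineVersion": "8.0.35"},  # key absent: treated as no exports
]}
# Constructed sample of the ExportableLogTypes values that
# rds.describe_db_engine_versions() reports per engine and version.
SAMPLE_EXPORTABLE = {
    ("mysql", "8.0.35"): ["audit", "error", "general", "slowquery"],
    ("postgres", "15.5"): ["postgresql", "upgrade"],
}
# China (Ningxia): logs cannot be published to CloudWatch (see Important).
NO_CLOUDWATCH_EXPORT_REGIONS = {"cn-northwest-1"}

def failing_instances(response):
    """Instances that fail the control: no log type is exported."""
    return [i for i in response.get("DBInstances", [])
            if not i.get("EnabledCloudwatchLogsExports")]

def plan_remediation(response, exportable, region):
    """Build modify_db_instance kwargs enabling every exportable log type."""
    if region in NO_CLOUDWATCH_EXPORT_REGIONS:
        return []
    plan = []
    for inst in failing_instances(response):
        types = exportable.get((inst["Engine"], inst["EngineVersion"]), [])
        if not types:
            continue  # nothing exportable is known for this engine version
        plan.append({
            "DBInstanceIdentifier": inst["DBInstanceIdentifier"],
            "CloudwatchLogsExportConfiguration": {"EnableLogTypes": sorted(types)},
            "ApplyImmediately": True,  # step 7: Apply Immediately
        })
    return plan

def apply_plan(rds_client, plan):
    """Send each request; rds_client is a boto3 RDS client from the caller."""
    for request in plan:
        rds_client.modify_db_instance(**request)

if __name__ == "__main__":
    for request in plan_remediation(SAMPLE_INSTANCES, SAMPLE_EXPORTABLE, "us-east-1"):
        print(request)
```

Review the printed plan before passing it to `apply_plan`; an instance that already exports at least one log type passes the control and is left unchanged.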

Blue Hexagon Proprietary