🛡️ AWS RDS Cluster database logging is not enabled🟢

• Contextual name: 🛡️ Cluster database logging is not enabled🟢
• ID: /ce/ca/aws/rds/cluster-cloudwatch-logs-export
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Cluster
  • 🔌 AWS RDS Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
• AWS Security Hub: [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs
• AWS Security Hub: [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
• AWS Security Hub: [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs

Description

Open File

Description

This policy identifies AWS RDS Clusters that are not configured to export database logs to Amazon CloudWatch Logs. Enabling log exports ensures that database activity and operational events are captured and centrally stored for ongoing monitoring, analysis, and audit purposes.

Rationale

Exporting database logs to Amazon CloudWatch Logs is critical for maintaining operational visibility and meeting security and compliance requirements. Logs stored locally on an RDS cluster are transient and may be lost during maintenance operations, cluster restarts, or unexpected failures. By contrast, CloudWatch Logs provides durable, centralized storage that preserves historical log data for auditing and forensic analysis.

Once logs are available in CloudWatch Logs, organizations can create metric filters and alarms to detect significant events, such as repeated connection failures, unauthorized access attempts, or performance issues including slow-running queries. CloudWatch Logs Insights further enhances visibility by enabling efficient querying and analysis of log data across multiple RDS clusters, improving troubleshooting and incident response capabilities.

... see more

Remediation

Open File

Remediation

Enable CloudWatch Log Exports

To ensure database logs are retained and available for centralized monitoring, troubleshooting, and auditing, configure AWS RDS clusters to export supported database log types to Amazon CloudWatch Logs. Exported logs provide durable storage and enable security monitoring, operational analysis, and compliance reporting.

CloudWatch log exports are enabled at the cluster level by updating the DB cluster configuration with the --cloudwatch-logs-export-configuration parameter. The specific log types that can be exported depend on the database engine and engine version.

From Command Line

Aurora MySQL

Enable export of error, general, slow query, audit, and instance logs:

aws rds modify-db-cluster \
    --db-cluster-identifier mydbcluster \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery","audit","instance"]}'

---

Aurora PostgreSQL

Enable export of PostgreSQL engine and instance logs:

aws rds modify-db-cluster \

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			75		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	31		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37		no data
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			4		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-6(5) Integrated Analysis of Audit Records (H)			3		no data
💼 FedRAMP High Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			2		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			15		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		73		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27		no data
💼 FedRAMP High Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			3		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	56		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			23		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		27		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			31		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			4		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			2		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			3		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			50		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			65		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			178		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			27		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			50		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			179		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			46		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	24		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		26		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration		1	4		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(5) Audit Record Review, Analysis, and Reporting _ Integrated Analysis of Audit Records			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing		1	2		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9(7) Protection of Audit Information _ Store on Component with Different Operating System			2		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		15		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	73		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		27		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(5) System Monitoring _ System-generated Alerts			3		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			11		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-20 Tainting			3		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	33		no data
💼 PCI DSS v3.2.1 → 💼 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.			2		no data
💼 PCI DSS v3.2.1 → 💼 10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.			2		no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			9		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		32		no data
💼 PCI DSS v4.0.1 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.			2		no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	32		no data
💼 PCI DSS v4.0 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.			2		no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9		no data