🛡️ AWS RDS Cluster required log exports to CloudWatch Logs are not enabled🟢

• Contextual name: 🛡️ Cluster required log exports to CloudWatch Logs are not enabled🟢
• ID: /ce/ca/aws/rds/cluster-cloudwatch-logs-export
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Cluster
  • 🔌 AWS RDS Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
• AWS Security Hub: [RDS.45] Aurora MySQL DB clusters should have audit logging enabled
• AWS Security Hub: [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs
• AWS Security Hub: [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs
• AWS Security Hub: [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs

Description

Open File

Description

This policy identifies supported AWS RDS clusters that are not configured to export the required engine-specific database logs to Amazon CloudWatch Logs. It applies to Aurora MySQL, Aurora PostgreSQL, Amazon DocumentDB, and Amazon Neptune clusters.

The required log export depends on the database engine:

• Aurora MySQL: audit
• Aurora PostgreSQL: postgresql
• Amazon DocumentDB: audit
• Amazon Neptune: audit

Rationale

Exporting database logs to Amazon CloudWatch Logs is critical for maintaining operational visibility and meeting security and compliance requirements. Logs stored locally on an RDS cluster are transient and may be lost during maintenance operations, cluster restarts, or unexpected failures. By contrast, CloudWatch Logs provides durable, centralized storage that preserves historical log data for auditing and forensic analysis.

Once logs are available in CloudWatch Logs, organizations can create metric filters and alarms to detect significant events, such as repeated connection failures, unauthorized access attempts, or performance issues including slow-running queries. CloudWatch Logs Insights further enhances visibility by enabling efficient querying and analysis of log data across multiple RDS clusters, improving troubleshooting and incident response capabilities.

... see more

Remediation

Open File

Remediation

Enable Required CloudWatch Log Exports

To ensure database logs are retained and available for centralized monitoring, troubleshooting, and auditing, configure supported AWS RDS clusters to export the required database log types to Amazon CloudWatch Logs.

CloudWatch log exports are enabled at the cluster level by updating the DB cluster configuration with the --cloudwatch-logs-export-configuration parameter. The required log type depends on the database engine and engine version.

From Command Line

Aurora MySQL

Enable export of audit logs:

aws rds modify-db-cluster \
    --db-cluster-identifier {{db-cluster-identifier}} \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

Aurora PostgreSQL

Enable export of PostgreSQL logs:

aws rds modify-db-cluster \
    --db-cluster-identifier {{db-cluster-identifier}} \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["postgresql"]}'

Amazon DocumentDB

Enable export of audit logs:

aws docdb modify-db-cluster \

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.45] Aurora MySQL DB clusters should have audit logging enabled			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			78		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			23		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		8	32		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		39		no data
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			6		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-6(5) Integrated Analysis of Audit Records (H)			4		no data
💼 FedRAMP High Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			4		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		74		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP High Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			4		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		49	57		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		28		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			23		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		39		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			6		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			4		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			4		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			51		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			66		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			28		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			51		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			47		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			62		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			62		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			47		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			50		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		15	23		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	15	39		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration		2	6		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(5) Audit Record Review, Analysis, and Reporting _ Integrated Analysis of Audit Records			4		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing		2	4		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9(7) Protection of Audit Information _ Store on Component with Different Operating System			2		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	48	74		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		28		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			35		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(5) System Monitoring _ System-generated Alerts			4		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-20 Tainting			4		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	33		no data
💼 PCI DSS v3.2.1 → 💼 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.			3		no data
💼 PCI DSS v3.2.1 → 💼 10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.			3		no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			9		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		32		no data
💼 PCI DSS v4.0.1 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.			3		no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	32		no data
💼 PCI DSS v4.0 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.			3		no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9		no data