Description
This policy identifies AWS RDS Clusters that are not configured to export database logs to Amazon CloudWatch Logs. Enabling log exports ensures that database activity and operational events are captured and centrally stored for ongoing monitoring, analysis, and audit purposes.
Rationale
Exporting database logs to Amazon CloudWatch Logs is critical for maintaining operational visibility and meeting security and compliance requirements. Logs stored locally on an RDS cluster are transient and may be lost during maintenance operations, cluster restarts, or unexpected failures. By contrast, CloudWatch Logs provides durable, centralized storage that preserves historical log data for auditing and forensic analysis.
Once logs are available in CloudWatch Logs, organizations can create metric filters and alarms to detect significant events, such as repeated connection failures, unauthorized access attempts, or performance issues including slow-running queries. CloudWatch Logs Insights further enhances visibility by enabling efficient querying and analysis of log data across multiple RDS clusters, improving troubleshooting and incident response capabilities.
Database audit logs are especially important for tracking changes to data access patterns and database schema modifications, supporting regulatory compliance and internal governance requirements.
Impact
Enabling log exports to CloudWatch Logs may result in additional AWS costs. Charges may apply for log ingestion, storage, and retention, depending on the volume of logs generated and the configured retention period.
To manage costs effectively, enable only the required log types and define appropriate log retention policies that balance operational visibility with cost considerations.
Audit
This policy flags an AWS RDS Cluster as INCOMPLIANT when the Enabled CloudWatch Logs Exports field is empty.
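As an added illustration (not part of the policy text), the check above expressed against the shape of boto3's `rds.describe_db_clusters()` response, plus a builder for the `modify_db_cluster()` parameters that would remediate a finding; the response data and the per-engine "required log types" mapping are constructed assumptions, and the stricter per-log-type check goes beyond the policy's empty-field test.

```python
# Added example: evaluate "Enabled CloudWatch Logs Exports is empty" the way the
# policy states it, against constructed data shaped like describe_db_clusters().
from typing import Dict, List

SAMPLE_DESCRIBE_DB_CLUSTERS = {  # constructed sample, not from a real account
    "DBClusters": [
        {"DBClusterIdentifier": "orders-aurora-mysql", "Engine": "aurora-mysql",
         "EnabledCloudwatchLogsExports": []},             # nothing exported
        {"DBClusterIdentifier": "billing-aurora-pg", "Engine": "aurora-postgresql",
         "EnabledCloudwatchLogsExports": ["postgresql"]},
        {"DBClusterIdentifier": "legacy-aurora-mysql", "Engine": "aurora-mysql"},
        {"DBClusterIdentifier": "reports-aurora-mysql", "Engine": "aurora-mysql",
         "EnabledCloudwatchLogsExports": ["error"]},      # partial export
    ]
}

# Assumed organizational baseline of log types per engine (not from the policy).
REQUIRED_LOG_TYPES = {"aurora-mysql": ["audit", "error", "slowquery"],
                      "aurora-postgresql": ["postgresql"]}

def noncompliant_clusters(response: Dict) -> List[str]:
    """The policy's check: INCOMPLIANT when the export list is empty
    (a missing key is treated the same as an empty list)."""
    return [c["DBClusterIdentifier"] for c in response.get("DBClusters", [])
            if not c.get("EnabledCloudwatchLogsExports")]

def missing_log_types(cluster: Dict, required: Dict[str, List[str]]) -> List[str]:
    """Stricter variant beyond the policy: which required log types for the
    cluster's engine are not yet exported (empty list means fully covered)."""
    enabled = set(cluster.get("EnabledCloudwatchLogsExports") or [])
    return [t for t in required.get(cluster.get("Engine", ""), []) if t not in enabled]

def remediation_params(cluster: Dict, log_types: List[str]) -> Dict:
    """Keyword arguments for rds.modify_db_cluster() that enable the given log
    types; building them does not call AWS, so the caller decides whether to
    apply them (and accept the ingestion/retention cost noted under Impact)."""
    return {"DBClusterIdentifier": cluster["DBClusterIdentifier"],
            "CloudwatchLogsExportConfiguration": {"EnableLogTypes": sorted(log_types)}}

if __name__ == "__main__":
    for cid in noncompliant_clusters(SAMPLE_DESCRIBE_DB_CLUSTERS):
        print("INCOMPLIANT:", cid)
    for c in SAMPLE_DESCRIBE_DB_CLUSTERS["DBClusters"]:
        gap = missing_log_types(c, REQUIRED_LOG_TYPES)
        if gap:
            print(c["DBClusterIdentifier"], "missing", gap, "->", remediation_params(c, gap))
```

With real data, replace the sample dict with `boto3.client("rds").describe_db_clusters()` and page through `Marker` if the account has many clusters.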