
Remediation

Enable CloudWatch Log Exports

To ensure database logs are retained and available for centralized monitoring, troubleshooting, and auditing, configure Amazon RDS (including Aurora), Amazon Neptune, and Amazon DocumentDB clusters to export their supported database log types to Amazon CloudWatch Logs. Exporting gives the logs durable storage outside the database host and enables security monitoring, operational analysis, and compliance reporting.

CloudWatch log exports are enabled at the cluster level by updating the DB cluster configuration with the --cloudwatch-logs-export-configuration parameter of modify-db-cluster. The log types that can be exported depend on the database engine and engine version.

From Command Line

Aurora MySQL

Enable export of error, general, slow query, audit, and instance logs:

aws rds modify-db-cluster \
--db-cluster-identifier mydbcluster \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery","audit","instance"]}'

Aurora PostgreSQL

Enable export of PostgreSQL engine and instance logs:

aws rds modify-db-cluster \
--db-cluster-identifier my-db-cluster \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["postgresql","instance"]}'

Amazon Neptune

Enable export of audit logs:

aws neptune modify-db-cluster \
--region us-east-1 \
--db-cluster-identifier my_db_cluster_id \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

Amazon DocumentDB

Enable export of audit logs:

aws docdb modify-db-cluster \
--db-cluster-identifier sample-cluster \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

Considerations

  • Supported log types vary by database engine and engine version. Verify available log types before enabling exports.
  • Once enabled, logs are continuously streamed to Amazon CloudWatch Logs and retained according to the configured retention policy.
  • Additional AWS charges may apply for log ingestion, storage, and retention based on log volume.
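As an added example (not part of this page or the AWS CLI), the POSIX shell script below performs the verification step from Considerations for an RDS or Aurora cluster: it compares the cluster's EnabledCloudwatchLogsExports with the engine version's ExportableLogTypes and prints the modify-db-cluster command that would enable the missing types. It assumes AWS CLI v2 with credentials granting rds:DescribeDBClusters and rds:DescribeDBEngineVersions; Neptune and DocumentDB use their own CLI namespaces and are not covered.

```shell
#!/bin/sh
# Added example (not from the original page): report which exportable log
# types an RDS/Aurora cluster is not yet sending to CloudWatch Logs, and
# print the modify-db-cluster command that would enable them.

# missing_log_types SUPPORTED ENABLED
# Both arguments are whitespace-separated lists. Prints the supported types
# absent from ENABLED, in SUPPORTED order (empty when nothing is missing).
missing_log_types() {
  supported=$1 enabled=$2 out=""
  for t in $supported; do
    case " $enabled " in
      *" $t "*) ;;                     # already exported
      *) out="${out:+$out }$t" ;;      # still to enable
    esac
  done
  printf '%s' "$out"
}

# to_enable_json "general slowquery" -> {"EnableLogTypes":["general","slowquery"]}
to_enable_json() {
  list=""
  for t in $1; do list="${list:+$list,}\"$t\""; done
  printf '{"EnableLogTypes":[%s]}' "$list"
}

# audit_cluster CLUSTER_ID: query the live cluster; returns 1 when at least
# one exportable log type is not enabled. Requires the AWS CLI (assumption).
audit_cluster() {
  cluster=$1
  set -- $(aws rds describe-db-clusters --db-cluster-identifier "$cluster" \
           --query 'DBClusters[0].[Engine,EngineVersion]' --output text)
  engine=$1 version=$2
  enabled=$(aws rds describe-db-clusters --db-cluster-identifier "$cluster" \
            --query 'DBClusters[0].EnabledCloudwatchLogsExports' --output text)
  [ "$enabled" = "None" ] && enabled=""   # text output for a null list
  supported=$(aws rds describe-db-engine-versions --engine "$engine" \
              --engine-version "$version" \
              --query 'DBEngineVersions[0].ExportableLogTypes' --output text)
  missing=$(missing_log_types "$supported" "$enabled")
  if [ -z "$missing" ]; then
    echo "$cluster ($engine $version): all exportable log types enabled"; return 0
  fi
  echo "$cluster ($engine $version): not exported: $missing"
  echo "aws rds modify-db-cluster --db-cluster-identifier $cluster" \
       "--cloudwatch-logs-export-configuration '$(to_enable_json "$missing")'"
  return 1
}

if [ $# -eq 1 ]; then audit_cluster "$1"; fi
```

Run it as `sh audit-log-exports.sh <cluster-id>`; a non-zero exit status marks a cluster that still has exportable log types disabled, which makes it usable from a scheduled compliance job.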