🛡️ AWS RDS Instance database logging is not enabled🟢

• Contextual name: 🛡️ Instance database logging is not enabled🟢
• ID: /ce/ca/aws/rds/instance-cloudwatch-logs-export
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS RDS Instance
  • 🔌 AWS RDS Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [RDS.9] RDS DB instances should publish logs to CloudWatch Logs
• AWS Security Hub: [RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs
• AWS Security Hub: [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs
• AWS Security Hub: [RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs

Description

Open File

Description

This policy identifies standalone AWS RDS Instances that are not configured to export database logs to Amazon CloudWatch Logs. It applies to supported database engines, including MariaDB, MySQL, PostgreSQL, Oracle, and SQL Server. Enabling log exports ensures that relevant database activity and operational events are captured and centrally stored for monitoring and analysis.

Rationale

Exporting database logs to Amazon CloudWatch Logs is essential for maintaining operational visibility and supporting security and compliance requirements. Logs stored locally on an RDS instance are transient and may be lost during maintenance activities, instance restarts, or unexpected failures. CloudWatch Logs provides durable, centralized log storage that preserves historical data for analysis and auditing.

Once logs are available in CloudWatch, organizations can create metric filters and alarms to detect notable events such as repeated connection failures, unauthorized access attempts, or performance issues like slow queries. Additionally, CloudWatch Logs Insights enables efficient searching and analysis of log data across multiple RDS instances, improving troubleshooting and incident response.

... see more

Remediation

Open File

Remediation

Enable CloudWatch Log Exports

To ensure database logs are retained and available for monitoring and auditing, configure AWS RDS Instances to export supported log types to Amazon CloudWatch Logs. The available log types depend on the database engine and engine version.

To enable CloudWatch log exports for an RDS instance, update the instance configuration using the --cloudwatch-logs-export-configuration parameter. This parameter specifies which database log types are sent to Amazon CloudWatch Logs.

Note: Changes to --cloudwatch-logs-export-configuration are applied immediately by AWS. The --apply-immediately or --no-apply-immediately options have no effect on this modification.

From Command Line

MariaDB

Enable export of MariaDB error, general, slowquery, and audit logs:

aws rds modify-db-instance \
    --region {{region}} \
    --db-instance-identifier {{instance-id}} \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery","audit"]}'

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.9] RDS DB instances should publish logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			78		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			23		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		8	32		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		39		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		74		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		49	57		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		28		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			23		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		39		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			51		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			66		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			28		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			51		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			47		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			62		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			62		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			47		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			50		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		15	23		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	15	39		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	48	74		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		28		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			35		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			17		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	33		no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			9		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		32		no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	32		no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9		no data