Logo of Trend Micro

Enable RDS Log Exports

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: RDS-033

Ensure that your Amazon RDS database instances have Log Exports feature enabled in order to publish database log events directly to AWS CloudWatch Logs. By publishing database logs to Amazon CloudWatch, you can build richer and more seamless interactions with your database instance logs using AWS services. Log Exports is supported by AWS RDS MySQL, Aurora (with MySQL compatibility) and MariaDB database engines. Cloud Conformity strongly recommends that you select all the log types available for publishing to AWS CloudWatch Logs when enabling the feature. The Log Exports feature supports the following log types:

Error log – collects diagnostic messages generated by the database engine, together with startup and shutdown times.

General query log – contains a record of all SQL statements received from clients, plus the client connect and disconnect times.

Slow query log – contains a record of SQL statements that took longer than expected to execute and examined more than a defined number of rows (both thresholds are configurable).

Audit log – records database activity on the instance for audit purposes.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security
Reliability
Performance
efficiency
Operational
excellence

Once the Log Exports feature is enabled, Amazon RDS sends general, slow query, audit and error logs from your MySQL, Aurora and MariaDB databases to AWS CloudWatch Logs. Broadcasting these logs to CloudWatch allows you to maintain continuous visibility into database activity, query performance and errors within your RDS database instances. For example, you can set up AWS CloudWatch alarms to notify on frequent restarts which are recorded in the error log or alarms for events recorded in the audit logs that can alert on unwanted changes made to your databases. You can also create Amazon CloudWatch alarms to monitor the slow query log and enable timely detection of long-running SQL queries. Additionally, you can use CloudWatch Logs to perform impromptu searches across multiple logs published by RDS Log Exports – this capability is particularly useful for troubleshooting, audits and log analysis.

Audit

To determine if your Amazon RDS MySQL, Aurora and MariaDB database instances are using Log Exports feature to publish database logs to AWS CloudWatch, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Select the RDS database instance that you want to examine. The selected instance must have the database engine, available in the Engine column, set to MySQL, Aurora or MariaDB.

05 Click the Instance Actions button from the dashboard top menu and select Modify.

06 Within Log exports configuration panel, check the log types (i.e. Audit log, Error log, General log, Slow query log) checkboxes. If none of these checkboxes are selected, i.e.

Log Exports

the Log Exports feature is not enabled for the selected RDS database instance as Amazon RDS does not publish the instance's general, slow query, audit and error logs to AWS CloudWatch Logs.

07 Repeat steps no. 4 – 6 to verify the Log Exports feature status for other AWS RDS instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the names of all RDS MySQL, Aurora and MariaDB database instances available in the selected AWS region: 

aws rds describe-db-instances
	--region us-east-1
	--output table
	--query 'DBInstances[?Engine==`mysql` || Engine==`aurora` || Engine==`aurora-mysql` || Engine==`mariadb`].DBInstanceIdentifier | []'

02 The command output should return a table with the requested RDS names: 

---------------------------
|   DescribeDBInstances   |
+-------------------------+
|  cc-mariadb-database    |
|  cc-aurora-mysql-db     |
|  cc-aurora-database     |
+-------------------------+

03 Run describe-db-instances command (OSX/Linux/UNIX) using the name of the database instance that you want to examine as identifier and custom query filters to get the list of log types that the selected database instance is configured to export to AWS CloudWatch Logs: 

aws rds describe-db-instances
	--region us-east-1
	--db-instance-identifier cc-mariadb-database
	--query 'DBInstances[*].EnabledCloudwatchLogsExports'

04 The command output should return an array that contains the log types configured to export to CloudWatch Logs: 

[]

If the describe-db-instances command output returns an empty array, as shown in the output example above, Amazon RDS does not publish the general, slow query, audit and error logs of the instance to AWS CloudWatch Logs, therefore the Log Exports feature is not enabled for the selected RDS database instance.

05 Repeat step no. 3 and 4 to check the Log Exports feature status for other AWS RDS instances available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Log Exports feature for your existing Amazon RDS database instances, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Select the RDS database instance that you want to reconfigure (see Audit section part I to identify the right RDS resource).

05 Click the Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance-identifier> page, in the Log exports configuration section, select all the log types available, i.e. Audit log, Error log, General log and Slow query log) to enable Log Exports feature for the selected RDS database instance.

07 Click Continue to continue the process.

08 Within Summary of modifications section, carefully review the configuration changes that you want to apply to the instance.

09 In the Scheduling of modifications section, perform one of the following actions based on your requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window setting for this RDS database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your application.

10 Click Modify DB Instance to save your configuration changes.

11 Repeat steps no. 4 – 10 to enable RDS Log Exports for other database instances available in the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run modify-db-instance command (OSX/Linux/UNIX) to enable Log Exports feature for the selected RDS database instance (see Audit section part II to identify the right database) by adding the --cloudwatch-logs-export-configuration parameter to the command request. This parameter specifies the configuration setting for the log types to be enabled for export to AWS CloudWatch Logs. The following command example make use of --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your application. If you skip adding the --apply-immediately parameter to the command request, Amazon RDS service will apply your changes during the next maintenance window: 

aws rds modify-db-instance
	--region us-east-1
	--db-instance-identifier cc-mariadb-database
	--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error","general","slowquery"]}'
	--apply-immediately

02 The command output should return the new configuration metadata for the modified RDS database instance: 

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "Engine": "mariadb",
        "MultiAZ": false,
        "LatestRestorableTime": "2018-10-11T14:35:11Z",
        "PerformanceInsightsEnabled": false,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "11:30-12:00",
        "AllocatedStorage": 150,
        "BackupRetentionPeriod": 3,
        "PreferredMaintenanceWindow": "fri:09:30-fri:10:00",
        "DBInstanceStatus": "available",
        "StorageType": "gp2",

        ...

	  "PendingModifiedValues": {
            "PendingCloudwatchLogsExports": {
                "LogTypesToEnable": [
                    "audit",
                    "error",
                    "general",
                    "slowquery"
                ]
            }
        },
        "DeletionProtection": true,
        "AvailabilityZone": "us-east-1a",
        "DBInstanceIdentifier": "cc-mariadb-database"
    }
}

03 Repeat step no. 1 and 2 to enable Amazon RDS Log Exports for other database instances available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Oct 29, 2018

Related RDS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable RDS Log Exports

Risk level: Low