Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Ensure that your Amazon RDS database instances have Log Exports feature enabled in order to publish database log events directly to AWS CloudWatch Logs. By publishing database logs to Amazon CloudWatch, you can build richer and more seamless interactions with your database instance logs using AWS services. Log Exports is supported by AWS RDS MySQL, Aurora (with MySQL compatibility) and MariaDB database engines. Cloud Conformity strongly recommends that you select all the log types available for publishing to AWS CloudWatch Logs when enabling the feature. The Log Exports feature supports the following log types:
Error log – collects diagnostic messages generated by the database engine, together with startup and shutdown times.
General query log – contains a record of all SQL statements received from clients, plus the client connect and disconnect times.
Slow query log – contains a record of SQL statements that took longer than expected to execute and examined more than a defined number of rows (both thresholds are configurable).
Audit log – records database activity on the instance for audit purposes.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Security
Reliability
Performance
OperationalOnce the Log Exports feature is enabled, Amazon RDS sends general, slow query, audit and error logs from your MySQL, Aurora and MariaDB databases to AWS CloudWatch Logs. Broadcasting these logs to CloudWatch allows you to maintain continuous visibility into database activity, query performance and errors within your RDS database instances. For example, you can set up AWS CloudWatch alarms to notify on frequent restarts which are recorded in the error log or alarms for events recorded in the audit logs that can alert on unwanted changes made to your databases. You can also create Amazon CloudWatch alarms to monitor the slow query log and enable timely detection of long-running SQL queries. Additionally, you can use CloudWatch Logs to perform impromptu searches across multiple logs published by RDS Log Exports – this capability is particularly useful for troubleshooting, audits and log analysis.
To determine if your Amazon RDS MySQL, Aurora and MariaDB database instances are using Log Exports feature to publish database logs to AWS CloudWatch, perform the following:
01 Sign in to AWS Management Console.
02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.
03 In the left navigation panel, under Amazon RDS, click Instances.
04 Select the RDS database instance that you want to examine. The selected instance must have the database engine, available in the Engine column, set to MySQL, Aurora or MariaDB.
05 Click the Instance Actions button from the dashboard top menu and select Modify.
06 Within Log exports configuration panel, check the log types (i.e. Audit log, Error log, General log, Slow query log) checkboxes. If none of these checkboxes are selected, i.e.
the Log Exports feature is not enabled for the selected RDS database instance as Amazon RDS does not publish the instance's general, slow query, audit and error logs to AWS CloudWatch Logs.
07 Repeat steps no. 4 – 6 to verify the Log Exports feature status for other AWS RDS instances provisioned in the current region.
08 Change the AWS region from the navigation bar and repeat the process for other regions.
To enable Log Exports feature for your existing Amazon RDS database instances, perform the following actions:
Unlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
Enable RDS Log Exports
Risk level: Low
|