[RDS.9]
Database logging should be enabled
Description
RDS database instances should have their engine logs enabled and exported to CloudWatch Logs. Database logs support security and access audits because they provide a detailed record of the requests the database received (connections, queries, errors), and shipping them off the instance keeps them available even after the instance is modified, deleted or compromised. This rule is COMPLIANT only when every log type listed for the instance's engine (see Remediation) is enabled for export; a database with no exports, or with only some of them, is NON_COMPLIANT.
Details
| Property | Value |
|---|---|
| Category | Identify > Logging |
| Compliance Control ID | RDS.9 |
| FortifyFox ID | FF100037 |
| Link | RDS.9 Compliance |
| Resource Type(s) | AWS::RDS::DBInstance |
| Severity | Medium |
Remediation
Use the following CloudFormation template fragments to deploy an RDS DB instance compliant with RDS.9. Only the property relevant to this control is shown; the remaining required instance properties (engine, class, storage, credentials) are omitted.
YAML Template
```yaml
Resources:
  rdsDB:
    Type: "AWS::RDS::DBInstance"
    Properties:
      EnableCloudwatchLogsExports: LIST_OF_LOGS
```
JSON Template
```json
{
  "Resources": {
    "rdsDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "EnableCloudwatchLogsExports": LIST_OF_LOGS
      }
    }
  }
}
```
Replace LIST_OF_LOGS with one of the following lists (a YAML or JSON array, not a string). The log types you need to enable depend on the database engine and are as follows (the values are the strings the RDS API and CloudFormation accept; for an existing instance the same list goes in `aws rds modify-db-instance --cloudwatch-logs-export-configuration '{"EnableLogTypes": [...]}'`):
Oracle: ["alert", "audit", "trace", "listener"]
PostgreSQL: ["postgresql", "upgrade"]
MySQL: ["audit", "error", "general", "slowquery"]
MariaDB: ["audit", "error", "general", "slowquery"]
SQL Server: ["error", "agent"]
Aurora: ["audit", "error", "general", "slowquery"]
Aurora-MySQL: ["audit", "error", "general", "slowquery"]
Aurora-PostgreSQL: ["postgresql", "upgrade"]

Two caveats apply. For the Aurora engines the export setting lives on the cluster, so set `EnableCloudwatchLogsExports` on the `AWS::RDS::DBCluster` resource rather than on the `AWS::RDS::DBInstance`. Exporting only forwards logs the engine actually writes: on MySQL and MariaDB the `general` and `slowquery` logs are produced only when `general_log` and `slow_query_log` are set in the DB parameter group, and the `audit` log requires the MARIADB_AUDIT_PLUGIN option (an option group on RDS MySQL/MariaDB; the `server_audit_logging` cluster parameter on Aurora MySQL). Enabling the export without those settings satisfies the control but yields empty log groups.
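The check below, written as an added example for this page (it is not FortifyFox or AWS code), evaluates `describe-db-instances` and `describe-db-clusters` style records against the per-engine lists above and reports which exports are missing. It goes slightly beyond the table by mapping concrete RDS `Engine` values such as `oracle-se2` or `sqlserver-ex` onto the engine families, and by routing Aurora instances to their cluster, where the setting actually lives. The `engine_family` prefix mapping and the sample records are assumptions constructed for the example; the field names `Engine` and `EnabledCloudwatchLogsExports` are the ones the RDS API returns.

```python
"""Evaluate RDS instances and clusters against the RDS.9 log-export lists.

Added example, not FortifyFox or AWS code. The engine-family prefix mapping
and the SAMPLE_* records are assumptions/constructed data; the required-log
lists and the record field names follow the RDS API.
"""
from typing import Dict, List, Optional

# Required CloudWatch Logs exports per engine family (spelled as the RDS API
# and CloudFormation expect them).
REQUIRED_LOG_EXPORTS: Dict[str, List[str]] = {
    "oracle": ["alert", "audit", "trace", "listener"],
    "postgres": ["postgresql", "upgrade"],
    "mysql": ["audit", "error", "general", "slowquery"],
    "mariadb": ["audit", "error", "general", "slowquery"],
    "sqlserver": ["error", "agent"],
    "aurora": ["audit", "error", "general", "slowquery"],
    "aurora-mysql": ["audit", "error", "general", "slowquery"],
    "aurora-postgresql": ["postgresql", "upgrade"],
}

# Longest prefixes first so "aurora-postgresql" is not matched as "aurora".
_FAMILY_PREFIXES = sorted(REQUIRED_LOG_EXPORTS, key=len, reverse=True)


def engine_family(engine: str) -> str:
    """Map an RDS Engine value ('oracle-se2', 'sqlserver-ex', 'aurora-mysql', ...)
    to a key of REQUIRED_LOG_EXPORTS (assumed prefix convention)."""
    e = engine.lower()
    for family in _FAMILY_PREFIXES:
        if e == family or e.startswith(family + "-"):
            return family
    raise ValueError(f"unrecognised RDS engine: {engine!r}")


def missing_log_exports(engine: str, enabled: Optional[List[str]]) -> List[str]:
    """Return the required exports that are not enabled, in table order."""
    required = REQUIRED_LOG_EXPORTS[engine_family(engine)]
    have = {x.lower() for x in (enabled or [])}
    return [log for log in required if log not in have]


def evaluate(records: List[dict], id_key: str) -> Dict[str, dict]:
    """Evaluate describe_db_instances / describe_db_clusters records.

    id_key is 'DBInstanceIdentifier' or 'DBClusterIdentifier'. Aurora
    instances get no verdict: their exports are a cluster-level setting.
    """
    results: Dict[str, dict] = {}
    for rec in records:
        engine = rec["Engine"]
        if id_key == "DBInstanceIdentifier" and engine.lower().startswith("aurora"):
            results[rec[id_key]] = {
                "compliant": None,
                "missing": [],
                "note": f"evaluate cluster {rec.get('DBClusterIdentifier')}",
            }
            continue
        missing = missing_log_exports(engine, rec.get("EnabledCloudwatchLogsExports"))
        results[rec[id_key]] = {"compliant": not missing, "missing": missing}
    return results


# Constructed sample records shaped like the RDS API responses.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "prod-mysql", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
    {"DBInstanceIdentifier": "app-pg", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
    {"DBInstanceIdentifier": "legacy-mssql", "Engine": "sqlserver-se"},  # no exports
    {"DBInstanceIdentifier": "aurora-pg-writer", "Engine": "aurora-postgresql",
     "DBClusterIdentifier": "aurora-pg"},
]
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "aurora-pg", "Engine": "aurora-postgresql",
     "EnabledCloudwatchLogsExports": ["postgresql"]},
]


def evaluate_live_account(region_name: str) -> Dict[str, dict]:
    """Same evaluation against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample runs without it

    rds = boto3.client("rds", region_name=region_name)
    instances = [db for page in rds.get_paginator("describe_db_instances").paginate()
                 for db in page["DBInstances"]]
    clusters = [c for page in rds.get_paginator("describe_db_clusters").paginate()
                for c in page["DBClusters"]]
    out = evaluate(instances, "DBInstanceIdentifier")
    out.update(evaluate(clusters, "DBClusterIdentifier"))
    return out


if __name__ == "__main__":
    verdicts = {**evaluate(SAMPLE_INSTANCES, "DBInstanceIdentifier"),
                **evaluate(SAMPLE_CLUSTERS, "DBClusterIdentifier")}
    for ident, verdict in verdicts.items():
        print(f"{ident}: {verdict}")
```

Run as-is, it reports `prod-mysql` missing `audit` and `general`, `legacy-mssql` missing both of its required logs, `app-pg` compliant, and the Aurora writer deferred to its cluster, which is then flagged for the missing `upgrade` export. Remember the caveat above: a compliant verdict here means the export is configured, not that the engine is actually producing every log.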