Ensure CloudWatch logging is enabled for Amazon Relational Database Service (Amazon RDS) instances

MEDIUM

Description

Amazon RDS can publish database engine logs (for example error, slow query, general and audit logs, depending on the engine) to Amazon CloudWatch Logs. Without these exports the logs exist only on the instance, so they are lost when the instance is replaced or deleted and cannot be retained, searched or alerted on centrally. This rule checks that the RDS instance has at least one log type exported to CloudWatch Logs. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/monitoring-cloudwatch.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS RDS Console.
  2. In the RDS Dashboard, click on Databases.
  3. Select the instance you want to change and click Modify.
  4. In the Log exports section, select the log types to publish to CloudWatch Logs, then continue and apply the modification.

In Terraform -

  1. In the aws_db_instance resource, set enabled_cloudwatch_logs_exports to the list of log types to publish.
  2. The supported log types depend on the database engine (for example audit, error, general and slowquery for MySQL and MariaDB; postgresql and upgrade for PostgreSQL); a log type the engine does not support is rejected by the RDS API, so apply fails. For the full list per engine, see the Terraform documentation.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports
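The following Terraform configuration is an added example and is not code from the original page or from the policy's vendor. The resource names, the app-db identifier, the MySQL 8.0 engine, the 90-day retention and the parameter values are assumptions chosen for illustration. It shows the remediated aws_db_instance with enabled_cloudwatch_logs_exports set, a variable validation that fails the plan if the export list is emptied, pre-created log groups so the exported logs get a retention period instead of the default of never expiring, and a parameter group that actually turns on the slow query and general logs (exporting a log type that the engine is not writing produces an empty log group).

```hcl
# Added example, not from the original page. Names and values are assumptions.

variable "db_log_exports" {
  description = "Engine log types published to CloudWatch Logs (MySQL values shown)."
  type        = list(string)
  default     = ["error", "general", "slowquery"]

  # Fail at plan time if the list is emptied: an empty list disables the export
  # and leaves the instance non-compliant with AC_AWS_0064.
  validation {
    condition     = length(var.db_log_exports) > 0
    error_message = "At least one RDS log type must be exported to CloudWatch Logs."
  }
}

locals {
  db_identifier = "app-db" # assumed identifier
}

# RDS writes to log groups named /aws/rds/instance/<identifier>/<log type>.
# Creating them first lets us set retention; RDS reuses an existing group.
resource "aws_cloudwatch_log_group" "rds" {
  for_each          = toset(var.db_log_exports)
  name              = "/aws/rds/instance/${local.db_identifier}/${each.key}"
  retention_in_days = 90 # assumed retention period
}

# Exporting "slowquery" and "general" only has value if the engine produces
# those logs; these MySQL parameters are dynamic and need no reboot.
resource "aws_db_parameter_group" "app_db" {
  name   = "${local.db_identifier}-params"
  family = "mysql8.0"

  parameter {
    name  = "slow_query_log"
    value = "1"
  }
  parameter {
    name  = "long_query_time"
    value = "2" # seconds, assumed threshold
  }
  parameter {
    name  = "general_log"
    value = "1"
  }
}

# Before remediation this resource had no enabled_cloudwatch_logs_exports
# argument, so engine logs stayed on the instance and were never shipped out.
resource "aws_db_instance" "app_db" {
  identifier        = local.db_identifier
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "dbadmin"

  # Let RDS generate and store the master password in Secrets Manager
  # instead of passing a plaintext password through Terraform state.
  manage_master_user_password = true

  parameter_group_name = aws_db_parameter_group.app_db.name

  # The remediation for AC_AWS_0064: publish engine logs to CloudWatch Logs.
  # "audit" would additionally require an option group with MARIADB_AUDIT_PLUGIN.
  enabled_cloudwatch_logs_exports = var.db_log_exports

  skip_final_snapshot = true # assumption for a non-production example

  depends_on = [aws_cloudwatch_log_group.rds]
}
```

After apply, confirm the setting from the API rather than trusting state: `aws rds describe-db-instances --db-instance-identifier app-db --query 'DBInstances[0].EnabledCloudwatchLogsExports'` should list the same log types, and the /aws/rds/instance/app-db/slowquery log group should start receiving streams once a query exceeds long_query_time.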

Policy Details

Rule Reference ID: AC_AWS_0064
CSP: AWS
Remediation Available: Yes
Resource: aws_db_instance
Resource Category: Database
Resource Type: DB Instance

Frameworks