Database Logging Rule

A rule stating that database logging should be enabled for security purposes.

Rule: Database logging should be enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Enable Database Logging for AWS Foundational Security Best Practices

Rule Description:

Enabling database logging is an essential security best practice for AWS resources. This rule ensures that database logging is enabled in order to monitor and analyze database activity, and to detect any suspicious or unauthorized activities that may pose a security risk.

Troubleshooting Steps:

If database logging is not enabled, or you run into problems enabling it, follow these troubleshooting steps:

  1. Verify IAM permissions: Ensure that the user or role used to enable database logging has the necessary IAM permissions to modify the database settings.
  2. Check if the database engine supports logging: Some database engines may not support built-in logging. Verify if the selected database engine supports logging and if any specific configuration is required.
  3. Review CloudWatch Logs configuration: Ensure that the necessary CloudWatch Logs configuration is properly set up for the database. Check if the CloudWatch Logs group and log stream are correctly specified.
  4. Verify database connectivity: Ensure that the database can establish a connection to AWS services, including CloudWatch Logs and IAM roles, to deliver log data to the specified CloudWatch Logs group.

Necessary Code:

Depending on the database engine being used, there may be specific code snippets required to enable database logging. Below are examples for some popular database engines:

Amazon RDS for MySQL:

To enable database logging for Amazon RDS MySQL databases, run the following SQL command:

CALL mysql.rds_set_configuration('general_log', '1');

Amazon RDS for PostgreSQL:

To enable database logging for Amazon RDS PostgreSQL databases, update the PostgreSQL configuration file (postgresql.conf) by setting the logging_collector parameter to on. Restart the PostgreSQL database for the changes to take effect.

Amazon Aurora:

To enable database logging for Amazon Aurora MySQL or PostgreSQL databases, follow the instructions provided for their respective database engines (MySQL or PostgreSQL).

Please refer to the AWS documentation for the database engine you are using for the most up-to-date instructions on enabling database logging.

Step-by-Step Guide for Remediation:

  1. Identify the database engine you are using (e.g., Amazon RDS for MySQL, PostgreSQL, or Amazon Aurora).
  2. Ensure that you have sufficient IAM permissions to modify database settings.
  3. Open the AWS Management Console and navigate to the AWS RDS service.
  4. Select the relevant database instance that needs database logging enabled.
  5. Click on "Actions" and choose "Modify" to modify the settings of the database instance.
  6. Scroll down to the "Database options" section.
  7. Look for the "Database Log Exports to CloudWatch" option and ensure it is enabled.
  8. Specify the appropriate CloudWatch Logs group and log stream for the database logs.
  9. Save the changes by clicking "Apply immediately" or "Apply during the next maintenance window" based on your preference.
  10. Verify that the changes are successfully applied by checking the database instance details or CloudWatch Logs for incoming logs.

By following these steps, you will successfully enable database logging for your AWS resources, ensuring compliance with the AWS Foundational Security Best Practices.
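The console steps above can be checked at scale from the API. The following Python is an added example, not code from the original page or from Cloud Defense: it takes the JSON that `aws rds describe-db-instances` returns, flags instances whose CloudWatch log exports fall short of a per-engine policy, and builds the matching `aws rds modify-db-instance` command. The sample instances are constructed, and the per-engine required log types are an assumption to adjust to your own policy.

```python
import json

# Log types the check expects per engine (assumption: align with your policy).
# The names are the CloudWatch log export names RDS uses for each engine.
REQUIRED_LOG_TYPES = {
    "mysql": {"audit", "error", "general", "slowquery"},
    "mariadb": {"audit", "error", "general", "slowquery"},
    "aurora-mysql": {"audit", "error", "general", "slowquery"},
    "postgres": {"postgresql", "upgrade"},
    "aurora-postgresql": {"postgresql"},
}

# Constructed sample, shaped like `aws rds describe-db-instances` output.
# Note that the API omits EnabledCloudwatchLogsExports entirely when no
# log type is exported, so the check must treat a missing key as "none".
SAMPLE_DESCRIBE_OUTPUT = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
        {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
         "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
        {"DBInstanceIdentifier": "legacy-pg", "Engine": "postgres"},
        {"DBInstanceIdentifier": "reports-ora", "Engine": "oracle-ee",
         "EnabledCloudwatchLogsExports": []},
    ]
}


def find_unlogged_instances(describe_output):
    """Return {db_id: sorted missing log types} for every instance whose
    CloudWatch log exports do not cover the required set for its engine."""
    findings = {}
    for db in describe_output.get("DBInstances", []):
        required = REQUIRED_LOG_TYPES.get(db.get("Engine", ""))
        if required is None:
            continue  # engine not covered by this policy; report separately
        enabled = set(db.get("EnabledCloudwatchLogsExports", []))
        missing = required - enabled
        if missing:
            findings[db["DBInstanceIdentifier"]] = sorted(missing)
    return findings


def remediation_command(db_id, log_types, apply_immediately=True):
    """Build the CLI call that enables the missing exports. EnableLogTypes is
    additive, so already-enabled log types on the instance are kept."""
    cfg = json.dumps({"EnableLogTypes": sorted(log_types)})
    cmd = (f"aws rds modify-db-instance --db-instance-identifier {db_id} "
           f"--cloudwatch-logs-export-configuration '{cfg}'")
    return cmd + (" --apply-immediately" if apply_immediately else "")


if __name__ == "__main__":
    for db_id, missing in find_unlogged_instances(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{db_id}: missing {missing}")
        print("  " + remediation_command(db_id, missing))
```

Pipe real output in with `aws rds describe-db-instances --output json` and review each printed command before running it; instances whose engine is not in the policy table are skipped rather than reported as compliant.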
