Amazon RDS

RDS Logging Disabled

Risk Level: MEDIUM

Description:

This plugin ensures that RDS instances have logging enabled. Logging database-level events lets teams investigate those events for diagnostics and keep an audit trail for compliance purposes.


Recommended Action: Modify the RDS instance to enable logging as required.

About the Service:

Amazon RDS (Amazon Relational Database Service) makes it simple to set up, run, and scale a relational database in the cloud. It offers scalable capacity at a low cost while automating time-consuming administrative activities including hardware provisioning, database setup, patching, and backups. 

Impact: 

If the Log Exports feature is disabled for your RDS database instance, Amazon RDS will not publish the instance's general, slow query, audit and error logs to AWS CloudWatch Logs.

Steps to reproduce:

  1. Sign in to your AWS Management Console.
  2. Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
  3. On the left navigation panel, under RDS Dashboard, select Databases.
  4. Select the RDS instance that you want to examine.
  5. Click on Modify.
  6. On the Modify DB Instance page that appears, scroll down to Additional Configurations. 
  7. Under Log Exports, check which “Log Type” options are selected (i.e. Audit log, Error log, General log, Slow query log).
  8. If none of them is selected, the Log Exports feature is not enabled for the selected RDS database instance.
  9. Repeat steps no. 4 – 8 for each RDS instance provisioned in the current region as well as in other AWS regions.

Steps for remediation:

  1. Sign in to your AWS Management Console.
  2. Navigate to the RDS dashboard at: https://console.aws.amazon.com/rds/
  3. On the left navigation panel, under RDS Dashboard, select Databases.
  4. Select the RDS instance that you want to reconfigure.
  5. Click on Modify.
  6. On the Modify DB Instance page that appears, scroll down to Additional Configurations. 
  7. Under Log Exports, select all the log types mentioned (i.e. Audit log, Error log, General log, Slow query log) and click Continue.
  8. In the Scheduling of modifications section, select one of the following, based on your requirement:
       1. Apply during the next scheduled maintenance window.
       2. Apply immediately.
  9. Click Modify DB Instance to save your configuration changes.
  10. Repeat steps no. 4 – 10 for each RDS instance that you want to reconfigure, provisioned in the current region as well as in other AWS regions.
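The same check and remediation can be driven from the RDS API instead of the console. The following is an added example, not the plugin's own code: it evaluates the structure returned by boto3's rds.describe_db_instances() (where the console's Log Exports setting appears as the list EnabledCloudwatchLogsExports) and builds the modify_db_instance() arguments that enable the four log types. The instance records below are constructed so the check runs offline; the MySQL/MariaDB log-type names are assumed to be the ones the page lists, and other engines are only checked for having no exports at all.

```python
# Added example (not the plugin's code): evaluate the 'RDS Logging Disabled'
# finding against the shape of rds.describe_db_instances()["DBInstances"] and
# build the rds.modify_db_instance() call that remediates it.

# API names of the four log types the page lists (MySQL/MariaDB engines).
# Other engines use different names, so only 'nothing exported' is checked for them.
MYSQL_FAMILY = {"mysql", "mariadb"}
EXPECTED_MYSQL_LOGS = {"audit", "error", "general", "slowquery"}


def evaluate_log_exports(db_instances):
    """Return {identifier: (status, detail)}: FAIL when Log Exports is off (the
    plugin's finding), WARN when a MySQL-family instance exports only some of
    the expected types, PASS otherwise."""
    results = {}
    for db in db_instances:
        ident = db["DBInstanceIdentifier"]
        enabled = set(db.get("EnabledCloudwatchLogsExports", []))
        engine = db.get("Engine", "").lower()
        if not enabled:
            results[ident] = ("FAIL", "no log types exported to CloudWatch Logs")
        elif engine in MYSQL_FAMILY and not EXPECTED_MYSQL_LOGS <= enabled:
            missing = ", ".join(sorted(EXPECTED_MYSQL_LOGS - enabled))
            results[ident] = ("WARN", "missing log types: " + missing)
        else:
            results[ident] = ("PASS", "exports: " + ", ".join(sorted(enabled)))
    return results


def remediation_params(db_instance, apply_immediately=False):
    """Keyword arguments for rds.modify_db_instance() enabling the four log types
    (remediation steps 7-8); False defers the change to the next maintenance window."""
    return {
        "DBInstanceIdentifier": db_instance["DBInstanceIdentifier"],
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": sorted(EXPECTED_MYSQL_LOGS)},
        "ApplyImmediately": apply_immediately,
    }


# Constructed sample instances (not real infrastructure).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": []},
    {"DBInstanceIdentifier": "reports-db", "Engine": "mariadb",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
    {"DBInstanceIdentifier": "billing-db", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["audit", "error", "general", "slowquery"]},
]

if __name__ == "__main__":
    for ident, (status, detail) in evaluate_log_exports(SAMPLE_DB_INSTANCES).items():
        print(f"{status:4} {ident}: {detail}")
```

With credentials, replace SAMPLE_DB_INSTANCES with boto3.client("rds").describe_db_instances()["DBInstances"] (paginated in large accounts) and pass each FAIL/WARN record's remediation_params(...) to modify_db_instance(), once per region.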




References: