Ensure that your Amazon RDS database instances have the Log Exports feature enabled in order to publish database log events directly to AWS CloudWatch Logs. By publishing database logs to Amazon CloudWatch, you can build richer and more seamless interactions with your database instance logs using AWS services. Log Exports is supported by the AWS RDS MySQL, Aurora (with MySQL compatibility) and MariaDB database engines. Cloud Conformity strongly recommends that you select all the log types available for publishing to AWS CloudWatch Logs when enabling the feature. The Log Exports feature supports the following log types:
- Error log – collects diagnostic messages generated by the database engine, together with startup and shutdown times.
- General query log – contains a record of all SQL statements received from clients, plus the client connect and disconnect times.
- Slow query log – contains a record of SQL statements that took longer than expected to execute and examined more than a defined number of rows (both thresholds are configurable).
- Audit log – records database activity on the instance for audit purposes.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Once the Log Exports feature is enabled, Amazon RDS sends general, slow query, audit and error logs from your MySQL, Aurora and MariaDB databases to AWS CloudWatch Logs. Publishing these logs to CloudWatch allows you to maintain continuous visibility into database activity, query performance and errors within your RDS database instances. For example, you can set up AWS CloudWatch alarms to notify you of frequent restarts, which are recorded in the error log, or alarms on events recorded in the audit logs to alert on unwanted changes made to your databases. You can also create Amazon CloudWatch alarms to monitor the slow query log and enable timely detection of long-running SQL queries. Additionally, you can use CloudWatch Logs to perform ad hoc searches across multiple logs published by RDS Log Exports. This capability is particularly useful for troubleshooting, audits and log analysis.
To determine if your Amazon RDS MySQL, Aurora and MariaDB database instances are using the Log Exports feature to publish database logs to AWS CloudWatch, perform the following:
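One way to script this check is shown below as an added example; it is not Conformity's own audit procedure. It assumes the JSON shape returned by `aws rds describe-db-instances`, the engine identifiers `mysql`, `mariadb`, `aurora` and `aurora-mysql`, and the log type names `audit`, `error`, `general` and `slowquery`; the instance names and sample response are constructed.

```python
import json

# The four log types the rule recommends publishing (names as used by RDS).
EXPECTED_LOG_TYPES = {"audit", "error", "general", "slowquery"}
# Assumption: "Engine" values for the engines this rule covers.
SUPPORTED_ENGINES = {"mysql", "mariadb", "aurora", "aurora-mysql"}

# Constructed sample shaped like `aws rds describe-db-instances` output.
SAMPLE_RESPONSE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
   "EnabledCloudwatchLogsExports": ["audit", "error", "general", "slowquery"]},
  {"DBInstanceIdentifier": "reports-mariadb", "Engine": "mariadb",
   "EnabledCloudwatchLogsExports": ["error"]},
  {"DBInstanceIdentifier": "legacy-aurora", "Engine": "aurora-mysql"},
  {"DBInstanceIdentifier": "warehouse-pg", "Engine": "postgres",
   "EnabledCloudwatchLogsExports": []}
]}
""")


def audit_log_exports(response):
    """Return one finding per in-scope instance that is missing log types."""
    findings = []
    for db in response.get("DBInstances", []):
        if db.get("Engine") not in SUPPORTED_ENGINES:
            continue  # engine is outside the scope of this rule
        # The key may be absent or empty when nothing is exported.
        enabled = set(db.get("EnabledCloudwatchLogsExports") or [])
        missing = sorted(EXPECTED_LOG_TYPES - enabled)
        if missing:
            findings.append({
                "instance": db["DBInstanceIdentifier"],
                "engine": db["Engine"],
                "status": "PARTIAL" if enabled else "DISABLED",
                "missing": missing,
            })
    return findings


if __name__ == "__main__":
    for f in audit_log_exports(SAMPLE_RESPONSE):
        print(f"{f['instance']} ({f['engine']}): {f['status']}, "
              f"missing {', '.join(f['missing'])}")
```

To run it against a real account, replace `SAMPLE_RESPONSE` with the parsed JSON output of `aws rds describe-db-instances` for each region you audit.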
Remediation / Resolution
To enable the Log Exports feature for your existing Amazon RDS database instances, perform the following actions:
You are auditing:
Enable RDS Log Exports
Risk level: Low