Enable Serverless Log Exports

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that your Amazon Aurora Serverless database clusters (MySQL-compatible edition) have the Log Exports feature enabled in order to publish general logs, slow query logs, audit logs and error logs directly to AWS CloudWatch Logs. Aurora Serverless is an auto-scaling configuration for Amazon Aurora in which the database automatically starts up, shuts down and scales capacity up or down based on your workload. The Aurora Serverless Log Exports feature supports the following log types:

Error log – contains diagnostic messages generated by the Aurora database engine, together with startup and shutdown times.

General query log – contains a record of all SQL statements received from clients, plus the client connect and disconnect times.

Slow query log – contains a record of SQL statements that took longer than expected to execute.

Audit log – contains Aurora database activity events such as successful and failed authentication attempts, necessary for audit purposes.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

  • Security
  • Reliability
  • Performance efficiency
  • Operational excellence

As soon as the Log Exports feature is enabled, Amazon Aurora Serverless starts publishing general, slow query, audit and error logs from your Aurora databases to AWS CloudWatch Logs. By sending this logging data to the Amazon CloudWatch service, you gain continuous visibility into database activity, query performance and errors that occurred within your Aurora Serverless databases. To augment the feature's functionality, you can set up CloudWatch alarms that notify you about frequent restarts recorded in the error log, or alarms on events recorded in the audit log that alert you to unwanted changes made to your Aurora databases. You can also create AWS CloudWatch alarms that monitor the slow query log and enable timely detection of long-running SQL queries. Additionally, you can use Amazon CloudWatch Logs to perform ad hoc searches across the multiple logs published by Aurora Serverless Log Exports, a capability that is particularly useful for troubleshooting and compliance auditing.


Audit

To determine if your Amazon Aurora Serverless MySQL-compatible database clusters have the Log Exports feature enabled, perform the following actions:

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all Aurora Serverless clusters available in the selected AWS region:

aws rds describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[?Engine==`aurora` && EngineMode==`serverless`].DBClusterIdentifier | []'

02 The command output should return a table with the requested resource names:

------------------------
|  DescribeDBClusters  |
+----------------------+
|  cc-serverless-db    |
|  cc-aurora-mysql-db  |
+----------------------+

03 Run the describe-db-clusters command (OSX/Linux/UNIX) again, using the name of the serverless database cluster that you want to examine as the identifier and custom query filters, to get the list of log types that the selected cluster is configured to export to the Amazon CloudWatch service:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-serverless-db \
	--query 'DBClusters[*].EnabledCloudwatchLogsExports'

04 The command output should return an array that contains the log types configured to publish to AWS CloudWatch Logs:

[]

If the command output returns an empty array, as shown in the example above, Amazon Aurora Serverless does not publish general, slow query, audit or error logs from the selected database cluster to AWS CloudWatch Logs; therefore the Log Exports feature is not currently enabled.

05 Repeat steps no. 3 and 4 to check the Log Exports feature status for other Aurora Serverless clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable the Log Exports feature for your existing Amazon Aurora Serverless database clusters, perform the following instructions:

Note: Enabling the Aurora Serverless Log Exports feature using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to enable the Log Exports feature for the selected Amazon Aurora Serverless database cluster (see the Audit section to identify the right resource) by adding the --cloudwatch-logs-export-configuration parameter to the command request. This parameter specifies which log types are enabled for export to AWS CloudWatch Logs. Cloud Conformity strongly recommends that you select all the existing log types (i.e. general, slow query, audit and error) when enabling the feature. The following command example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. Any changes waiting in the pending modifications queue are also applied with this request; if any of those pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora Serverless application. If you omit the --apply-immediately parameter from the command request, Amazon Aurora will apply your changes during the next maintenance window:

aws rds modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-serverless-db \
	--cloudwatch-logs-export-configuration EnableLogTypes="audit","error","general","slowquery" \
	--apply-immediately

02 The command output should return the new configuration metadata for the modified database cluster:

{
    "DBCluster": {
        "EngineMode": "serverless",
        "Status": "available",
        "MultiAZ": false,
        "LatestRestorableTime": "2019-03-12T18:27:28.272Z",
        "PreferredBackupWindow": "05:07-05:37",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "mon:06:28-mon:06:58",
        "Engine": "aurora",
        "EarliestRestorableTime": "2019-03-12T18:21:43.446Z",
        "IAMDatabaseAuthenticationEnabled": false,
        "ClusterCreateTime": "2019-03-12T18:21:00.475Z",
        "EngineVersion": "5.6.10a",

        ...

        "EnabledCloudwatchLogsExports": [
            "audit",
            "error",
            "general",
            "slowquery"
        ],

        ...

        "DBClusterIdentifier": "cc-serverless-db",
        "DbClusterResourceId": "cluster-AAAABBBBCCCCDDDDAAAABBBBCD",
        "DBClusterMembers": [],
        "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-serverless-db",
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBClusterParameterGroup": "default.aurora5.6",
        "AvailabilityZones": [
            "us-east-1a",
            "us-east-1b",
            "us-east-1e"
        ],
        "Port": 3306
    }
}

03 Repeat steps no. 1 and 2 to enable the Log Exports feature for other Amazon Aurora Serverless database clusters available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
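The Audit steps above (filter for serverless Aurora clusters, inspect EnabledCloudwatchLogsExports) and the Remediation command can be automated over the JSON that describe-db-clusters returns. The script below is an added example, not Conformity's own tooling: it runs offline on a constructed sample shaped like that output, reports which of the four log types each serverless cluster is missing, and prints the matching modify-db-cluster command (using the same EnableLogTypes shorthand as the page). The cluster names in the sample are taken from the page; the provisioned cluster and partial export list are assumptions for illustration.

```python
import json
import sys

# Log types Aurora Serverless (MySQL-compatible) can export, as listed on this page.
REQUIRED_LOG_TYPES = ("audit", "error", "general", "slowquery")


def serverless_aurora_clusters(describe_output):
    # Same filter as the page's JMESPath query: Engine == aurora and EngineMode == serverless.
    return [c for c in describe_output.get("DBClusters", [])
            if c.get("Engine") == "aurora" and c.get("EngineMode") == "serverless"]

def missing_log_exports(cluster):
    # A missing key or an empty list (the `[]` shown in the Audit section) means nothing is exported.
    enabled = set(cluster.get("EnabledCloudwatchLogsExports") or [])
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]

def remediation_command(cluster_id, log_types, region):
    # The modify-db-cluster call from the Remediation section, listing only the missing types.
    return (f"aws rds modify-db-cluster --region {region} --db-cluster-identifier {cluster_id} "
            f"--cloudwatch-logs-export-configuration EnableLogTypes={','.join(log_types)} "
            f"--apply-immediately")

def audit(describe_output, region):
    # Map each non-compliant serverless cluster id to its missing log types and the fix command.
    findings = {}
    for cluster in serverless_aurora_clusters(describe_output):
        missing = missing_log_exports(cluster)
        if missing:
            cid = cluster["DBClusterIdentifier"]
            findings[cid] = {"missing": missing, "fix": remediation_command(cid, missing, region)}
    return findings


# Constructed sample shaped like `aws rds describe-db-clusters` output; not real account data.
SAMPLE = {"DBClusters": [
    {"DBClusterIdentifier": "cc-serverless-db", "Engine": "aurora", "EngineMode": "serverless"},
    {"DBClusterIdentifier": "cc-aurora-mysql-db", "Engine": "aurora", "EngineMode": "serverless",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
    {"DBClusterIdentifier": "cc-provisioned-db", "Engine": "aurora", "EngineMode": "provisioned",
     "EnabledCloudwatchLogsExports": []},
]}

if __name__ == "__main__":
    # Pipe real output in: aws rds describe-db-clusters --region us-east-1 --output json | python3 audit.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for cid, finding in audit(data, "us-east-1").items():
        print(f"{cid}: missing {', '.join(finding['missing'])}\n  {finding['fix']}")
```

Run it once per region, as the page's step 04 describes, by changing the --region value in the piped describe-db-clusters call and in the region argument passed to audit().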

Publication date Mar 16, 2019