
Aurora Database Cluster Activity Streams

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Aurora database activity is monitored with the Database Activity Streams feature. Database Activity Streams provide a near real-time stream of the activity in your Amazon Aurora relational database which is extremely helpful for monitoring and auditing purposes. To enable the feature, you can start an activity stream at the Aurora cluster level to monitor database activity for all database instances within the cluster. Once started, the activity stream is pushed from Aurora to an Amazon Kinesis data stream that is created on behalf of your Aurora database cluster. From Kinesis, AWS cloud services such as Amazon Kinesis Data Firehose and Amazon Lambda can consume the activity stream.

Security

Monitoring your Amazon Aurora database activity can help you provide safeguards for your databases and help to meet compliance and regulatory requirements. Beyond external security threats, Aurora managed databases need to protect against insider risks from database administrators (DBAs). Database Activity Streams can help you protect your Amazon Aurora databases from internal threats by controlling DBA access to the activity streams. Therefore, the collection, transmission, storage, and subsequent processing of the activity streams is beyond the access of the DBAs that manage the database.


Audit

To determine if your Amazon Aurora database clusters are configured to use database activity streams, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Click on the name (link) of the Aurora database cluster that you want to examine. To identify Aurora database clusters, check the database engine type available in the Engine column (i.e. Aurora MySQL or Aurora PostgreSQL).

05 Select the Configuration tab and check the Database activity stream configuration status. If the Database activity stream status is set to Stopped, the selected Amazon Aurora database cluster is not configured to use a database activity stream for real-time monitoring.

06 Repeat steps no. 4 and 5 for each Amazon Aurora database cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all the Aurora database clusters available in the selected AWS region:

aws rds describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'

02 The command output should return a table with the requested Aurora clusters:

--------------------------------
|      DescribeDBClusters      |
+------------------------------+
|  cc-aurora-postgres-cluster  |
|  cc-aurora-mysql-cluster     |
+------------------------------+

03 Execute describe-db-clusters command (OSX/Linux/UNIX) using the name of the Aurora database cluster that you want to examine as the identifier parameter and custom query filters to describe the Database Activity Stream feature status available for the selected database cluster:

aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-aurora-postgres-cluster \
  --query 'DBClusters[*].ActivityStreamStatus'

04 The command output should return the operational status of the requested feature:

[
	"stopped"
]

If the describe-db-clusters command output returns "stopped", as shown in the output example above, the selected Amazon Aurora database cluster is not configured to use a database activity stream for real-time monitoring.

05 Repeat steps no. 3 and 4 for each Amazon Aurora database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
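The same check, scripted. This is an added example and not Conformity's own rule code: it calls DescribeDBClusters through boto3 (the API behind the describe-db-clusters command above), keeps only Aurora MySQL and Aurora PostgreSQL clusters, and reports any cluster whose ActivityStreamStatus is not "started" (so "starting", "stopping" and "stopped" all count as unmonitored). The cluster names and the _FakeRdsClient stand-in are constructed so the script runs offline; audit_region() is the live path and needs AWS credentials.

```python
"""Added example: audit one region's Aurora clusters for Database Activity Streams.

Not Conformity's code. Mirrors the CLI audit with boto3 and runs offline
against the constructed _FakeRdsClient defined at the bottom.
"""
from typing import Iterable

AURORA_ENGINES = {"aurora-mysql", "aurora-postgresql"}
STREAM_ACTIVE = "started"  # the only ActivityStreamStatus that delivers records


def is_aurora(cluster: dict) -> bool:
    """DescribeDBClusters also returns DocumentDB/Neptune clusters; keep Aurora only."""
    return cluster.get("Engine") in AURORA_ENGINES


def activity_stream_enabled(cluster: dict) -> bool:
    """"starting", "stopping", "stopped" or a missing field all mean not monitored."""
    return cluster.get("ActivityStreamStatus") == STREAM_ACTIVE


def list_aurora_clusters(rds_client) -> list:
    """Enumerate through the paginator so accounts with many clusters are fully covered."""
    paginator = rds_client.get_paginator("describe_db_clusters")
    clusters = []
    for page in paginator.paginate():
        clusters.extend(c for c in page["DBClusters"] if is_aurora(c))
    return clusters


def audit_clusters(clusters: Iterable[dict]) -> dict:
    """Split clusters into compliant / non_compliant findings."""
    findings = {"compliant": [], "non_compliant": []}
    for c in clusters:
        bucket = "compliant" if activity_stream_enabled(c) else "non_compliant"
        findings[bucket].append({
            "id": c["DBClusterIdentifier"],
            "engine": c["Engine"],
            "status": c.get("ActivityStreamStatus", "stopped"),
        })
    return findings


def audit_region(region: str) -> dict:
    """Live audit of one region (needs AWS credentials; not used by the offline demo)."""
    import boto3  # imported lazily so the offline demo needs no AWS SDK installed
    return audit_clusters(list_aurora_clusters(boto3.client("rds", region_name=region)))


# Constructed sample: two pages of describe-db-clusters output, trimmed to the
# fields this check reads. Identifiers are invented for the demo.
SAMPLE_PAGES = [
    {"DBClusters": [
        {"DBClusterIdentifier": "cc-aurora-postgres-cluster", "Engine": "aurora-postgresql",
         "ActivityStreamStatus": "stopped"},
        {"DBClusterIdentifier": "cc-aurora-mysql-cluster", "Engine": "aurora-mysql",
         "ActivityStreamStatus": "started"},
    ]},
    {"DBClusters": [
        {"DBClusterIdentifier": "docdb-cluster", "Engine": "docdb",
         "ActivityStreamStatus": "stopped"},
        {"DBClusterIdentifier": "cc-aurora-starting", "Engine": "aurora-mysql",
         "ActivityStreamStatus": "starting"},
    ]},
]


class _FakePaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **kwargs):
        return iter(self._pages)


class _FakeRdsClient:
    """Offline stand-in for boto3's RDS client, serving SAMPLE_PAGES."""
    def __init__(self, pages=SAMPLE_PAGES):
        self._pages = pages

    def get_paginator(self, name):
        assert name == "describe_db_clusters"
        return _FakePaginator(self._pages)


def demo() -> dict:
    """Run the audit against the constructed sample."""
    return audit_clusters(list_aurora_clusters(_FakeRdsClient()))


if __name__ == "__main__":
    for f in demo()["non_compliant"]:
        print(f"NON-COMPLIANT {f['id']} ({f['engine']}): activity stream {f['status']}")
```

Loop audit_region() over the regions you use (the page's step 06) to get the cross-region view the console walkthrough asks for. Treating "starting" as non-compliant is deliberate: until the status reaches "started" no records are being delivered to Kinesis.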

Remediation / Resolution

To configure your Amazon Aurora database clusters to start activity streams for all database clusters, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
	is_enabled  = true
	key_usage   = "ENCRYPT_DECRYPT"
	description = "Amazon KMS Customer Managed Key"
}

resource "aws_rds_cluster" "rds-cluster" {
	cluster_identifier = "cc-aurora-db-cluster"
	engine             = "aurora-mysql"
	engine_version     = "5.7.mysql_aurora.2.10.5"
	availability_zones = ["us-east-1a", "us-east-1b"]
	database_name      = "[db-name]"
	master_username    = "[db-user]"
	master_password    = "[db-password]"
}

resource "aws_rds_cluster_instance" "rds-cluster-nodes" {
	count              = 2
	identifier         = "cc-aurora-db-cluster-${count.index}"
	cluster_identifier = aws_rds_cluster.rds-cluster.id
	engine             = aws_rds_cluster.rds-cluster.engine
	engine_version     = aws_rds_cluster.rds-cluster.engine_version
	instance_class     = "db.m5d.large"
}

# Enable Aurora Database Cluster Activity Streams.
# kms_key_id must reference the key resource (a quoted string would be passed
# literally), and the stream can only start once the cluster has an instance.
resource "aws_rds_cluster_activity_stream" "rds-db-activity-stream" {
	resource_arn = aws_rds_cluster.rds-cluster.arn
	mode         = "async"
	kms_key_id   = aws_kms_key.kms-key.arn
	depends_on   = [aws_rds_cluster_instance.rds-cluster-nodes]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Before you can configure a database activity stream, you must create an Amazon KMS Customer Master Key (CMK) that will be used to encrypt the key that in turn encrypts the database activity logged. To create the necessary customer-managed Customer Master Key (CMK), navigate to the Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the navigation panel, under Key Management Service (KMS), choose Customer managed keys.

04 Select the appropriate AWS region from the navigation bar (must match the region where your Aurora database cluster was created).

05 Choose Create Key from the console top menu to initiate the setup process.

06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available in the Advanced options section. Choose Next to continue.

07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new CMK, then use the Add tag button to create any required tag sets (optional). Choose Next to continue the setup process.

08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the Amazon KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console. Choose Next to continue.

09 For Step 4 Define key usage permissions, within the This account section, select which IAM users and/or roles can use the new Customer Master Key (CMK) for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external account ID in order to specify another AWS account that can use this CMK to encrypt and decrypt your data. The owners of the external AWS accounts must also provide access to the new CMK by creating appropriate policies for their IAM users. Choose Next to continue the setup process.

10 For Step 5 Review, review the key policy, then choose Finish to create your new customer-managed Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

11 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

12 In the navigation panel, under Amazon RDS, choose Databases.

13 Select the Aurora database cluster that you want to reconfigure, choose Actions, and select Start database activity stream.

14 On the Database Activity Stream setup page, perform the following actions:

  1. Select the newly created Customer Master Key (CMK) from the Master key dropdown list.
  2. For Database activity stream mode, choose Asynchronous or Synchronous depending on your preferences. Asynchronous mode favors database performance over the accuracy of the activity stream, whereas the synchronous mode favors the accuracy of the activity stream over database performance.
  3. For Apply immediately, select whether to apply the changes immediately (asynchronously and as soon as possible) or apply them during the next scheduled maintenance window.
  4. Choose Continue to start a database activity stream for the selected Amazon Aurora cluster. The feature will start streaming now all the database activity to a Kinesis Data Stream (that is automatically created for you) for advanced monitoring and security. From Amazon Kinesis, you can monitor your Aurora database activity in real time. The activity stream's name in Kinesis includes the prefix aws-rds-das- followed by the database cluster's resource ID.

15 Repeat steps no. 13 and 14 to configure database activity streams for other Aurora database clusters available within the current AWS region.

16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Before you can configure a database activity stream, you must create a customer-managed KMS Customer Master Key (CMK) that will be used to encrypt the key that in turn encrypts the logged database activity. Create a new policy document (JSON format), name the file activity-stream-cmk-policy.json, and paste the following content (replace the example details, i.e. the account ID and the ARNs for the IAM users and/or roles, with your own cloud environment details):

{
	"Id": "aurora-activity-stream-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:role/AmazonRDSManager"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:role/AmazonRDSAdmin"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::123456789012:role/AmazonRDSAdmin"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. activity-stream-cmk-policy.json) as value for the --policy command parameter, to create your new customer-managed Customer Master Key (CMK):

aws kms create-key \
  --region us-east-1 \
  --description 'Amazon KMS CMK for Aurora Activity Stream' \
  --policy file://activity-stream-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/ActivityStreamCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

05 Run describe-db-clusters command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Resource Name (ARN) of the Aurora database cluster that you want to reconfigure:

aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-aurora-postgres-cluster \
  --query 'DBClusters[*].DBClusterArn'

06 The command output should return the requested Amazon Resource Name (ARN):

[
	"arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster"
]

07 Run start-activity-stream command (OSX/Linux/UNIX) to start a database activity stream that monitors the activity on the selected Amazon Aurora database cluster. The following command request example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora database application. If you skip adding the --apply-immediately parameter to the command request, Amazon Aurora will apply your changes during the next maintenance window:

aws rds start-activity-stream \
  --region us-east-1 \
  --resource-arn arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster \
  --mode async \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd \
  --apply-immediately

08 The command output should return the configuration metadata available for the enabled database activity stream. The feature will now start streaming all the database activity to a Kinesis Data Stream for monitoring and security. From Amazon Kinesis, you can monitor your Aurora database activity in real time. The activity stream's name in Kinesis includes the prefix aws-rds-das- followed by the database cluster's resource ID:

{
	"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
	"KinesisStreamName": "aws-rds-das-cluster-ABCDABCDABCDABCDABCDABCD",
	"Status": "starting",
	"Mode": "async",
	"ApplyImmediately": true
}

09 Repeat steps no. 5 – 8 to configure database activity streams for other Aurora database clusters available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
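Steps 05 to 09 as one script. This is an added example, not Conformity's own remediation code: it finds every Aurora cluster whose activity stream is "stopped", refuses a KMS key that lives in a different region than the cluster (the same-region requirement from the console steps), and then calls StartActivityStream (boto3's start_activity_stream, the API behind the start-activity-stream command above). It defaults to async mode and to not applying immediately, which is the safer choice when other modifications may be pending. The cluster inventory and the _FakeRdsClient that records the calls are constructed so it runs offline; the key ARN is the page's own sample value.

```python
"""Added example: start Database Activity Streams on every Aurora cluster that
lacks one. Not Conformity's code. Runs offline against _FakeRdsClient below."""

AURORA_ENGINES = {"aurora-mysql", "aurora-postgresql"}


def arn_region(arn: str) -> str:
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def clusters_needing_stream(rds_client) -> list:
    """Aurora clusters whose stream is stopped; starting/started/stopping are left alone."""
    found = []
    for page in rds_client.get_paginator("describe_db_clusters").paginate():
        for c in page["DBClusters"]:
            if c.get("Engine") in AURORA_ENGINES and \
                    c.get("ActivityStreamStatus", "stopped") == "stopped":
                found.append(c)
    return found


def start_streams(rds_client, kms_key_arn: str, mode: str = "async",
                  apply_immediately: bool = False) -> list:
    """Start a stream per cluster that needs one; returns one result dict per cluster.

    mode: "async" favours database performance, "sync" favours stream completeness.
    apply_immediately=False defers the change to the maintenance window, so pending
    modifications that need downtime are not pulled in by surprise.
    A key from another region is rejected up front so one bad key fails fast
    instead of producing an API error for every cluster.
    """
    if mode not in ("async", "sync"):
        raise ValueError("mode must be 'async' or 'sync'")
    results = []
    for c in clusters_needing_stream(rds_client):
        arn = c["DBClusterArn"]
        if arn_region(arn) != arn_region(kms_key_arn):
            results.append({"cluster": arn, "error": "KMS key is in a different region"})
            continue
        resp = rds_client.start_activity_stream(
            ResourceArn=arn, Mode=mode, KmsKeyId=kms_key_arn,
            ApplyImmediately=apply_immediately)
        results.append({"cluster": arn, "status": resp["Status"],
                        "kinesis_stream": resp["KinesisStreamName"]})
    return results


# Constructed sample account: one cluster still stopped, one already started.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "cc-aurora-postgres-cluster", "Engine": "aurora-postgresql",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster",
     "ActivityStreamStatus": "stopped"},
    {"DBClusterIdentifier": "cc-aurora-mysql-cluster", "Engine": "aurora-mysql",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-mysql-cluster",
     "ActivityStreamStatus": "started"},
]
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"


class _FakePaginator:
    def __init__(self, clusters):
        self._clusters = clusters

    def paginate(self, **kwargs):
        return iter([{"DBClusters": self._clusters}])


class _FakeRdsClient:
    """Offline stand-in for boto3's RDS client that records StartActivityStream calls."""
    def __init__(self, clusters):
        self._clusters = clusters
        self.calls = []

    def get_paginator(self, name):
        assert name == "describe_db_clusters"
        return _FakePaginator(self._clusters)

    def start_activity_stream(self, **params):
        self.calls.append(params)
        # Shape of the real response, with a constructed Kinesis stream name.
        return {"KmsKeyId": params["KmsKeyId"],
                "KinesisStreamName": "aws-rds-das-cluster-ABCDABCDABCDABCDABCDABCD",
                "Status": "starting", "Mode": params["Mode"],
                "ApplyImmediately": params["ApplyImmediately"]}


def demo(kms_key_arn: str = SAMPLE_KEY_ARN) -> tuple:
    """Run the remediation against the constructed sample; returns (results, API calls)."""
    client = _FakeRdsClient(SAMPLE_CLUSTERS)
    return start_streams(client, kms_key_arn), client.calls


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

For a live run, replace _FakeRdsClient with boto3.client("rds", region_name=...) and pass the key ARN returned by create-key; the --apply-immediately behaviour from step 07 corresponds to apply_immediately=True.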


Publication date Oct 19, 2023