Profile Applicability:
Level 1


Description:
This control ensures that Amazon Relational Database Service (RDS) instances are integrated with Amazon CloudWatch Logs to capture and monitor database logs such as error logs, slow query logs, audit logs, or general logs (depending on the database engine). This integration enables real-time visibility into database activity, improves operational monitoring, supports troubleshooting, and aids in detecting potential security or performance issues.


Rationale:
Without CloudWatch integration, database logs remain isolated within the RDS instance and require manual retrieval for analysis. Enabling CloudWatch logging ensures that logs are centralized, searchable, and can trigger alerts using CloudWatch metrics and alarms. This significantly enhances an organization’s ability to monitor database performance, detect anomalies, and respond quickly to potential security threats. It also supports compliance and audit readiness by maintaining detailed log histories.


Impact:
Positive Impact:

  • Centralized visibility of RDS logs across multiple databases and regions.

  • Enables automated monitoring, alerting, and log retention management.

  • Improves security and compliance posture with continuous auditing capabilities.

Negative Impact:

  • Additional CloudWatch cost for log storage and ingestion, depending on log volume.

Default Value:
By default, RDS instances are not integrated with CloudWatch Logs. Manual configuration is required during instance creation or modification.


Pre-Requisite:

  • IAM permissions required: rds:DescribeDBInstances, rds:ModifyDBInstance, logs:CreateLogGroup, logs:DescribeLogStreams, and logs:PutLogEvents.

  • CloudWatch Logs service should be enabled in the account.

  • For custom logs, the RDS parameter group must have the appropriate logging parameters enabled.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS → Databases.

  3. Select the desired RDS instance and go to the Logs & events tab.

  4. Verify that log exports are configured to Amazon CloudWatch Logs.

    • You should see logs such as error/mysql-error.log, slowquery/mysql-slowquery.log, or postgresql.log streaming to CloudWatch.

  5. Alternatively, go to the Configuration tab and check under Log exports.

  6. If the Log exports field is empty or no logs are being sent to CloudWatch, the instance is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Navigate to Amazon RDS → Databases.

  2. Select the RDS instance to configure.

  3. Click Modify.

  4. Scroll down to the Log exports section.

  5. Select the appropriate logs to export to CloudWatch Logs based on your database engine:

    • MySQL / MariaDB / Aurora MySQL: General logs, Slow query logs, Error logs, Audit logs.

    • PostgreSQL / Aurora PostgreSQL: PostgreSQL logs.

    • SQL Server: Error logs, Agent logs.

    • Oracle: Alert logs, Trace files, Audit logs.

  6. Click Continue → Modify DB Instance and choose to apply changes immediately or during the next maintenance window.

  7. To verify:

    • Go to CloudWatch → Logs → Log groups.

    • Confirm the creation of log groups (e.g., /aws/rds/instance-name/error, /aws/rds/instance-name/postgresql).

Backout Plan:

  1. If CloudWatch log integration increases costs or performance overhead, you can disable specific log exports:

    • Navigate to RDS → Databases → Modify Instance.

    • Deselect specific log types under Log exports.

    • Save and apply the configuration.

  2. Ensure that at least critical logs (error and audit) remain enabled for security and compliance purposes.
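The Test Plan, Implementation Plan and Backout Plan above describe console steps; the following is an added example (not part of this benchmark text and not AWS code) of the same checks expressed against the AWS API shapes, so they can be run across many instances. It assumes the field names used by the RDS DescribeDBInstances and ModifyDBInstance API (EnabledCloudwatchLogsExports, CloudwatchLogsExportConfiguration with EnableLogTypes/DisableLogTypes, ApplyImmediately). The ENGINE_LOG_TYPES table is the author's summary of the exportable log types per engine family and is an assumption; the instance records are constructed sample data so the script runs offline.

```python
"""Offline compliance check and remediation-request builder for RDS CloudWatch log exports.

Added example; not part of the benchmark text. Field names follow the AWS
DescribeDBInstances / ModifyDBInstance API shapes. Sample instances are constructed.
"""
from __future__ import annotations

# Exportable log types per engine family, using the names the RDS API expects.
# Assumption: summarised from the engines listed in the Implementation Plan; the
# authoritative list for a given engine version is ExportableLogTypes from
# DescribeDBEngineVersions.
ENGINE_LOG_TYPES: dict[str, tuple[str, ...]] = {
    "mysql": ("audit", "error", "general", "slowquery"),
    "mariadb": ("audit", "error", "general", "slowquery"),
    "aurora-mysql": ("audit", "error", "general", "slowquery"),
    "postgres": ("postgresql", "upgrade"),
    "aurora-postgresql": ("postgresql",),
    "sqlserver": ("agent", "error"),
    "oracle": ("alert", "audit", "listener", "trace"),
}

# Log types the Backout Plan says must stay enabled even when trimming exports.
CRITICAL_LOG_TYPES = ("error", "audit")


def engine_family(engine: str) -> str:
    """Map an RDS engine string (e.g. 'sqlserver-se', 'oracle-ee') to a family key."""
    for family in ENGINE_LOG_TYPES:
        if engine == family or engine.startswith(family + "-"):
            return family
    raise ValueError(f"unsupported engine: {engine}")


def evaluate(instance: dict) -> dict:
    """Apply the Test Plan rule to one DescribeDBInstances record.

    Non-compliant when no log exports are configured at all; the finding also
    lists which exportable log types (and which critical ones) are still missing.
    """
    family = engine_family(instance["Engine"])
    # The key is absent from the API response when nothing is exported.
    enabled = set(instance.get("EnabledCloudwatchLogsExports", []))
    available = ENGINE_LOG_TYPES[family]
    missing = [t for t in available if t not in enabled]
    missing_critical = [t for t in CRITICAL_LOG_TYPES if t in available and t not in enabled]
    return {
        "DBInstanceIdentifier": instance["DBInstanceIdentifier"],
        "engine_family": family,
        "compliant": bool(enabled),
        "missing_log_types": missing,
        "missing_critical": missing_critical,
    }


def enable_request(instance: dict, apply_immediately: bool = False) -> dict:
    """Build ModifyDBInstance kwargs that enable every missing log type (Implementation Plan)."""
    finding = evaluate(instance)
    return {
        "DBInstanceIdentifier": instance["DBInstanceIdentifier"],
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": finding["missing_log_types"]},
        "ApplyImmediately": apply_immediately,
    }


def backout_request(instance: dict, keep: tuple[str, ...] = CRITICAL_LOG_TYPES) -> dict:
    """Build ModifyDBInstance kwargs that disable exports except the critical ones (Backout Plan)."""
    enabled = instance.get("EnabledCloudwatchLogsExports", [])
    disable = [t for t in enabled if t not in keep]
    return {
        "DBInstanceIdentifier": instance["DBInstanceIdentifier"],
        "CloudwatchLogsExportConfiguration": {"DisableLogTypes": disable},
        "ApplyImmediately": True,
    }


# Constructed sample records shaped like DescribeDBInstances output.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "prod-mysql-01", "Engine": "mysql"},  # nothing exported
    {"DBInstanceIdentifier": "prod-pg-01", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql"]},
    {"DBInstanceIdentifier": "prod-mssql-01", "Engine": "sqlserver-se",
     "EnabledCloudwatchLogsExports": ["agent"]},
]


def audit(instances: list[dict] = SAMPLE_INSTANCES) -> list[dict]:
    """Evaluate every instance record and return one finding per instance."""
    return [evaluate(i) for i in instances]


if __name__ == "__main__":
    for f in audit():
        status = "COMPLIANT" if f["compliant"] else "NON-COMPLIANT"
        print(f"{f['DBInstanceIdentifier']:<16} {status:<14} missing={f['missing_log_types']}")
```

To run this against a live account, pass `boto3.client("rds").describe_db_instances()["DBInstances"]` to `audit()` and hand the dictionary from `enable_request()` or `backout_request()` to `modify_db_instance(**request)`; the IAM actions listed under Pre-Requisite are what those two calls need. Note that enabling a log type here only exports what the engine writes: as the Pre-Requisite section states, slow query, general and audit logs still require the matching parameter group or option group settings before the CloudWatch stream carries any data.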

References: