Description:

 Amazon RDS is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon RDS.

CloudWatch Logs lets you monitor, store, and access your database log files in one place, alongside the logs from the rest of your systems. Because the copies in CloudWatch Logs live outside the DB instance, they survive instance deletion and can be searched, alarmed on, and forwarded to a SIEM.


Rationale:

It is recommended that every RDS DB instance publishes its database logs to CloudWatch Logs. Without this integration the logs exist only on the instance, where they are rotated and lost, so a potential leak or misuse of sensitive data and other security threats cannot be reconstructed after the fact.


Impact:

Integrating RDS instances with CloudWatch Logs gives you a durable, central copy of the database logs for troubleshooting, auditing, and log analysis. Publishing logs adds CloudWatch Logs ingestion and storage charges, and the general log on a busy MySQL or MariaDB instance can be large, so set a retention policy and consider which log types you really need.


Default Value:

  • By default there are no log groups in CloudWatch Logs; a log group is created automatically the first time a service publishes to it, subject to the per-Region account quota on log groups. 

  • By default, log events are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention or choosing a retention period between one day and 10 years.

  • By default, a DB instance publishes no log types to CloudWatch Logs. 


Audit:

Step 1: Log in to AWS Management Console  

Step 2: Go to RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation pane, click on Databases

Step 4: Click on the DB instance that you want to examine

Step 5: Click on Modify button

Step 6: Scroll down to the Log exports panel and check which log types are selected. For MySQL and MariaDB these are Audit log, Error log, General log, and Slow query log; other engines offer different types (for example PostgreSQL log and Upgrade log for PostgreSQL). If none of the checkboxes is selected, the DB instance is not publishing any logs to CloudWatch Logs. The same information is shown as "Published logs" on the instance's Configuration tab, which avoids opening the Modify page.



Via CLI Command:

Use the following command to list the log types that a DB instance currently publishes to CloudWatch Logs. An empty list (or a missing EnabledCloudwatchLogsExports field) means the instance is not integrated:

aws rds describe-db-instances --db-instance-identifier <my_db_instance> \
--query 'DBInstances[*].[DBInstanceIdentifier,Engine,EnabledCloudwatchLogsExports]' --output json


Remediation:

Pre-Requisite:

  1. Before following the implementation steps below, create a DB instance in Amazon RDS. If you need help creating one, see Creating an Amazon RDS DB instance - Amazon Relational Database Service. 

  2. Take a snapshot of the RDS DB instance before any modification so that you have a backup in case of a problem.

  3. Before enabling log data publishing, make sure that the RDS service-linked role (AWSServiceRoleForRDS) exists in AWS IAM; it is normally created automatically when the first DB instance is created, and RDS uses it to write to CloudWatch Logs. The IAM principal performing the change needs rds:ModifyDBInstance.


Implementation Steps:

Step 1: Log in to AWS Management Console 

Step 2: Go to RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation pane, click on Databases

Step 4: Select the DB instance that you want to modify 

Step 5: Click on Modify button

Step 6: Scroll down to the Log exports section and select the log types to publish to CloudWatch Logs. For MySQL and MariaDB select at least Error log, General log, and Slow query log; Audit log additionally requires the MariaDB Audit Plugin to be enabled through an option group. Other engines list their own log types.

Step 7: Click on the Continue  

Step 8: In the Scheduling of modifications section, perform one of the following actions based on your requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.

  2. Select Apply immediately to apply the changes right away.

  Click on Modify DB Instance

Step 9: Go to cloudwatch console

Step 10: Click on Log groups   in the left navigation pane

Step 11: Confirm that a log group has been created for each selected log type, named /aws/rds/instance/<db-instance-identifier>/<log-type> (for example /aws/rds/instance/mydb/error). Log groups appear only after the instance has written its first log event of that type.


Via CLI commands:

Use the following command to publish logs from a DB instance to CloudWatch Logs. The log types must match the engine; the example below is for MySQL or MariaDB (add "audit" only if the MariaDB Audit Plugin option group is attached). The change is applied in the next maintenance window unless --apply-immediately is given:

aws rds modify-db-instance --db-instance-identifier <name_instance_identifier> \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery"]}' \
--apply-immediately
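The audit and remediation commands above are per-instance and engine-specific, so a practitioner usually scripts them. The following added example (not code from the page or from AWS) parses the JSON shape returned by describe-db-instances, reports which exportable log types each instance is missing for its engine, and builds the exact modify-db-instance command for the non-compliant ones. The response is a constructed sample so the script runs offline; against a real account the same dictionary is returned by boto3.client("rds").describe_db_instances(). The engine-to-log-type map covers the families documented for RDS; the instance names are made up.

```python
"""Audit RDS CloudWatch Logs exports and build remediation commands.

Added example, not the page's or AWS's own code. Works on a constructed
describe-db-instances response so it runs offline; the same dict shape comes
from boto3.client("rds").describe_db_instances() in a real account.
"""
import json
import shlex

# Log types each engine family can publish to CloudWatch Logs.
# MySQL/MariaDB "audit" is left out of the baseline because enabling it also
# needs the MariaDB Audit Plugin option group attached to the instance.
EXPORTABLE_LOG_TYPES = {
    "mysql": ["error", "general", "slowquery"],
    "mariadb": ["error", "general", "slowquery"],
    "postgres": ["postgresql", "upgrade"],
    "oracle": ["alert", "audit", "listener", "trace"],
    "sqlserver": ["error", "agent"],
}


def engine_family(engine: str) -> str:
    """Map an Engine value such as 'oracle-ee' or 'sqlserver-web' to its family key."""
    for family in EXPORTABLE_LOG_TYPES:
        if engine.startswith(family):
            return family
    raise ValueError(f"unsupported engine: {engine}")


def missing_log_types(instance: dict) -> list:
    """Return the exportable log types this instance is NOT publishing, in engine order."""
    expected = EXPORTABLE_LOG_TYPES[engine_family(instance["Engine"])]
    enabled = set(instance.get("EnabledCloudwatchLogsExports", []))  # absent when nothing is exported
    return [t for t in expected if t not in enabled]


def audit(response: dict) -> dict:
    """Map each DB instance identifier to its missing log types; [] means compliant."""
    return {db["DBInstanceIdentifier"]: missing_log_types(db)
            for db in response["DBInstances"]}


def remediation_command(instance: dict, apply_immediately: bool = False) -> str:
    """Build the aws rds modify-db-instance command enabling the missing types.

    Returns "" for a compliant instance. Arguments are shell-quoted so the
    JSON configuration survives copy-and-paste into a shell."""
    missing = missing_log_types(instance)
    if not missing:
        return ""
    config = json.dumps({"EnableLogTypes": missing}, separators=(",", ":"))
    cmd = ["aws", "rds", "modify-db-instance",
           "--db-instance-identifier", instance["DBInstanceIdentifier"],
           "--cloudwatch-logs-export-configuration", config]
    if apply_immediately:
        cmd.append("--apply-immediately")
    return " ".join(shlex.quote(part) for part in cmd)


# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "EnabledCloudwatchLogsExports": ["error"]},
        {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
         "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
        {"DBInstanceIdentifier": "legacy-ora", "Engine": "oracle-ee"},
    ]
}

if __name__ == "__main__":
    for ident, missing in audit(SAMPLE_RESPONSE).items():
        print(f"{ident}: {'OK' if not missing else 'MISSING ' + ','.join(missing)}")
    for db in SAMPLE_RESPONSE["DBInstances"]:
        cmd = remediation_command(db, apply_immediately=True)
        if cmd:
            print(cmd)
```

Review the generated commands before running them: --apply-immediately triggers the change outside the maintenance window, and enabling the general log on a busy MySQL instance raises CloudWatch Logs ingestion costs noticeably.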


Backout Plan:

To disable the integration, clear the selected log types under Log exports so the instance stops publishing, then optionally delete the log groups in CloudWatch Logs. Deleting a log group permanently removes the log data it holds; if that history may still be needed for an investigation, leave the log group in place and only stop publishing.

Step 1: Log in to AWS Management Console 

Step 2: Go to RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation pane, click on Databases

Step 4: Select the DB instance that you want to modify 

Step 5: Click on Modify button

Step 6: Scroll down to the Log exports section, clear all the selected log types, click Continue, and then Modify DB Instance

Step 7: Go to cloudwatch console

Step 8: Click on Log groups   in the left navigation pane

Step 9: Select the log group created by RDS (named /aws/rds/instance/<db-instance-identifier>/<log-type>), click on Actions, and select Delete


References:

  1. What is Amazon CloudWatch Logs? - Amazon CloudWatch Logs 

  2. Overview of monitoring Amazon RDS - Amazon Relational Database Service 

  3. Working with Amazon RDS database log files - Amazon Relational Database Service 

  4. describe-db-instances — AWS CLI 2.2.19 Command Reference 

  5. https://aws.amazon.com/premiumsupport/knowledge-center/advanced-audit-rds-mysql-cloudwatch/