Description:

Amazon RDS is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon RDS.

CloudWatch Logs lets you monitor, store, and access your database log files, and it centralizes the logs from all of your systems so that they can be searched, retained, and alerted on in one place.


Rationale:

It is recommended that every RDS DB instance publishes its database logs (error, general, slow query, and, where available, audit logs) to CloudWatch Logs so that a potential leak or misuse of sensitive data and other security threats can be identified from the logs, even after the instance itself is gone.


Impact:

RDS instances that publish their logs to CloudWatch Logs provide the capability to troubleshoot, audit, and perform log analysis, and the log data survives an instance deletion or restore. Published logs incur CloudWatch Logs ingestion and storage charges, and the general log on MySQL and MariaDB records every statement, so enable it only where that volume is acceptable.


Default Value:

  • By default there are no log groups in CloudWatch Logs; RDS creates one per published log type the first time it publishes data. The number of log groups per account per Region is limited by a CloudWatch Logs service quota.

  • By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping indefinite retention or choosing a retention period between one day and 10 years.

  • By default, a DB instance publishes no log types to CloudWatch Logs (the Log exports setting is empty).


Remediation:


pre-requisite:

  1. Before following the implementation steps below, create a DB instance in Amazon RDS.

  2. Take a snapshot of the RDS DB instance before any modification, as a backup in case of a disaster.

  3. Before enabling log data publishing, make sure that the RDS service-linked role (AWSServiceRoleForRDS) exists in AWS IAM; RDS normally creates it the first time a DB instance is created in the account.



Test Plan:


Step 1: Log in to AWS Management Console  

Step 2: Go to the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation pane, click on Databases

Step 4: Click on the DB instance that you want to examine

Step 5: Click on Modify button

Step 6: Scroll down to the Log exports panel and check which log types are selected. The available types depend on the engine (for MySQL and MariaDB: Audit log, Error log, General log, Slow query log; for PostgreSQL: PostgreSQL log, Upgrade log). If none of the checkboxes is checked, the DB instance is not publishing any logs to CloudWatch Logs.



Using AWS CLI:

Use the following command to list the log types a DB instance currently publishes to CloudWatch Logs. The EnabledCloudwatchLogsExports field is absent (or empty) when nothing is published:

aws rds describe-db-instances --db-instance-identifier <my_db_instance> \
--query 'DBInstances[0].EnabledCloudwatchLogsExports'



Test Plan (Configuration tab):

Step 1: Log in to AWS Management Console with the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 2: In the left navigation pane, click on Databases.

Step 3: Click on the DB instance that you want to examine.



Step 4: Click on the Configuration tab.



Step 5: Scroll down to Published logs and check the log types listed there. If Error log, General log, and Slow query log (or the equivalent types for the engine) are listed, the DB instance is publishing its logs to CloudWatch Logs; if the field is empty, it is not.


OR

Step 1: Open the CloudWatch console at https://us-east-1.console.aws.amazon.com/cloudwatch and select the Region of the DB instance.

Step 2: Click on Log groups.

Step 3: Confirm that a log group named /aws/rds/instance/<DB instance identifier>/<log type> exists for each log type the DB instance is expected to publish.

Implementation Steps:

Step 1: Log in to AWS Management Console with the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 2: In the left navigation pane, click on Databases

Step 3: Select the DB instance that you want to modify 

Step 4: Click on Modify button


Step 5: Scroll down to the Log exports section and check the Error log, General log, and Slow query log checkboxes (or the equivalent types offered for the engine) to publish those logs to CloudWatch Logs. The Audit log checkbox for MySQL and MariaDB only produces data if the DB instance uses an option group with the MARIADB_AUDIT_PLUGIN option.

Step 6: Click on the Continue.


Step 7: In the Scheduling of modifications section, perform one of the following actions based on your requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.

  2. Select Apply immediately to apply the changes right away.



Click on Modify DB Instance

Step 8: Go to the CloudWatch console at https://us-east-1.console.aws.amazon.com/cloudwatch (same Region as the DB instance).

Step 9: Go to Logs.


Step 10: Click on Log groups in the left navigation pane.


Step 11: In the Log groups list, confirm that RDS has created a log group /aws/rds/instance/<DB instance identifier>/<log type> for each log type you enabled. The log groups appear once the first log data is published, which may take a few minutes.





Using AWS CLI:

Use the following command to publish the error, general, and slow query logs of a MySQL or MariaDB DB instance to CloudWatch Logs. The log type names are engine specific (for PostgreSQL use postgresql and upgrade); --apply-immediately applies the change now instead of in the next maintenance window:

aws rds modify-db-instance --db-instance-identifier <name_instance_identifier> \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery"]}' \
--apply-immediately

To publish the audit log as well, the DB instance must use an option group with the MARIADB_AUDIT_PLUGIN option (see reference 5); then enable the audit type:

aws rds modify-db-instance --db-instance-identifier <name_instance_identifier> \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
--apply-immediately


Backout Plan:

To disable CloudWatch Logs publishing, uncheck the log types under Log exports. This only stops RDS from publishing new log data; the log groups and the data already in CloudWatch Logs remain until you delete them. Delete the log groups only if the retained logs are not needed for an investigation or for compliance, because deleting them destroys the audit trail.

Step 1: Log in to AWS Management Console 

Step 2: Go to the RDS dashboard at https://console.aws.amazon.com/rds/.

Step 3: In the left navigation pane, click on Databases

Step 4: Select the DB instance that you want to modify 

Step 5: Click on Modify button

Step 6: Scroll down and go to the Log exports section and uncheck all the checkBoxes

Step 7: Go to the cloud watch console

Step 8: Click on Log groups   in the left navigation pane

Step 9: Select the log group created by RDS, click on Actions, and select Delete


Using AWS CLI:

Use the following command to stop publishing the listed log types. DisableLogTypes takes the same engine-specific names as EnableLogTypes, and a log type cannot appear in both lists of the same call:

aws rds modify-db-instance --db-instance-identifier <name_instance_identifier> \
--cloudwatch-logs-export-configuration '{"DisableLogTypes":["error","general","slowquery"]}' \
--apply-immediately

The log groups in CloudWatch Logs are not removed by this command; delete them separately with aws logs delete-log-group --log-group-name <log_group_name> if they are no longer needed.
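The Test Plan, Implementation Steps, and Backout Plan above each end in a hand-typed CLI call. The following added example (not part of the original page and not AWS code) does the same work over the JSON that aws rds describe-db-instances prints: it reports which required log types each DB instance is missing, builds the modify-db-instance call that enables (or, for backout, disables) them, and builds the put-retention-policy call for the log groups RDS will create, since those groups keep data indefinitely by default. The sample describe-db-instances response is constructed for the example, and the choice of which log types count as "required" per engine is a policy assumption, not an RDS default. Saved live output (aws rds describe-db-instances > rds.json) can be fed to the same functions.

```python
"""Audit and remediation helper for RDS log publishing to CloudWatch Logs.

Added example, not part of the original page and not AWS code.  It works on
the JSON that `aws rds describe-db-instances` prints, so it runs offline on
the constructed sample below and, unchanged, on a saved live response.
"""
import json
import shlex

# Log types a compliant instance must publish.  The type names are the ones
# RDS accepts in EnableLogTypes for each engine; treating exactly these as
# required is a policy assumption of this example, not an RDS default.
REQUIRED_LOG_TYPES = {
    "mysql": ["error", "general", "slowquery"],
    "mariadb": ["error", "general", "slowquery"],
    "postgres": ["postgresql", "upgrade"],
}

# Constructed sample response (not real account data): a MySQL instance that
# publishes only its error log and a PostgreSQL instance that publishes
# nothing, in which case the EnabledCloudwatchLogsExports field is absent.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "Engine": "mysql",
         "EnabledCloudwatchLogsExports": ["error"]},
        {"DBInstanceIdentifier": "reports-db", "Engine": "postgres"},
    ]
})


def audit_log_exports(describe_json, required=REQUIRED_LOG_TYPES):
    """Map each DB instance identifier to the required log types it does not
    publish (an empty list means compliant).  Engines with no policy entry map
    to None so they show up as not assessed rather than as passing."""
    findings = {}
    for db in json.loads(describe_json)["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        policy = required.get(db["Engine"])
        if policy is None:
            findings[name] = None
            continue
        enabled = set(db.get("EnabledCloudwatchLogsExports", []))
        findings[name] = [t for t in policy if t not in enabled]
    return findings


def modify_command(instance_id, enable=(), disable=(), apply_immediately=True):
    """Return the `aws rds modify-db-instance` invocation, as one shell-quoted
    string, that enables and/or disables the given log types.  A log type may
    appear in only one of the two lists of a single call."""
    if set(enable) & set(disable):
        raise ValueError("a log type cannot be both enabled and disabled")
    config = {}
    if enable:
        config["EnableLogTypes"] = list(enable)
    if disable:
        config["DisableLogTypes"] = list(disable)
    if not config:
        raise ValueError("no log types to enable or disable")
    argv = ["aws", "rds", "modify-db-instance",
            "--db-instance-identifier", instance_id,
            "--cloudwatch-logs-export-configuration", json.dumps(config),
            "--apply-immediately" if apply_immediately else "--no-apply-immediately"]
    return shlex.join(argv)


def expected_log_groups(instance_id, log_types):
    """Names of the log groups RDS creates for a DB instance's published logs:
    /aws/rds/instance/<DBInstanceIdentifier>/<log type>."""
    return [f"/aws/rds/instance/{instance_id}/{t}" for t in log_types]


def retention_command(log_group, days=365):
    """New log groups keep data indefinitely, so pair each export with a
    retention policy; `days` must be a value CloudWatch Logs accepts."""
    return shlex.join(["aws", "logs", "put-retention-policy",
                       "--log-group-name", log_group,
                       "--retention-in-days", str(days)])


if __name__ == "__main__":
    for name, missing in audit_log_exports(SAMPLE_DESCRIBE_OUTPUT).items():
        if missing is None:
            print(f"{name}: engine not assessed")
        elif not missing:
            print(f"{name}: compliant")
        else:
            print(f"{name}: missing {missing}")
            print("  ", modify_command(name, enable=missing))
            for group in expected_log_groups(name, missing):
                print("  ", retention_command(group))
```

Run it as-is to see the findings and the generated commands for the constructed sample; for a live account, replace SAMPLE_DESCRIBE_OUTPUT with the contents of a saved describe-db-instances response. The commands are printed rather than executed so that the change to each DB instance can be reviewed before it is applied.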


References:

  1. What is Amazon CloudWatch Logs? - Amazon CloudWatch Logs

  2. Overview of monitoring Amazon RDS - Amazon Relational Database Service

  3. Working with Amazon RDS database log files - Amazon Relational Database Service

  4. describe-db-instances - AWS CLI 2.2.19 Command Reference

  5. Publishing Amazon RDS for MySQL audit logs to CloudWatch - https://aws.amazon.com/premiumsupport/knowledge-center/advanced-audit-rds-mysql-cloudwatch/