Profile Applicability:

  • Level 1

Description:

Amazon DocumentDB can export two log types to Amazon CloudWatch Logs: audit logs (DDL, DML, authentication and authorization events, governed by the audit_logs cluster parameter) and profiler logs (operations that take longer than profiler_threshold_ms, governed by the profiler cluster parameter). Exporting them lets you monitor, troubleshoot, and maintain DocumentDB clusters from a central location. This SOP ensures that DocumentDB clusters are configured with log export enabled, allowing for better monitoring and troubleshooting of database performance and security events.

Rationale:

  • Improved Monitoring: Exporting logs to CloudWatch Logs allows for centralized log collection and monitoring, which helps in identifying performance bottlenecks, slow operations, and potential security issues.

  • Operational Visibility: Profiler (slow operation) logs and audit logs provide insights into database operations, enabling quick detection of issues and anomalies such as unexpected DDL or repeated authentication failures.

  • Compliance: For compliance purposes, maintaining proper logging is often a requirement to ensure audit trails are available and that the database is operating securely.

Impact:

Pros:

  • Enhanced Troubleshooting: Logs provide detailed information that is helpful for diagnosing issues, such as slow queries and unauthorized access attempts.

  • Centralized Log Management: Exporting logs to CloudWatch Logs makes it easier to monitor and manage logs across multiple resources in a centralized manner.

  • Security: Logs can provide valuable information for detecting potential security incidents, such as unauthorized access or changes to the database.

Cons:

  • Increased Storage Costs: Storing logs in CloudWatch Logs incurs additional costs, depending on the volume of log data.

  • Performance Impact: Enabling log exports may have a minor performance impact on database operations due to the additional logging overhead.

Default Value:

By default, DocumentDB clusters do not export logs to CloudWatch Logs; export must be explicitly enabled when creating or modifying the cluster. The audit_logs and profiler cluster parameters also default to disabled, so an exported log stream stays empty until the matching parameter is enabled in the cluster's parameter group.

Pre-requisite:

  • AWS IAM Permissions (DocumentDB uses the rds: action namespace):

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

    • rds:DescribeDBClusterParameters and rds:ModifyDBClusterParameterGroup (to check and enable the audit_logs and profiler cluster parameters)

    • logs:DescribeLogGroups and logs:FilterLogEvents (to confirm that entries are arriving in CloudWatch Logs; the log streams themselves are written by the DocumentDB service, not by the operator)

  • AWS CLI installed and configured.

  • Ensure you have the correct permissions to access and manage DocumentDB clusters and CloudWatch Logs.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB under Services.

  3. In the DocumentDB Dashboard, select Clusters.

  4. Choose the DocumentDB cluster you want to check.

  5. In the cluster's Configuration details, check the Log exports setting.

    • If enabled, Audit logs and/or Profiler logs are listed and the corresponding /aws/docdb/<cluster-id>/audit and /aws/docdb/<cluster-id>/profiler log groups appear in CloudWatch Logs.

    • If log export is not enabled, it needs to be configured by modifying the cluster.

    • An enabled export only carries data when the cluster's parameter group has audit_logs (for audit) and profiler (for profiler) set to something other than disabled; check the parameter group as well.

Using AWS CLI:

  1. To check which log exports are enabled for each DocumentDB cluster, run the following command (the filter on Engine matters because describe-db-clusters can also return Aurora and Neptune clusters):

    aws docdb describe-db-clusters --query "DBClusters[?Engine=='docdb'].{ClusterIdentifier:DBClusterIdentifier,ParameterGroup:DBClusterParameterGroup,EnabledCloudwatchLogsExports:EnabledCloudwatchLogsExports}"

  2. Review the output:

  • EnabledCloudwatchLogsExports should list audit and profiler if log export is enabled. An empty list or a missing log type is a finding.

  3. To confirm that the exported streams will carry data, check the audit_logs and profiler parameters of the cluster's parameter group:

    aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name <parameter-group-name> --query "Parameters[?ParameterName=='audit_logs' || ParameterName=='profiler'].[ParameterName,ParameterValue]"

  • audit_logs should not be disabled (enabled, ddl, dml_read, dml_write or all are valid) and profiler should be enabled.

  4. To enable log export for a non-compliant cluster, run the following command (modify-db-cluster takes --cloudwatch-logs-export-configuration; --enable-cloudwatch-logs-exports is only accepted by create-db-cluster):

    aws docdb modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","profiler"]}' --apply-immediately

  5. Verify that log export is enabled by re-running the describe-db-clusters command from step 1.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon DocumentDB.

  2. In the DocumentDB Dashboard, select Clusters and choose the cluster for which you want to enable log export.

  3. Click Modify.

  4. In the Log exports section, enable the Audit logs and Profiler logs options.

  5. Click Continue, then Apply Changes (choose Apply immediately unless the change should wait for the next maintenance window).

  6. Ensure the cluster's parameter group has audit_logs set to enabled (or a scope such as ddl, dml_read, dml_write or all) and profiler set to enabled. Default parameter groups cannot be modified, so if the cluster uses one, create a custom cluster parameter group, change these parameters there, and associate it with the cluster.

Using AWS CLI:

  1. To enable log export for an existing DocumentDB cluster, run:

    aws docdb modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","profiler"]}' --apply-immediately

  2. To make the exported streams carry data, enable the underlying logging in the cluster's (custom) parameter group:

    aws docdb modify-db-cluster-parameter-group --db-cluster-parameter-group-name <custom-parameter-group-name> --parameters "ParameterName=audit_logs,ParameterValue=enabled,ApplyMethod=immediate" "ParameterName=profiler,ParameterValue=enabled,ApplyMethod=immediate"

  3. To verify that the log export configuration has been applied, run:

    aws docdb describe-db-clusters --query "DBClusters[?Engine=='docdb'].{ClusterIdentifier:DBClusterIdentifier,EnabledCloudwatchLogsExports:EnabledCloudwatchLogsExports}"
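The Test Plan and Implementation Steps above amount to one procedure: list the clusters, compare their enabled exports with the required set, check the parameter group, and build the remediation call. The following script is an added example, not part of the original SOP; it assumes the documented output shapes of aws docdb describe-db-clusters (DBClusters, DBClusterIdentifier, Engine, DBClusterParameterGroup, EnabledCloudwatchLogsExports) and aws docdb describe-db-cluster-parameters (Parameters, ParameterName, ParameterValue), and the cluster and parameter-group data embedded below is constructed for illustration. In use, replace the samples with the saved JSON output of those two commands.

```python
"""Evaluate DocumentDB clusters for CloudWatch log export compliance.

Added example (not from the original SOP). Input shapes follow
`aws docdb describe-db-clusters` and
`aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name <name>`.
The sample payloads below are constructed, not captured from a real account.
"""
import json
import shlex

# Log types DocumentDB can export to CloudWatch Logs.
REQUIRED_LOG_TYPES = {"audit", "profiler"}

# Cluster parameter that must be active for each exported stream to carry data.
# audit_logs accepts disabled|enabled|ddl|dml_read|dml_write|all; anything but
# "disabled" produces audit events. profiler must be exactly "enabled".
PARAMETER_REQUIREMENTS = {
    "audit": ("audit_logs", lambda v: v.lower() != "disabled"),
    "profiler": ("profiler", lambda v: v.lower() == "enabled"),
}

# Constructed sample: abridged describe-db-clusters output. Note the Aurora
# cluster: describe-db-clusters can return non-DocumentDB engines too.
SAMPLE_CLUSTERS = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "docdb-prod", "Engine": "docdb",
   "DBClusterParameterGroup": "prod-docdb5",
   "EnabledCloudwatchLogsExports": ["audit", "profiler"]},
  {"DBClusterIdentifier": "docdb-dev", "Engine": "docdb",
   "DBClusterParameterGroup": "default.docdb5.0",
   "EnabledCloudwatchLogsExports": ["audit"]},
  {"DBClusterIdentifier": "aurora-legacy", "Engine": "aurora-mysql",
   "DBClusterParameterGroup": "default.aurora-mysql8.0",
   "EnabledCloudwatchLogsExports": []}
]}
""")

# Constructed sample: abridged describe-db-cluster-parameters output, keyed by group name.
SAMPLE_PARAMETERS = {
    "prod-docdb5": {"Parameters": [
        {"ParameterName": "audit_logs", "ParameterValue": "enabled"},
        {"ParameterName": "profiler", "ParameterValue": "enabled"},
        {"ParameterName": "profiler_threshold_ms", "ParameterValue": "100"}]},
    "default.docdb5.0": {"Parameters": [
        {"ParameterName": "audit_logs", "ParameterValue": "disabled"},
        {"ParameterName": "profiler", "ParameterValue": "disabled"}]},
}


def evaluate_cluster(cluster, parameters):
    """Return findings for one DocumentDB cluster.

    parameters is the describe-db-cluster-parameters payload for the cluster's
    parameter group, or None if it was not fetched (parameter check skipped).
    """
    enabled = set(cluster.get("EnabledCloudwatchLogsExports") or [])
    missing_exports = sorted(REQUIRED_LOG_TYPES - enabled)
    values = {}
    if parameters:
        values = {p["ParameterName"]: p.get("ParameterValue", "")
                  for p in parameters["Parameters"]}
    inactive_params = []
    for log_type in sorted(REQUIRED_LOG_TYPES):
        name, is_active = PARAMETER_REQUIREMENTS[log_type]
        # A parameter absent from the payload is treated as its default, disabled.
        if values and not is_active(values.get(name, "disabled")):
            inactive_params.append(name)
    return {
        "cluster": cluster["DBClusterIdentifier"],
        "missing_exports": missing_exports,
        "inactive_params": inactive_params,
        "compliant": not missing_exports and not inactive_params,
    }


def evaluate(clusters_payload, parameters_by_group):
    """Evaluate every cluster with Engine == docdb; other engines are skipped."""
    return [
        evaluate_cluster(c, parameters_by_group.get(c.get("DBClusterParameterGroup")))
        for c in clusters_payload["DBClusters"]
        if c.get("Engine") == "docdb"
    ]


def remediation_command(finding):
    """Build the modify-db-cluster call that enables only the missing exports."""
    if not finding["missing_exports"]:
        return None
    config = json.dumps({"EnableLogTypes": finding["missing_exports"]})
    return (
        f"aws docdb modify-db-cluster --db-cluster-identifier {shlex.quote(finding['cluster'])} "
        f"--cloudwatch-logs-export-configuration {shlex.quote(config)} --apply-immediately"
    )


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS):
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['cluster']}: missing exports={finding['missing_exports']}, "
              f"inactive parameters={finding['inactive_params']}")
        command = remediation_command(finding)
        if command:
            print("  remediate:", command)
```

The parameter check is what separates a real finding from a cosmetic one: docdb-dev in the sample has the audit export switched on but audit_logs disabled, so its audit log group would exist and stay empty. The generated command only enables the log types that are missing, which keeps the change minimal and idempotent when rerun.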

Backout Plan:

Using AWS Console:

  1. If enabling log export causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB, select the cluster, and click Modify.

  3. In the Log exports section, clear the Audit logs and Profiler logs options.

  4. Save the changes and monitor the cluster to ensure that log export is no longer active.

Using AWS CLI:

  1. To disable log export for DocumentDB, run the following command:

    aws docdb modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit","profiler"]}' --apply-immediately

  2. Verify that log export has been disabled:

    aws docdb describe-db-clusters --db-cluster-identifier <CLUSTER_ID> --query 'DBClusters[0].EnabledCloudwatchLogsExports'

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
  --------|------------|---------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |