Profile Applicability:

Level 1

Description:

Enable monitoring and logging for your database services (such as RDS, ElastiCache, or QLDB) using Amazon CloudWatch and AWS CloudTrail to gain visibility into performance, health, and security-related activities.

Rationale:

Monitoring and logging help detect unauthorized access, track system performance, and enable timely responses to anomalies or attacks.

Impact:

Without proper logging and monitoring, malicious activity or performance degradation may go unnoticed, leading to data breaches or service disruption.

Default Value:

Monitoring and logging are not enabled by default for many AWS database services.

Pre-requisites:

  • AWS CloudWatch permissions

  • CloudTrail enabled (for services supporting API-level audit)

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the respective service console (e.g., RDS, ElastiCache, QLDB).

  3. Select the database cluster or instance.

  4. Check the Monitoring/Logging section to verify that Enhanced Monitoring and log exports are enabled.

  5. Review CloudWatch metrics, alarms, and logs.

Using AWS CLI:

Describe the database instance:

aws rds describe-db-instances --db-instance-identifier <your-instance-id>

  1. In the output, check fields such as MonitoringInterval (0 means Enhanced Monitoring is disabled) and the enabled log exports (reported as EnabledCloudwatchLogsExports; set via CloudwatchLogsExportConfiguration).
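
The same check, automated over the JSON that describe-db-instances returns. This is an added example, not part of the benchmark text; it assumes a MySQL/MariaDB-style policy requiring the "audit" and "error" log types (other engines use different log type names) and embeds a constructed sample document so it runs offline.

```python
"""Audit RDS instances for Enhanced Monitoring and CloudWatch Logs exports."""
import json
import sys

# Assumed policy for this example: log types that must be exported.
# Names are engine-specific ("audit" exists for MySQL/MariaDB), so adjust per engine.
REQUIRED_LOG_TYPES = {"audit", "error"}


def evaluate_instance(inst):
    """Return a list of findings for one DBInstance record (empty list = compliant)."""
    findings = []
    ident = inst.get("DBInstanceIdentifier", "<unknown>")
    # MonitoringInterval is 0 when Enhanced Monitoring is off (the backout plan sets 0).
    if inst.get("MonitoringInterval", 0) == 0:
        findings.append(f"{ident}: Enhanced Monitoring disabled (MonitoringInterval=0)")
    # EnabledCloudwatchLogsExports lists the log types currently shipped to CloudWatch.
    enabled = set(inst.get("EnabledCloudwatchLogsExports", []))
    missing = sorted(REQUIRED_LOG_TYPES - enabled)
    if missing:
        findings.append(f"{ident}: log types not exported to CloudWatch: {missing}")
    return findings


def audit(describe_output):
    """Evaluate a full `aws rds describe-db-instances` JSON document."""
    return {
        inst["DBInstanceIdentifier"]: evaluate_instance(inst)
        for inst in describe_output.get("DBInstances", [])
    }


# Constructed sample (trimmed describe-db-instances output), not real account data.
SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-mysql-1", "Engine": "mysql",
         "MonitoringInterval": 60, "EnabledCloudwatchLogsExports": ["audit", "error"]},
        {"DBInstanceIdentifier": "dev-mysql-2", "Engine": "mysql",
         "MonitoringInterval": 0, "EnabledCloudwatchLogsExports": ["error"]},
    ]
}

if __name__ == "__main__":
    # Usage: aws rds describe-db-instances | python audit_rds_monitoring.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit(data)
    for ident, findings in report.items():
        print(ident, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for finding in findings:
            print("  -", finding)
    sys.exit(1 if any(report.values()) else 0)
```

The script exits non-zero when any instance fails, so it can gate a pipeline or scheduled compliance job.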

Implementation Plan:

Using AWS Console:

  1. Go to the respective database service (RDS, ElastiCache, etc.) in the AWS console.

  2. Select the instance/cluster.

  3. Click “Modify”.

  4. Enable Enhanced Monitoring and choose monitoring interval (e.g., 1 min).

  5. Enable log exports (e.g., error logs, audit logs).

  6. Choose or create a CloudWatch log group.

  7. Save and apply changes.

Using AWS CLI:

Modify RDS instance to enable enhanced monitoring:

aws rds modify-db-instance --db-instance-identifier <your-instance-id> --monitoring-interval 60 --apply-immediately

Enable log exports (e.g., audit, error logs):

aws rds modify-db-instance --db-instance-identifier <your-instance-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error"]}' --apply-immediately
Backout Plan:

Using AWS Console:

  1. Navigate to the service console.

  2. Select the instance and click “Modify”.

  3. Disable Enhanced Monitoring.

  4. Uncheck the enabled log types.

  5. Save and apply changes.

Using AWS CLI:

Disable Enhanced Monitoring:

aws rds modify-db-instance --db-instance-identifier <your-instance-id> --monitoring-interval 0 --apply-immediately

Disable log exports:

aws rds modify-db-instance --db-instance-identifier <your-instance-id> --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit","error"]}' --apply-immediately

References:

  1. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.html

  2. https://aws.amazon.com/cloudwatch/