Profile Applicability

  • Level 1

Description:
Enable audit logging on the Amazon DocumentDB cluster so that authentication attempts, user and role changes, DDL operations and, when configured, DML read/write activity are recorded, and export the records to Amazon CloudWatch Logs, from where they can be forwarded to a centralized log management or SIEM system. In DocumentDB this takes two settings: the audit_logs parameter in the cluster parameter group must be set to a value other than disabled, and the cluster must export the audit log type to CloudWatch Logs. Either one alone produces no usable audit trail.

Rationale:
Audit logging records who connected to the cluster, when, and what they did, including failed login attempts, privilege changes and schema changes. Without it there is no authoritative record to reconstruct an incident, detect unauthorized or anomalous access, or demonstrate compliance. Exporting the records to CloudWatch Logs keeps them outside the database itself, so an attacker with database privileges cannot tamper with them, and makes them available for alerting and retention policies.

Impact:

Pros:

  • Enables auditing of access and changes to data.

  • Helps in identifying unauthorized access or malicious activity.

  • Supports regulatory compliance requirements.

Cons:

  • May introduce performance overhead.

  • Incurs CloudWatch Logs ingestion and retention costs, which scale with query volume when DML auditing is enabled.

Default Value:
Audit logging is disabled by default: the audit_logs cluster parameter is set to disabled and no log types are exported to CloudWatch Logs.

Pre-requisites:

  • An Amazon DocumentDB cluster attached to a custom cluster parameter group (the default parameter group cannot be modified).

  • IAM permissions to describe and modify the DocumentDB cluster and its cluster parameter group (for example rds:DescribeDBClusters, rds:ModifyDBCluster, rds:DescribeDBClusterParameters, rds:ModifyDBClusterParameterGroup) and to read the resulting CloudWatch Logs log groups.

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon DocumentDB console.

  3. Select the target DocumentDB cluster.

  4. Open the Configuration tab and check that Audit logs appears under Log exports.

  5. Open Parameter groups, select the cluster parameter group attached to the cluster, and confirm that audit_logs is set to a value other than disabled.

  6. In the CloudWatch console, confirm that the log group /aws/docdb/<cluster-id>/audit exists and is receiving events.

Using AWS CLI:

  1. Run the following command to list each cluster together with its enabled CloudWatch Logs exports:
    aws docdb describe-db-clusters --query 'DBClusters[*].[DBClusterIdentifier,EnabledCloudwatchLogsExports]'
  2. Confirm that "audit" is listed in the enabled log exports for every cluster.
  3. Exporting the audit log type is necessary but not sufficient: audit events are only generated when the audit_logs parameter of the cluster's parameter group is not disabled, so confirm that parameter value as well.

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon DocumentDB console.

  3. Choose the target cluster.

  4. Choose Actions, then Modify.

  5. Scroll to the Log exports section.

  6. Select Audit logs. (Amazon DocumentDB exports cluster logs to CloudWatch Logs only; there is no direct S3 destination.)

  7. Save the changes and apply them immediately or during the next maintenance window.

  8. Open Parameter groups, select the custom cluster parameter group attached to the cluster, and set audit_logs to enabled. If the cluster still uses a default parameter group, create a custom group, set audit_logs in it, and attach it to the cluster.

Using AWS CLI:

  1. Run the following command to export audit logs to CloudWatch Logs:
    aws docdb modify-db-cluster \
      --db-cluster-identifier your-cluster-id \
      --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
      --apply-immediately
  2. Set the audit_logs parameter to enabled in the custom cluster parameter group attached to the cluster. Without this step the export is switched on but no audit events are written to it.
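
The following shell script is an added example, not part of the original benchmark text, that automates both halves of the Test Plan above and the two-step remediation: it checks that the audit log type is exported and that the audit_logs cluster parameter is not disabled, and can apply both settings. The evaluation functions are pure shell so they can be exercised on captured aws output without credentials; the names check_live and remediate_live, the environment variables DOCDB_AUDIT_LIVE and DOCDB_CLUSTER_ID, and the placeholder cluster and parameter group identifiers are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original benchmark page): check and remediate
# Amazon DocumentDB audit logging with the AWS CLI.
#
# Audit records reach CloudWatch Logs only when BOTH are true:
#   1. the cluster exports the "audit" log type (EnabledCloudwatchLogsExports)
#   2. the cluster parameter group's audit_logs parameter is not "disabled"
# The evaluate_* functions are pure shell so they can be tested on captured
# output; the *_live functions run the real aws commands (credentials needed).

# evaluate_exports ROW
#   ROW is one line of `--output text` shaped as
#   "<cluster-id><TAB><comma-separated enabled log exports>".
#   Returns 0 when "audit" is among the exports, 1 otherwise.
evaluate_exports() {
  id=$(printf '%s\n' "$1" | cut -f1)
  exports=$(printf '%s\n' "$1" | cut -s -f2)   # empty when no exports column
  case ",$exports," in
    *,audit,*) printf 'PASS %s exports audit logs\n' "$id"; return 0 ;;
    *)         printf 'FAIL %s does not export audit logs\n' "$id"; return 1 ;;
  esac
}

# evaluate_audit_param VALUE
#   VALUE is the audit_logs parameter value from the cluster parameter group.
#   "disabled" (the default), "None" (query matched nothing) or an empty
#   value fail; "enabled" and the event-class values (ddl, dml_read, ...) pass.
evaluate_audit_param() {
  case "$1" in
    disabled|None|"") printf 'FAIL audit_logs=%s\n' "${1:-unset}"; return 1 ;;
    *)                printf 'PASS audit_logs=%s\n' "$1"; return 0 ;;
  esac
}

# check_live CLUSTER_ID -- assessment against the real account.
#   Returns 0 when both conditions hold, 1 when either fails, 2 on aws error.
check_live() {
  cluster=$1
  row=$(aws docdb describe-db-clusters --db-cluster-identifier "$cluster" \
    --query "DBClusters[0].[DBClusterIdentifier, join(',', EnabledCloudwatchLogsExports)]" \
    --output text) || return 2
  pg=$(aws docdb describe-db-clusters --db-cluster-identifier "$cluster" \
    --query 'DBClusters[0].DBClusterParameterGroup' --output text) || return 2
  val=$(aws docdb describe-db-cluster-parameters \
    --db-cluster-parameter-group-name "$pg" \
    --query "Parameters[?ParameterName=='audit_logs'].ParameterValue | [0]" \
    --output text) || return 2
  ok=0
  evaluate_exports "$row" || ok=1
  evaluate_audit_param "$val" || ok=1
  return "$ok"
}

# remediate_live CLUSTER_ID PARAM_GROUP -- enable both halves.
#   PARAM_GROUP must be a custom cluster parameter group already attached to
#   the cluster; the default.docdb* groups cannot be modified.
remediate_live() {
  aws docdb modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$2" \
    --parameters ParameterName=audit_logs,ParameterValue=enabled,ApplyMethod=immediate
  aws docdb modify-db-cluster --db-cluster-identifier "$1" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
    --apply-immediately
}

# Live run only when explicitly requested, for example:
#   DOCDB_AUDIT_LIVE=1 DOCDB_CLUSTER_ID=your-cluster-id sh docdb_audit_check.sh
if [ "${DOCDB_AUDIT_LIVE:-0}" = 1 ]; then
  check_live "${DOCDB_CLUSTER_ID:?set DOCDB_CLUSTER_ID}"
fi
```

Run the script with DOCDB_AUDIT_LIVE=1 to assess one cluster, and call remediate_live with the cluster identifier and its custom parameter group name to apply the fix; after remediation, events appear in the CloudWatch Logs log group /aws/docdb/<cluster-id>/audit.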

Backout Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Go to the DocumentDB cluster page.

  3. Choose Actions, then Modify.

  4. Clear the Audit logs checkbox under Log exports. Optionally set audit_logs back to disabled in the cluster parameter group.

  5. Save and apply changes.

Using AWS CLI:

  1. Run the following command to stop exporting audit logs to CloudWatch Logs:
    aws docdb modify-db-cluster \
      --db-cluster-identifier your-cluster-id \
      --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit"]}' \
      --apply-immediately
  2. Optionally set the audit_logs parameter back to disabled in the cluster parameter group. Log groups already created in CloudWatch Logs are retained until deleted.

References: