Profile Applicability:

  • Level 1

Description:
 Enabling monitoring and logging provides visibility into the performance, availability, and behavior of your AWS-managed database services. For Amazon RDS this covers two separate settings: Enhanced Monitoring, which publishes OS-level metrics for the DB instance to CloudWatch Logs, and CloudWatch log exports, which copy the engine's own logs (error, audit, general and slow query for MySQL and MariaDB, or the equivalent types for PostgreSQL, Oracle and SQL Server) to CloudWatch Logs. Together they allow you to collect metrics, track queries, audit access, and detect anomalies or security events.

Rationale:
 Monitoring and logging are critical for detecting unauthorized access, debugging issues, auditing user actions, and maintaining system health. Engine logs that stay only on the DB instance are rotated, cannot be searched centrally, and are lost with the instance; exporting them to CloudWatch Logs is what makes failed logins, privilege changes and unexpected queries available to detection and incident response. Without this visibility, operational and security risks increase significantly.

Impact:
 Pros:

  • Enables performance monitoring and resource utilization tracking

  • Facilitates faster incident detection and resolution

  • Meets compliance and audit requirements

Cons:

  • May introduce additional cost: exported logs and Enhanced Monitoring data are billed as CloudWatch Logs ingestion and storage, and the cost grows with finer monitoring granularity and with verbose log types

  • The MySQL/MariaDB general log records every statement, including literal values, so it adds write load and can expose sensitive data to anyone who can read the log group; enable it deliberately and restrict access to the log group

  • Requires configuration and periodic review

Default Value:
 Basic CloudWatch metrics (for example CPUUtilization and FreeStorageSpace) are collected for every RDS instance by default. Enhanced Monitoring (MonitoringInterval is 0) and log exports to CloudWatch Logs (EnabledCloudwatchLogsExports is empty) are disabled unless explicitly enabled.

Pre-requisites:

  • IAM permissions to modify database configurations

  • For Enhanced Monitoring, an IAM role that trusts monitoring.rds.amazonaws.com and has the AmazonRDSEnhancedMonitoringRole managed policy attached; log exports need no extra role, and RDS creates the log groups (/aws/rds/instance/<db-instance-id>/<log type>) itself

  • Knowledge of the log types supported by your DB engine, and of the parameter group settings some of them need: on MySQL and MariaDB the general and slow query logs are only written when general_log=1, slow_query_log=1 and log_output=FILE are set in the DB parameter group, otherwise the exported log groups stay empty

Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to RDS > Databases or ElastiCache > Clusters

  3. Select the target DB instance or cache cluster

  4. Open the Monitoring, Logs, or Maintenance and Backups tab

  5. Confirm that Enhanced Monitoring is enabled (the monitoring interval is not 0) and that the log types you expect are listed under Published logs (for ElastiCache, check the Log delivery settings for the slow log and engine log instead)

  6. Check CloudWatch Logs for the log groups /aws/rds/instance/<db-instance-id>/<log type> and confirm they are receiving recent events, not merely that they exist

Using AWS CLI:

  1. Check Enhanced Monitoring status (0 means disabled; any other value is the collection interval in seconds):

    aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].MonitoringInterval"
  2. Check enabled log exports (an empty list or null means no log type is exported):

    aws rds describe-db-instances --db-instance-identifier <your-db-instance-id> --query "DBInstances[*].EnabledCloudwatchLogsExports"
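
The two CLI checks above cover one instance at a time. The following script is an added example (not part of this benchmark or of any AWS tooling) that evaluates the same two fields, MonitoringInterval and EnabledCloudwatchLogsExports, across every RDS instance returned by describe-db-instances and reports the ones that fall short of a minimum policy. The per-engine REQUIRED_LOGS table is an assumed local policy, not an AWS default; the SAMPLE_PAGES data is constructed to look like a describe-db-instances response and is used when the script is run with --sample. Aurora instances are not covered because their log exports are configured on the cluster with modify-db-cluster.

```python
"""Audit RDS instances for Enhanced Monitoring and CloudWatch log exports.

Added example for this benchmark; not AWS code. Reads the same fields the
describe-db-instances checks above return and flags non-compliant instances.
"""
import sys

# Minimum log types that must be exported per engine family. This is an
# ASSUMED policy for the example; the names are the ones RDS accepts for
# --cloudwatch-logs-export-configuration. Aurora is deliberately absent:
# its exports are set on the cluster, not the instance.
REQUIRED_LOGS = {
    "mysql": {"error", "slowquery"},
    "mariadb": {"error", "slowquery"},
    "postgres": {"postgresql"},
    "oracle": {"alert", "audit", "listener"},   # any oracle-* engine
    "sqlserver": {"error", "agent"},            # any sqlserver-* engine
}


def engine_family(engine):
    """Map an RDS Engine string to a REQUIRED_LOGS key (oracle-ee -> oracle)."""
    for prefix in ("oracle", "sqlserver"):
        if engine.startswith(prefix):
            return prefix
    return engine


def evaluate_instance(db):
    """Return a list of findings for one DBInstances entry (empty = compliant)."""
    findings = []
    # MonitoringInterval of 0 (the default) means Enhanced Monitoring is off.
    if db.get("MonitoringInterval", 0) <= 0:
        findings.append("Enhanced Monitoring disabled (MonitoringInterval=0)")
    # The key is absent from the response when nothing is exported.
    exported = set(db.get("EnabledCloudwatchLogsExports") or [])
    required = REQUIRED_LOGS.get(engine_family(db.get("Engine", "")), set())
    missing = sorted(required - exported)
    if missing:
        findings.append("missing log exports: " + ", ".join(missing))
    return findings


def audit(response_pages):
    """Evaluate describe-db-instances pages; return {identifier: findings} for non-compliant instances only."""
    report = {}
    for page in response_pages:
        for db in page.get("DBInstances", []):
            findings = evaluate_instance(db)
            if findings:
                report[db["DBInstanceIdentifier"]] = findings
    return report


# Constructed sample in the shape describe-db-instances returns (not real output).
SAMPLE_PAGES = [{
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-mysql", "Engine": "mysql",
         "MonitoringInterval": 60,
         "EnabledCloudwatchLogsExports": ["audit", "error", "general", "slowquery"]},
        {"DBInstanceIdentifier": "dev-mysql", "Engine": "mysql",
         "MonitoringInterval": 0,
         "EnabledCloudwatchLogsExports": ["error"]},
        {"DBInstanceIdentifier": "analytics-pg", "Engine": "postgres",
         "MonitoringInterval": 30},
        {"DBInstanceIdentifier": "erp-ora", "Engine": "oracle-ee",
         "MonitoringInterval": 60,
         "EnabledCloudwatchLogsExports": ["alert", "listener"]},
    ]
}]


def main(argv):
    """Use the constructed sample with --sample; otherwise query the live account (needs boto3 and credentials)."""
    if "--sample" in argv:
        pages = SAMPLE_PAGES
    else:
        import boto3  # imported here so the pure checks run without the SDK
        pages = boto3.client("rds").get_paginator("describe_db_instances").paginate()
    for ident, findings in sorted(audit(pages).items()):
        for finding in findings:
            print(f"{ident}: {finding}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with --sample to see the three non-compliant sample instances, or without arguments against an account whose credentials are in the environment; a non-empty report is the failure condition for this check.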

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to Amazon RDS > Databases

  3. Select your DB instance and click Modify

  4. Scroll to the Monitoring section and enable Enhanced Monitoring

  5. Choose the granularity (e.g., 1 minute) and monitoring role

  6. Scroll to Log exports and select the log types to export (for MySQL and MariaDB: audit, error, general, slowquery; for PostgreSQL: postgresql; Oracle and SQL Server list their own engine-specific types)

  7. Click Continue, then Apply Immediately

  8. Open CloudWatch > Alarms, and set up thresholds for metrics like CPUUtilization or FreeStorageSpace

Using AWS CLI:

  1. Enable Enhanced Monitoring:

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --monitoring-interval 60 --monitoring-role-arn <monitoring-role-arn> --apply-immediately
  2. Enable CloudWatch log exports (log type names are engine-specific; this example is for MySQL/MariaDB):

     aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery"]}' --apply-immediately
  3. Create a CloudWatch alarm (example: high CPU usage). The DBInstanceIdentifier dimension is required; without it the alarm matches no datapoints and stays in INSUFFICIENT_DATA:

    aws cloudwatch put-metric-alarm --alarm-name "HighCPUUtilization" --metric-name CPUUtilization --namespace AWS/RDS --dimensions Name=DBInstanceIdentifier,Value=<your-db-instance-id> --statistic Average --period 300 --threshold 80 --comparison-operator GreaterThanThreshold --evaluation-periods 2 --alarm-actions <sns-topic-arn>
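
The alarm above watches a performance metric. The security reason for exporting the error log is that every rejected connection is written to it, so once the "error" log type is exported the log group /aws/rds/instance/<db-instance-id>/error can be searched for failed logins. The script below is an added example (not part of this benchmark or of AWS) that groups "Access denied for user" lines by source host and reports hosts above a threshold, which is how a brute-force or password-spraying attempt against the database surfaces. The SAMPLE_LINES are constructed to imitate the MySQL 8.0 error-log format; the threshold, the one-hour window and the log group name are assumptions for the example, and the live path needs boto3 and credentials.

```python
"""Flag failed-login bursts in an RDS for MySQL error log exported to CloudWatch Logs.

Added example for this benchmark; not AWS code. Works on the constructed
sample lines below, or on lines pulled from CloudWatch Logs when a DB instance
identifier is given on the command line.
"""
import re
import sys
from collections import defaultdict

# "Access denied for user 'name'@'host'" as written by MySQL 5.7 and 8.0.
ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

# Constructed sample lines in the MySQL 8.0 error-log format (not real logs).
SAMPLE_LINES = [
    "2024-05-02T10:15:32.123456Z 12 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2024-05-02T10:15:33.001122Z 13 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2024-05-02T10:15:33.550000Z 14 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2024-05-02T10:15:34.200000Z 15 [Warning] [MY-010926] [Server] Access denied for user 'app'@'203.0.113.7' (using password: YES)",
    "2024-05-02T10:15:35.000000Z 16 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: NO)",
    "2024-05-02T10:16:01.000000Z 17 [Warning] [MY-010926] [Server] Access denied for user 'app'@'10.0.1.5' (using password: YES)",
    "2024-05-02T10:16:02.000000Z 0 [System] [MY-010931] [Server] /rdsdbbin/mysql/bin/mysqld: ready for connections.",
    "2024-05-02T10:16:05.000000Z 18 [Note] [MY-010914] [Server] Aborted connection 18 to db: 'unconnected' user: 'app' host: '10.0.1.5' (Got an error reading communication packets)",
]


def parse_failed_logins(lines):
    """Yield (user, host) for each access-denied line; every other line is ignored."""
    for line in lines:
        match = ACCESS_DENIED.search(line)
        if match:
            yield match.group("user"), match.group("host")


def summarize(lines):
    """Group failures by source host: {host: {"attempts": n, "users": [sorted distinct users]}}."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for user, host in parse_failed_logins(lines):
        attempts[host] += 1
        users[host].add(user)
    return {h: {"attempts": attempts[h], "users": sorted(users[h])} for h in attempts}


def alerts(lines, threshold=3):
    """Return only hosts with at least `threshold` failures (threshold is an assumed value)."""
    return {h: s for h, s in summarize(lines).items() if s["attempts"] >= threshold}


def fetch_error_log_lines(db_instance_id, minutes=60):
    """Pull recent access-denied lines from the exported error log (needs boto3 and credentials)."""
    import time
    import boto3
    logs = boto3.client("logs")
    start = int((time.time() - minutes * 60) * 1000)  # CloudWatch wants milliseconds
    paginator = logs.get_paginator("filter_log_events")
    pages = paginator.paginate(
        logGroupName=f"/aws/rds/instance/{db_instance_id}/error",  # group RDS creates for the error log
        filterPattern='"Access denied for user"',                    # server-side filter, quoted phrase syntax
        startTime=start,
    )
    for page in pages:
        for event in page.get("events", []):
            yield event["message"]


def main(argv):
    """With no argument, evaluate the constructed sample; with a DB instance id, query CloudWatch Logs."""
    lines = SAMPLE_LINES if not argv else list(fetch_error_log_lines(argv[0]))
    ranked = sorted(alerts(lines).items(), key=lambda kv: -kv[1]["attempts"])
    for host, summary in ranked:
        print(f"{host}: {summary['attempts']} failed logins, users tried: {', '.join(summary['users'])}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Reporting distinct user names per host alongside the count separates a single account being brute-forced from a spray across many accounts; both are worth an alert, but the response differs. The same filter pattern can be turned into a CloudWatch Logs metric filter and alarm so the detection runs continuously instead of on demand.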

Backout Plan

Using AWS Console:

  1. Navigate to RDS > Databases

  2. Select your DB instance and click Modify

  3. Scroll to the Monitoring section and turn off Enhanced Monitoring (this sets the monitoring interval to 0)

  4. Under Log Exports, uncheck all selected logs

  5. Click Continue, then Apply Immediately

  6. Go to CloudWatch > Alarms and delete any alarms created

Using AWS CLI:

  1. Disable Enhanced Monitoring:

    aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --monitoring-interval 0 --apply-immediately
  2. Disable log exports (the log groups and the data already exported remain in CloudWatch Logs until you delete them or their retention period expires):

    aws rds modify-db-instance --db-instance-identifier <your-db-instance-id> --cloudwatch-logs-export-configuration '{"DisableLogTypes":["error","general","slowquery"]}' --apply-immediately
  3. Delete CloudWatch alarm:

     aws cloudwatch delete-alarms --alarm-names "HighCPUUtilization"

References: