Profile Applicability:
- Level 1
Description:
Monitoring and auditing activities within AWS are critical for identifying unauthorized access or modifications to database resources. Enabling monitoring and auditing ensures that every action taken on the database is logged and accessible for review, which is essential for security and compliance.
Rationale:
By enabling logging and audit trails, organizations can detect anomalous behavior, access violations, and changes to database configurations or data. This also helps meet compliance requirements such as SOC 2, ISO 27001, and other security standards that demand continuous monitoring.
Impact:
Without monitoring and audit logs, unauthorized changes or malicious activities could go undetected. Enabling these logs improves incident response capabilities and enhances security posture.
Default Value:
By default, Amazon Aurora does not have monitoring and auditing enabled for all activities.
Pre-requisites:
An AWS account with Aurora database instances.
Basic knowledge of Amazon RDS, CloudTrail, and CloudWatch.
Remediation:
Test Plan:
Using AWS Console:
Navigate to CloudTrail in the AWS Console.
Ensure that CloudTrail is enabled for all regions, capturing management events, data events, and insights.
In RDS Dashboard, check if Enhanced Monitoring is enabled for Aurora instances under Monitoring.
In CloudWatch Logs, verify that logs for Aurora are being forwarded and stored.
Using AWS CLI:
Run the command to check CloudTrail status:
aws cloudtrail describe-trails
Check the Enhanced Monitoring status of each instance (the DescribeDBInstances output has no EnhancedMonitoringStatus field; MonitoringInterval is the attribute to read, and a value of 0 means Enhanced Monitoring is disabled):
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, MonitoringInterval:MonitoringInterval}"
Check if logs are being forwarded to CloudWatch:
aws logs describe-log-groups --log-group-name-prefix "/aws/rds/"
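The three CLI checks above can be evaluated automatically. The following script is an added example, not part of this benchmark; it reads the JSON that `aws cloudtrail describe-trails`, `aws rds describe-db-instances` and `aws rds describe-db-clusters` print (the field names are the real ones, the sample values embedded below are constructed) and reports each instance without Enhanced Monitoring and each Aurora cluster not exporting the required log types. The engine-to-log-type mapping and the "at least one multi-region trail" rule are this example's own assumptions about what "enabled" means for this control.

```python
import json
import sys
from typing import Dict, List

# Constructed sample outputs shaped like the three describe calls. Only the
# fields the checks read are included; identifiers and values are made up.
SAMPLE_TRAILS = json.dumps({"trailList": [
    {"Name": "my-trail", "IsMultiRegionTrail": True, "S3BucketName": "my-bucket"}]})
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "aurora-writer", "Engine": "aurora-mysql", "MonitoringInterval": 60},
    {"DBInstanceIdentifier": "aurora-reader", "Engine": "aurora-mysql", "MonitoringInterval": 0}]})
SAMPLE_CLUSTERS = json.dumps({"DBClusters": [
    {"DBClusterIdentifier": "aurora-cluster", "Engine": "aurora-mysql",
     "EnabledCloudwatchLogsExports": ["error"]}]})

# Assumed policy for this control: which CloudWatch log exports an Aurora
# cluster must publish, keyed by engine. Aurora PostgreSQL has a single
# "postgresql" log type; Aurora MySQL splits audit and error logs.
REQUIRED_LOG_EXPORTS = {
    "aurora-mysql": {"audit", "error"},
    "aurora-postgresql": {"postgresql"},
}


def check_cloudtrail(describe_trails_json: str) -> List[str]:
    """Finding if no multi-region trail exists (API activity outside the
    home region would otherwise go unrecorded). Note that describe-trails
    does not say whether the trail is logging; get-trail-status does."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        return ["No multi-region CloudTrail trail found"]
    return []


def check_enhanced_monitoring(describe_instances_json: str) -> List[str]:
    """One finding per Aurora instance whose MonitoringInterval is 0,
    which is how the API represents Enhanced Monitoring being off."""
    findings = []
    for inst in json.loads(describe_instances_json).get("DBInstances", []):
        if not inst.get("Engine", "").startswith("aurora"):
            continue  # non-Aurora engines are out of scope for this control
        if inst.get("MonitoringInterval", 0) == 0:
            findings.append(f"{inst['DBInstanceIdentifier']}: Enhanced Monitoring disabled")
    return findings


def check_log_exports(describe_clusters_json: str) -> List[str]:
    """One finding per Aurora cluster missing a required CloudWatch log export.
    Log export is a cluster-level setting for Aurora, so clusters are inspected."""
    findings = []
    for cluster in json.loads(describe_clusters_json).get("DBClusters", []):
        required = REQUIRED_LOG_EXPORTS.get(cluster.get("Engine", ""))
        if required is None:
            continue
        missing = required - set(cluster.get("EnabledCloudwatchLogsExports", []))
        if missing:
            findings.append(
                f"{cluster['DBClusterIdentifier']}: not exporting {sorted(missing)} to CloudWatch Logs")
    return findings


def audit(trails_json: str, instances_json: str, clusters_json: str) -> Dict[str, List[str]]:
    """Run all three checks; an empty list under a key means that check passed."""
    return {
        "cloudtrail": check_cloudtrail(trails_json),
        "enhanced_monitoring": check_enhanced_monitoring(instances_json),
        "log_exports": check_log_exports(clusters_json),
    }


if __name__ == "__main__":
    # Usage: audit.py trails.json instances.json clusters.json
    # (each file holding the raw --output json of the matching CLI call);
    # with no arguments the constructed samples are evaluated instead.
    if len(sys.argv) == 4:
        inputs = [open(p).read() for p in sys.argv[1:]]
    else:
        inputs = [SAMPLE_TRAILS, SAMPLE_INSTANCES, SAMPLE_CLUSTERS]
    for check, findings in audit(*inputs).items():
        print(f"{check}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

Against the constructed samples the script passes the CloudTrail check, flags the reader instance for having Enhanced Monitoring off, and flags the cluster for not exporting the audit log.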
Implementation Plan:
Using AWS Console:
In the CloudTrail Console, create or enable a trail that captures all management and data events.
In the RDS Dashboard, go to the Modify option for the Aurora instance and enable Enhanced Monitoring.
Under CloudWatch Logs, ensure the Aurora database logs are configured to be forwarded and stored securely.
Using AWS CLI:
Create a multi-region CloudTrail trail and start logging on it (a newly created trail records nothing until logging is started):
aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --is-multi-region-trail
aws cloudtrail start-logging --name my-trail
Enable Enhanced Monitoring on the Aurora instance (a non-zero monitoring interval requires an IAM role that RDS can assume to publish metrics, typically one with the AmazonRDSEnhancedMonitoringRole managed policy attached):
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 60 --monitoring-role-arn <monitoring-role-arn> --apply-immediately
Enable CloudWatch Logs export for Aurora. For Aurora the export setting lives on the DB cluster, not the instance; the "audit" log type applies to Aurora MySQL and is only populated when server_audit_logging is enabled in the cluster parameter group, while Aurora PostgreSQL uses the single "postgresql" log type:
aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error"]}' --apply-immediately
Backout Plan:
Using AWS Console:
Go to RDS Dashboard and disable Enhanced Monitoring for the Aurora instance under Modify.
In CloudTrail, delete or disable the active trail.
Remove log configurations from CloudWatch Logs.
Using AWS CLI:
Disable Enhanced Monitoring:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 0 --apply-immediately
Delete the CloudTrail trail:
aws cloudtrail delete-trail --name my-trail
Disable log export to CloudWatch (cluster-level setting for Aurora):
aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":[]}' --apply-immediately
References: