Profile Applicability:

  • Level 1

Description:
 Monitoring and auditing activities within AWS are critical for identifying unauthorized access or modifications to database resources. Enabling monitoring and auditing ensures that every action taken on the database is logged and accessible for review, which is essential for security and compliance.

Rationale:
 By enabling logging and audit trails, organizations can detect anomalous behavior, access violations, and changes to database configurations or data. This also helps meet compliance requirements such as SOC 2, ISO 27001, and other security standards that demand continuous monitoring.

Impact:
 Without monitoring and audit logs, unauthorized changes or malicious activities could go undetected. Enabling these logs improves incident response capabilities and enhances security posture.

Default Value:
 By default, Amazon Aurora does not have monitoring and auditing enabled for all activities.

Pre-requisites:

  • An AWS account with Aurora database instances.

  • Basic knowledge of Amazon RDS, CloudTrail, and CloudWatch.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to CloudTrail in the AWS Console.

  2. Ensure that CloudTrail is enabled for all regions, capturing management events, data events, and CloudTrail Insights.

  3. In RDS Dashboard, check if Enhanced Monitoring is enabled for Aurora instances under Monitoring.

  4. In CloudWatch Logs, verify that logs for Aurora are being forwarded and stored.

Using AWS CLI:

  1. Run the commands to check CloudTrail configuration and confirm that the trail is actively logging (describe-trails shows only the configuration; get-trail-status shows IsLogging):

     aws cloudtrail describe-trails
     aws cloudtrail get-trail-status --name my-trail

  2. Check the Enhanced Monitoring status of RDS instances (Enhanced Monitoring is on when MonitoringInterval is greater than 0 and a MonitoringRoleArn is attached):

     aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, MonitoringInterval:MonitoringInterval, MonitoringRoleArn:MonitoringRoleArn}"

  3. Check if logs are being forwarded to CloudWatch:

     aws logs describe-log-groups --log-group-name-prefix "/aws/rds/"
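The three CLI checks above can be turned into an automated compliance evaluation over the JSON the CLI returns. The script below is an added example, not part of the benchmark text; it evaluates constructed sample documents shaped like the output of `aws cloudtrail describe-trails`, `get-trail-status`, `get-event-selectors`, `aws rds describe-db-instances` and `describe-db-clusters` (the sample account IDs, names and ARNs are made up). The required-log-type mapping for aurora-postgresql is this example's own assumption; the benchmark text itself only names the audit and error log types.

```python
"""Evaluate the Aurora monitoring/auditing test plan over AWS CLI-shaped JSON.
Added example; the sample documents below are constructed, not from a real account."""
import json

# Constructed sample shaped like `aws cloudtrail describe-trails`.
TRAILS = json.loads("""
{"trailList": [
  {"Name": "org-trail", "S3BucketName": "example-logs", "HomeRegion": "us-east-1",
   "IsMultiRegionTrail": true, "LogFileValidationEnabled": true},
  {"Name": "dev-trail", "S3BucketName": "example-dev", "HomeRegion": "us-west-2",
   "IsMultiRegionTrail": false, "LogFileValidationEnabled": false}
]}""")
# Constructed, keyed by trail name, shaped like `get-trail-status` / `get-event-selectors`.
TRAIL_STATUS = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": False}}
EVENT_SELECTORS = {
    "org-trail": {"EventSelectors": [{"ReadWriteType": "All",
                                      "IncludeManagementEvents": True, "DataResources": []}]},
    "dev-trail": {"EventSelectors": [{"ReadWriteType": "WriteOnly",
                                      "IncludeManagementEvents": False, "DataResources": []}]},
}
# Constructed samples shaped like `aws rds describe-db-instances` / `describe-db-clusters`.
DB_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "aurora-prod-1", "Engine": "aurora-mysql",
   "DBClusterIdentifier": "aurora-prod", "MonitoringInterval": 60,
   "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role"},
  {"DBInstanceIdentifier": "aurora-dev-1", "Engine": "aurora-postgresql",
   "DBClusterIdentifier": "aurora-dev", "MonitoringInterval": 0}
]}""")
DB_CLUSTERS = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "aurora-prod", "Engine": "aurora-mysql",
   "EnabledCloudwatchLogsExports": ["audit", "error"]},
  {"DBClusterIdentifier": "aurora-dev", "Engine": "aurora-postgresql",
   "EnabledCloudwatchLogsExports": []}
]}""")

# Assumed mapping of engine -> log types that must be exported. The aurora-mysql
# entry follows the benchmark text; the aurora-postgresql entry is this example's choice.
REQUIRED_LOG_EXPORTS = {
    "aurora-mysql": {"audit", "error"},
    "aurora-postgresql": {"postgresql"},
}


def check_trails(trails, status, selectors):
    """Map trail name -> deviations: a trail must be multi-region, currently
    logging, and capture management events for both reads and writes."""
    result = {}
    for t in trails["trailList"]:
        name, issues = t["Name"], []
        if not t.get("IsMultiRegionTrail"):
            issues.append("not multi-region")
        if not status.get(name, {}).get("IsLogging"):
            issues.append("logging stopped (IsLogging=false)")
        sels = selectors.get(name, {}).get("EventSelectors", [])
        if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                   for s in sels):
            issues.append("management events not captured for both reads and writes")
        result[name] = issues
    return result


def check_instances(instances):
    """Map DB instance id -> Enhanced Monitoring issues (interval > 0 plus a role)."""
    result = {}
    for db in instances["DBInstances"]:
        issues = []
        if db.get("MonitoringInterval", 0) == 0:
            issues.append("Enhanced Monitoring disabled (MonitoringInterval=0)")
        elif not db.get("MonitoringRoleArn"):
            issues.append("Enhanced Monitoring has no MonitoringRoleArn")
        result[db["DBInstanceIdentifier"]] = issues
    return result


def check_clusters(clusters):
    """Map DB cluster id -> missing CloudWatch Logs exports for its engine."""
    result = {}
    for c in clusters["DBClusters"]:
        enabled = set(c.get("EnabledCloudwatchLogsExports", []))
        missing = sorted(REQUIRED_LOG_EXPORTS.get(c["Engine"], set()) - enabled)
        result[c["DBClusterIdentifier"]] = (
            [f"log types not exported to CloudWatch: {', '.join(missing)}"] if missing else [])
    return result


def is_compliant(trails, status, selectors, instances, clusters):
    """Overall verdict: at least one fully compliant trail, and no instance or cluster issues."""
    trail_ok = any(not v for v in check_trails(trails, status, selectors).values())
    inst_ok = all(not v for v in check_instances(instances).values())
    clus_ok = all(not v for v in check_clusters(clusters).values())
    return trail_ok and inst_ok and clus_ok


if __name__ == "__main__":
    for section, findings in (("CloudTrail", check_trails(TRAILS, TRAIL_STATUS, EVENT_SELECTORS)),
                              ("Enhanced Monitoring", check_instances(DB_INSTANCES)),
                              ("CloudWatch Logs export", check_clusters(DB_CLUSTERS))):
        for resource, issues in findings.items():
            print(f"[{section}] {resource}: {'OK' if not issues else '; '.join(issues)}")
    verdict = is_compliant(TRAILS, TRAIL_STATUS, EVENT_SELECTORS, DB_INSTANCES, DB_CLUSTERS)
    print("COMPLIANT" if verdict else "NON-COMPLIANT")
```

To run it against a real account, replace the constructed dictionaries with the parsed output of the corresponding CLI calls; the check functions only depend on the field names those commands already return.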

Implementation Plan

Using AWS Console:

  1. In the CloudTrail Console, create or enable a trail that captures all management and data events.

  2. In the RDS Dashboard, go to the Modify option for the Aurora instance and enable Enhanced Monitoring.

  3. Under CloudWatch Logs, ensure the Aurora database logs are configured to be forwarded and stored securely.

Using AWS CLI:

  1. Create or update a CloudTrail trail, then start logging (create-trail only defines the trail; logging must be started separately):

     aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --is-multi-region-trail
     aws cloudtrail start-logging --name my-trail

  2. Enable Enhanced Monitoring on the Aurora instance (a monitoring role ARN is required whenever the interval is set to a value other than 0):

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 60 --monitoring-role-arn <monitoring-role-arn> --apply-immediately

  3. Enable CloudWatch Logs export for Aurora (log export is configured on the DB cluster, not on individual instances):

     aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error"]}' --apply-immediately

Backout Plan

Using AWS Console:

  1. Go to RDS Dashboard and disable Enhanced Monitoring for the Aurora instance under Modify.

  2. In CloudTrail, delete or disable the active trail.

  3. Remove log configurations from CloudWatch Logs.

Using AWS CLI:

  1. Disable Enhanced Monitoring:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 0 --apply-immediately

  2. Delete the CloudTrail trail:

     aws cloudtrail delete-trail --name my-trail

  3. Disable log export to CloudWatch on the DB cluster:

     aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit","error"]}' --apply-immediately

References: