Profile Applicability
 • Level 1

Description
 Enable audit logging to capture database activities, including login attempts, queries, and modifications. Logs should be forwarded to Amazon CloudWatch or a centralized log management system for analysis and monitoring.

Rationale
 Audit logging ensures traceability of activities, enabling monitoring for suspicious behavior and providing a forensic trail in case of security incidents.

Impact
 Pros:
 • Improves visibility into database usage
 • Supports compliance and security monitoring

Cons:
 • May increase storage costs
 • Requires log review processes

Default Value
 Audit logging is not enabled by default on every service; you must configure it manually for the database engine in use.

Pre-Requisites
 • An Amazon CloudWatch Logs group or an Amazon S3 bucket for log storage
 • IAM permissions to modify database configurations

Remediation

Test Plan

  1. Sign in to the AWS Console

  2. Open the database console (e.g., DocumentDB, Neptune, MemoryDB)

  3. Navigate to the cluster's configuration or logging settings

  4. Verify that audit logging is enabled and directed to CloudWatch or S3

  5. Confirm retention period and access policies are in place

Implementation Plan

Using AWS Console

  1. Sign in to the AWS Management Console

  2. Open the database console (e.g., DocumentDB, Neptune, MemoryDB)

  3. Select your database cluster

  4. Navigate to Logging or Monitoring section

  5. Click Modify or Edit

  6. Enable Audit Logging

  7. Choose a CloudWatch Logs group or S3 bucket

  8. Set retention policy

  9. Click Save or Apply Changes

Using AWS CLI

  1. Identify your cluster name:

     aws docdb describe-db-clusters


  2. Enable audit logs (DocumentDB example):

     aws docdb modify-db-cluster --db-cluster-identifier my-cluster --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' --apply-immediately


  3. Verify logs are enabled:

     aws docdb describe-db-clusters --db-cluster-identifier my-cluster

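The verification step above returns the full cluster description; the following script, added here as an example and not part of the benchmark, checks that output for clusters whose EnabledCloudwatchLogsExports list lacks "audit" and prints the Implementation Plan's modify-db-cluster call for each one. It also checks the cluster parameter group's audit_logs value, because on DocumentDB the export setting alone does not start auditing. Cluster names and parameter values in the samples are constructed.

```python
"""Flag DocumentDB clusters that do not export audit logs to CloudWatch."""
import json
import sys

# Constructed sample, shaped like `aws docdb describe-db-clusters` JSON output.
SAMPLE_CLUSTERS = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod",
         "EnabledCloudwatchLogsExports": ["audit", "profiler"]},
        {"DBClusterIdentifier": "analytics-dev",
         "EnabledCloudwatchLogsExports": ["profiler"]},
        {"DBClusterIdentifier": "legacy-test"},  # key absent: nothing is exported
    ]
}
# Constructed sample, shaped like `aws docdb describe-db-cluster-parameters` output.
SAMPLE_PARAMS = {"Parameters": [{"ParameterName": "audit_logs",
                                 "ParameterValue": "disabled"}]}


def clusters_missing_audit_export(describe_output):
    """Return sorted identifiers of clusters whose export list lacks 'audit'."""
    return sorted(
        c["DBClusterIdentifier"]
        for c in describe_output.get("DBClusters", [])
        if "audit" not in c.get("EnabledCloudwatchLogsExports", [])
    )


def audit_logs_parameter_enabled(params_output):
    """True when the parameter group's audit_logs value is anything but 'disabled'."""
    # Exporting the 'audit' log type only ships the stream to CloudWatch; the
    # cluster parameter group must also turn auditing on, so check both.
    for p in params_output.get("Parameters", []):
        if p.get("ParameterName") == "audit_logs":
            return p.get("ParameterValue", "disabled") != "disabled"
    return False  # parameter absent from the group: treat as not enabled


def remediation_command(cluster_id):
    """The Implementation Plan's CLI call, filled in for one cluster."""
    return (f"aws docdb modify-db-cluster --db-cluster-identifier {cluster_id} "
            "--cloudwatch-logs-export-configuration "
            "'{\"EnableLogTypes\":[\"audit\"]}' --apply-immediately")


if __name__ == "__main__":
    # Pipe `aws docdb describe-db-clusters` output in, or run alone for the sample.
    data = SAMPLE_CLUSTERS if sys.stdin.isatty() else json.load(sys.stdin)
    for cid in clusters_missing_audit_export(data):
        print(f"NON-COMPLIANT {cid}: {remediation_command(cid)}")
```

Run it as `aws docdb describe-db-clusters | python3 check_audit.py` against a real account; the same parsing applies to boto3's describe_db_clusters response.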

Backout Plan

Using AWS Console

  1. Sign in to the AWS Console

  2. Open the database service

  3. Select your cluster

  4. Navigate to Logging section

  5. Click Edit or Modify

  6. Disable audit logging

  7. Click Save

Using AWS CLI

  1. Run the following to disable audit logs:

     aws docdb modify-db-cluster --db-cluster-identifier my-cluster --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit"]}' --apply-immediately


References
 • Amazon DocumentDB Audit Logging
 • Amazon CloudWatch Logs

CIS Controls Mapping
 • v8 - 8.1 Establish and Maintain an Audit Log Management Process
 • v7 - 6.2 Activate audit logging