Profile Applicability:
- Level 1
Description:
Monitoring and logging are essential for tracking database performance, detecting anomalies, and demonstrating compliance with security standards. For Aurora this means three distinct data sources: Enhanced Monitoring (OS-level metrics from the host running each DB instance), export of the engine logs (audit, error and others) from the DB cluster to CloudWatch Logs, and CloudTrail (control-plane API calls such as ModifyDBCluster or DeleteDBInstance). Together they record who changed the database configuration, what the database engine logged, and how the underlying host behaved, which is what an investigation of a potential security incident needs.
Rationale:
Each source answers a different question during an investigation: the exported audit and error logs show who connected and which statements ran or failed, Enhanced Monitoring shows resource use on the host at granularities down to one second, and CloudTrail shows who changed the cluster's configuration (for example a parameter group, security group or deletion-protection change) and when. With all three enabled you can distinguish unauthorized access, performance degradation and administrative change from one another; without them the record is incomplete.
Impact:
Without these settings the only record of activity is CloudTrail's 90-day event history of management events and the basic CloudWatch metrics RDS publishes by default; there are no durable database-level audit logs and no host-level metrics, so investigating a suspected breach or troubleshooting an incident after the fact is largely impossible. Enabling them makes database interactions and configuration changes auditable. Expect CloudWatch Logs ingestion and storage charges proportional to log volume (audit logs on a busy cluster can be significant) and set a retention period on the resulting log groups.
Default Value:
Aurora DB clusters created with the API or CLI export no log types to CloudWatch Logs, and their DB instances have Enhanced Monitoring disabled (MonitoringInterval 0) unless a monitoring interval and role are supplied. The console pre-selects some of these options during creation, so check the effective setting rather than assuming. CloudTrail records management events to its 90-day event history without any configuration, but a trail must be created and started for a durable, searchable record.
Pre-requisites:
An AWS account with one or more Aurora DB clusters.
Knowledge of CloudWatch, CloudTrail, and RDS Enhanced Monitoring.
An IAM role that Enhanced Monitoring can assume to publish metrics to CloudWatch Logs (the console creates one named rds-monitoring-role with the AmazonRDSEnhancedMonitoringRole managed policy attached).
An S3 bucket whose bucket policy allows CloudTrail to write log files to it.
Administrative access to modify the Aurora cluster and its instances and to manage CloudTrail.
Remediation:
Test Plan:
Using AWS Console:
Navigate to RDS > Databases and select the Aurora cluster.
For each DB instance in the cluster, open it and check in its configuration details that Enhanced Monitoring is enabled and note the monitoring interval.
On the cluster, check the configuration details for the log types published to CloudWatch Logs (for Aurora MySQL, audit and error at minimum; for Aurora PostgreSQL, postgresql). Log export is a cluster-level setting and is not shown on the individual instances.
In CloudTrail > Trails, confirm that a multi-region trail exists, is logging, and records management events; RDS API calls are management events, so no RDS-specific setting is needed.
In CloudWatch > Log groups, confirm that the groups /aws/rds/cluster/<cluster-id>/<log-type> exist and have recent log streams.
Using AWS CLI:
Confirm Enhanced Monitoring on each DB instance (MonitoringInterval is 0 when it is disabled; EnhancedMonitoringResourceArn is the CloudWatch Logs stream that receives the metrics):
aws rds describe-db-instances --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier, DBClusterIdentifier:DBClusterIdentifier, MonitoringInterval:MonitoringInterval, EnhancedMonitoringResourceArn:EnhancedMonitoringResourceArn}"
Confirm which log types the Aurora cluster exports to CloudWatch Logs (for Aurora this is a cluster-level setting, so describe-db-instances does not report it):
aws rds describe-db-clusters --query "DBClusters[].{DBClusterIdentifier:DBClusterIdentifier, Engine:Engine, EnabledCloudwatchLogsExports:EnabledCloudwatchLogsExports}"
Confirm that the exported logs are actually arriving (Aurora log groups are named /aws/rds/cluster/<cluster-id>/<log-type>):
aws logs describe-log-groups --log-group-name-prefix /aws/rds/cluster/<cluster-id>/
Check that a CloudTrail trail exists, is multi-region and is currently logging. RDS API calls are management events and are recorded by any trail that logs management events:
aws cloudtrail describe-trails --query "trailList[].{TrailName:Name, S3BucketName:S3BucketName, IsMultiRegionTrail:IsMultiRegionTrail}"
aws cloudtrail get-trail-status --name <trail-name> --query IsLogging
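The three CLI checks above are easy to run once and hard to run consistently across many clusters. The following script, added here as an example and not part of this benchmark or of any AWS tooling, evaluates the JSON returned by describe-db-clusters, describe-db-instances, describe-trails and get-trail-status against the expectations of this control and prints findings. The required log types per engine and the 60-second interval are policy assumptions; the sample documents are constructed, not captured from a real account.

```python
"""Evaluate Aurora monitoring and logging posture from saved AWS CLI JSON output.

Added example; not AWS code. Feed it the parsed output of:
  aws rds describe-db-clusters --output json
  aws rds describe-db-instances --output json
  aws cloudtrail describe-trails --output json
  aws cloudtrail get-trail-status --name <trail> --output json   (one per trail)
"""

# Policy assumption: minimum log types that must be exported, per Aurora engine.
# Aurora MySQL splits audit and error logs; Aurora PostgreSQL has one "postgresql" log.
REQUIRED_LOG_EXPORTS = {
    "aurora-mysql": {"audit", "error"},
    "aurora-postgresql": {"postgresql"},
}


def check_cluster(cluster):
    """Findings for one element of describe-db-clusters' DBClusters list."""
    cid = cluster["DBClusterIdentifier"]
    required = REQUIRED_LOG_EXPORTS.get(cluster.get("Engine", ""))
    if required is None:
        return [f"{cid}: unknown engine {cluster.get('Engine')!r}, review manually"]
    enabled = set(cluster.get("EnabledCloudwatchLogsExports", []))
    missing = sorted(required - enabled)
    if missing:
        return [f"{cid}: not exported to CloudWatch Logs: {', '.join(missing)}"]
    return []


def check_instance(instance):
    """Findings for one element of describe-db-instances' DBInstances list."""
    iid = instance["DBInstanceIdentifier"]
    interval = instance.get("MonitoringInterval", 0)
    if interval == 0:
        return [f"{iid}: Enhanced Monitoring disabled (MonitoringInterval=0)"]
    # Heuristic: the resource ARN names the CloudWatch Logs stream receiving metrics.
    # A non-zero interval with no ARN usually means the monitoring role is not working.
    if not instance.get("EnhancedMonitoringResourceArn"):
        return [f"{iid}: MonitoringInterval set but no EnhancedMonitoringResourceArn; check the monitoring IAM role"]
    return []


def check_trails(trails, status_by_name):
    """Pass if at least one multi-region trail is currently logging.

    trails: the trailList from describe-trails; status_by_name: trail name ->
    get-trail-status output. Management events (which include every RDS API call)
    are recorded by a trail unless its event selectors were changed to exclude them.
    """
    logging_trails = [
        t["Name"] for t in trails
        if t.get("IsMultiRegionTrail") and status_by_name.get(t["Name"], {}).get("IsLogging")
    ]
    if not logging_trails:
        return ["no multi-region CloudTrail trail is currently logging RDS API activity"]
    return []


def evaluate(clusters_doc, instances_doc, trails_doc, status_by_name):
    """Run every check over the parsed CLI documents and return all findings."""
    findings = []
    for cluster in clusters_doc["DBClusters"]:
        findings += check_cluster(cluster)
    for instance in instances_doc["DBInstances"]:
        findings += check_instance(instance)
    findings += check_trails(trails_doc["trailList"], status_by_name)
    return findings


# Constructed sample output: one compliant cluster and one that fails both RDS checks.
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql",
     "EnabledCloudwatchLogsExports": ["audit", "error", "slowquery"]},
    {"DBClusterIdentifier": "reports-dev", "Engine": "aurora-postgresql",
     "EnabledCloudwatchLogsExports": []},
]}
SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod-writer", "DBClusterIdentifier": "orders-prod",
     "MonitoringInterval": 60,
     "EnhancedMonitoringResourceArn": "arn:aws:logs:us-east-1:123456789012:log-group:RDSOSMetrics:log-stream:db-EXAMPLE"},
    {"DBInstanceIdentifier": "reports-dev-writer", "DBClusterIdentifier": "reports-dev",
     "MonitoringInterval": 0},
]}
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs", "IsMultiRegionTrail": True},
]}
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_CLUSTERS, SAMPLE_INSTANCES, SAMPLE_TRAILS, SAMPLE_STATUS):
        print("FAIL", finding)
```

On the sample data the script reports two findings, both against the reports-dev cluster and its writer instance; the orders-prod cluster and the logging multi-region trail pass. To run it against a real account, save each CLI command's --output json to a file, json.load the files, and pass the results to evaluate(); the check for the Aurora MySQL audit log only confirms that export is enabled, it does not verify that server_audit_logging is set in the cluster parameter group, which must be reviewed separately.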
Implementation Plan:
Using AWS Console:
Go to RDS > Databases, select each DB instance in the Aurora cluster in turn, and click Modify.
In the Monitoring section, enable Enhanced Monitoring, choose a granularity (60 seconds or finer), and select the monitoring IAM role.
Select the Aurora cluster itself, click Modify, and under Log exports select the log types to publish to CloudWatch Logs: for Aurora MySQL at least Audit log and Error log (the audit log is only produced when server_audit_logging is enabled in the cluster parameter group), for Aurora PostgreSQL the PostgreSQL log.
Navigate to CloudTrail > Trails and create a multi-region trail that records management events; these include all RDS API calls. Data events for RDS apply only to the Aurora Data API and are not required for this control.
Apply the changes and confirm that log streams appear under /aws/rds/cluster/<cluster-id>/<log-type> in CloudWatch Logs and that RDS API calls appear in CloudTrail.
Using AWS CLI:
Enable Enhanced Monitoring on each DB instance in the cluster. A non-zero interval requires the IAM role Enhanced Monitoring uses to publish to CloudWatch Logs; valid intervals are 1, 5, 10, 15, 30 or 60 seconds:
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 60 --monitoring-role-arn <monitoring-role-arn> --apply-immediately
Enable log export to CloudWatch Logs on the cluster (for Aurora this is a modify-db-cluster operation, and the change is always applied immediately). For Aurora MySQL:
aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error"]}'
For Aurora PostgreSQL, which has a single engine log type:
aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["postgresql"]}'
Create a multi-region CloudTrail trail that records management events, which include all RDS API calls. Log file validation lets you later prove the delivered log files were not altered:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events --enable-log-file-validation
Start logging; a trail created with the CLI records nothing until this is run:
aws cloudtrail start-logging --name <trail-name>
Backout Plan:
Using AWS Console:
In RDS > Databases, select each DB instance, click Modify, and disable Enhanced Monitoring in the Monitoring section.
Select the Aurora cluster, click Modify, and under Log exports deselect the log types; the existing CloudWatch log groups and their data are retained until deleted separately.
In CloudTrail > Trails, stop logging on the trail (this stops recording of all API activity, not only RDS) and delete the trail if it is no longer needed.
Using AWS CLI:
Disable Enhanced Monitoring on the instance (an interval of 0 turns it off; the monitoring role is left in place):
aws rds modify-db-instance --db-instance-identifier <db-instance-id> --monitoring-interval 0 --apply-immediately
Stop exporting the log types to CloudWatch Logs. Use DisableLogTypes; an empty EnableLogTypes list changes nothing. Existing log groups and their data are retained until deleted separately:
aws rds modify-db-cluster --db-cluster-identifier <db-cluster-id> --cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit","error"]}'
Stop CloudTrail logging (this stops recording of all API activity on the trail, not only RDS):
aws cloudtrail stop-logging --name <trail-name>
Delete the trail if it is no longer needed (log files already delivered to S3 remain in the bucket):
aws cloudtrail delete-trail --name <trail-name>
References: