Triage and Remediation
Remediation
Using Console
To remediate the DocDB Cluster Audit Logging misconfiguration for AWS RDS using the AWS console, follow these step-by-step instructions:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to the AWS Management Console using your credentials.
- Navigate to the Amazon RDS Console: Once you are logged in, navigate to the Amazon RDS console by clicking on the “Services” dropdown menu at the top of the page and selecting “RDS” under the “Database” category.
- Select the Amazon DocumentDB Cluster: In the Amazon RDS console, locate and select the Amazon DocumentDB cluster for which you want to enable audit logging.
- Enable Audit Logging:
  - On the cluster details page, click on the “Modify” button in the upper right corner.
  - Scroll down to the “Database options” section.
  - Under the “Audit log configuration” section, select “Enable” for the “Audit log” option.
  - Choose the desired settings for the audit log, such as the S3 bucket where the logs will be stored, the IAM role that has permission to write to the bucket, and the KMS key for encryption (if needed).
  - Click on the “Continue” button.
- Apply Changes: Review the changes you have made in the “Summary of modifications” section. If everything looks correct, click on the “Modify cluster” button to apply the changes.
- Monitor Audit Logging Status: Once the modifications are applied, monitor the status of the audit logging configuration on the Amazon DocumentDB cluster details page. The status should change to “applying” and then “active” once audit logging is successfully enabled.
Using CLI
To remediate the misconfiguration of DocDB Cluster Audit Logging not being enabled for AWS RDS using the AWS CLI, follow these steps:
- Enable Logging for the Amazon DocumentDB Cluster: Run the following AWS CLI command to enable audit logging for your Amazon DocumentDB cluster. Replace `cluster-identifier` with the actual identifier of your DocumentDB cluster.
- Verify the Audit Logging Configuration: Run the following command to verify that the audit logging configuration has been successfully updated for your DocumentDB cluster. This command should return an array with the value `[ "audit" ]`, indicating that audit logging has been enabled.
- Monitor the CloudWatch Logs: Once audit logging is enabled, you can monitor the logs in CloudWatch Logs to ensure that all database activities are being logged appropriately.
Using Python
To remediate the misconfiguration of DocDB Cluster Audit Logging not being enabled for AWS RDS using Python, you can follow these steps:
- Import the necessary Python libraries, such as `boto3`, which is the AWS SDK for Python.
- Initialize the AWS RDS client using the `boto3.client` method.
- Identify the DocDB Cluster for which you want to enable audit logging. You can do this by specifying the `DBClusterIdentifier` of the DocDB Cluster.
- Enable audit logging for the DocDB Cluster by calling the `modify_db_cluster` method of the RDS client with the `EnableCloudwatchLogsExports` parameter set to include `'audit'`.
- Verify that the audit logging has been enabled successfully by checking the response from the `modify_db_cluster` API call.
By following these steps and running the Python script, you can remediate the misconfiguration of DocDB Cluster Audit Logging not being enabled for AWS RDS.
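The check-then-fix flow that the CLI and Python steps above describe, written out as an added example (not code from the original page). It assumes the boto3 `docdb` client rather than the RDS client named in the steps, and it passes `CloudwatchLogsExportConfiguration`, which is the parameter `modify_db_cluster` accepts for changing exports on an existing cluster; `FakeDocDBClient` is a constructed stand-in so the flow runs offline.

```python
"""Check whether a DocumentDB cluster exports 'audit' logs to CloudWatch and enable it if not."""

AUDIT = "audit"


def missing_audit_export(cluster):
    """True when a describe_db_clusters entry does not list 'audit' under EnabledCloudwatchLogsExports."""
    return AUDIT not in cluster.get("EnabledCloudwatchLogsExports", [])


def remediate_audit_logging(client, cluster_id):
    """Enable the 'audit' export on cluster_id unless it is already on.

    Returns the log types the cluster reports as exported after the call. The real API applies
    the change asynchronously, so confirm later with describe_db_clusters (the CLI verify step).
    """
    cluster = client.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    if not missing_audit_export(cluster):
        return list(cluster["EnabledCloudwatchLogsExports"])  # already compliant, no modify call
    resp = client.modify_db_cluster(
        DBClusterIdentifier=cluster_id,
        CloudwatchLogsExportConfiguration={"EnableLogTypes": [AUDIT]},
        ApplyImmediately=True,
    )
    return list(resp["DBCluster"].get("EnabledCloudwatchLogsExports", []))


class FakeDocDBClient:
    """Constructed stand-in for boto3.client('docdb') so the flow runs offline (assumption, not AWS code)."""

    def __init__(self, exports_by_cluster):
        self.exports = exports_by_cluster  # cluster id -> mutable list of enabled exports
        self.modify_calls = []

    def describe_db_clusters(self, DBClusterIdentifier):
        return {"DBClusters": [{"DBClusterIdentifier": DBClusterIdentifier,
                                "EnabledCloudwatchLogsExports": list(self.exports[DBClusterIdentifier])}]}

    def modify_db_cluster(self, DBClusterIdentifier, CloudwatchLogsExportConfiguration, ApplyImmediately):
        enabled = self.exports[DBClusterIdentifier]
        for log_type in CloudwatchLogsExportConfiguration.get("EnableLogTypes", []):
            if log_type not in enabled:
                enabled.append(log_type)
        self.modify_calls.append((DBClusterIdentifier, CloudwatchLogsExportConfiguration, ApplyImmediately))
        return {"DBCluster": {"DBClusterIdentifier": DBClusterIdentifier,
                              "EnabledCloudwatchLogsExports": list(enabled)}}


if __name__ == "__main__":
    # Against a real account: import boto3; client = boto3.client("docdb"); pass it instead of the fake.
    demo = FakeDocDBClient({"orders-docdb": ["profiler"]})  # constructed sample cluster
    print(remediate_audit_logging(demo, "orders-docdb"))  # ['profiler', 'audit']
```

The export only carries events once auditing is also switched on in the cluster parameter group (`audit_logs`), so check that parameter as well when verifying the fix.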