MySQL Aurora Logs Should Be Enabled
More Info: Ensure Aurora logging is enabled
Risk Level: Low
Address: Monitoring
Compliance Standards: HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS, SEBI
Triage and Remediation
Remediation
To remediate the issue of MySQL Aurora logs not being enabled in AWS RDS using the AWS Management Console, follow these step-by-step instructions:
- Login to AWS Management Console: Go to the AWS Management Console and log in with your credentials.
- Navigate to RDS Service: Click on the “Services” dropdown menu at the top left corner of the console, then select “RDS” under the Database category.
- Select the Aurora Database: From the list of RDS instances, locate and select the MySQL Aurora database for which you want to enable logs.
- Open Logs & events: In the RDS dashboard for the selected instance, navigate to the left-hand side menu and click on “Logs & events”.
- Modify the Audit Log: Under the “Logs & events” section, you will find the option to enable different types of logs such as Audit log, Error log, Slow query log, etc. Click on “Modify” next to the Audit log.
- Enable Audit Log: In the “Modify DB instance” window, find the “Audit log” section and set the “Enable audit log” toggle to “Yes”.
- Set Log Retention Period: Optionally, you can set the retention period for the logs. By default, logs are retained for 7 days. You can adjust this as per your requirements.
- Save Changes: Scroll down to the bottom of the page and click on the “Continue” button.
- Apply Changes: Review the changes you are about to make and click on the “Modify DB instance” button to apply the changes.
- Verify Log Enablement: Once the modification is complete, go back to the RDS dashboard and check the status of the Audit log to ensure that it is now enabled for the MySQL Aurora database.
By following these steps, you will successfully enable the Audit log for the MySQL Aurora database in AWS RDS using the AWS Management Console.
To remediate the misconfiguration of MySQL Aurora Logs not being enabled for an AWS RDS instance using AWS CLI, follow these step-by-step instructions:
- Enable Enhanced Monitoring: Enable Enhanced Monitoring for your Aurora MySQL RDS instance. This will allow you to access the query and error logs.
aws rds modify-db-instance --db-instance-identifier <your-db-instance-identifier> --monitoring-interval 60 --monitoring-role-arn <your-monitoring-role-arn>
Replace <your-db-instance-identifier> with the identifier of your RDS instance and <your-monitoring-role-arn> with the ARN of the IAM role that has permissions to publish logs to CloudWatch.
- Enable Query and Error Logs: Export the audit, error, general and slow query logs of your Aurora MySQL cluster to CloudWatch Logs. Aurora publishes logs at the DB cluster level, so this command targets the cluster rather than an individual instance.
aws rds modify-db-cluster --db-cluster-identifier <your-db-cluster-identifier> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error","general","slowquery"]}'
Replace <your-db-cluster-identifier> with the identifier of your Aurora DB cluster.
- Verify the Configuration: Check if the configuration has been applied successfully by describing your Aurora DB cluster and inspecting the list of exported log types.
aws rds describe-db-clusters --db-cluster-identifier <your-db-cluster-identifier> --query 'DBClusters[*].[DBClusterArn,Status,EnabledCloudwatchLogsExports]'
Replace <your-db-cluster-identifier> with the identifier of your Aurora DB cluster.
By following these steps, you can successfully remediate the misconfiguration of MySQL Aurora Logs not being enabled for your AWS RDS instance using the AWS CLI.
To remediate the misconfiguration of MySQL Aurora logs not being enabled for an AWS RDS instance using Python, you can follow these steps:
- Import the necessary Python libraries:
import boto3
- Connect to the AWS RDS service using the Boto3 library:
client = boto3.client('rds')
- Identify the Aurora DB cluster for which you want to enable MySQL Aurora logs (Aurora publishes logs at the cluster level, not per instance):
db_cluster_identifier = 'your_aurora_cluster_identifier'
- Enable the MySQL Aurora logs for the identified cluster by exporting them to CloudWatch Logs:
response = client.modify_db_cluster(
    DBClusterIdentifier=db_cluster_identifier,
    CloudwatchLogsExportConfiguration={'EnableLogTypes': ['error', 'general', 'slowquery']}
)
- Verify that the MySQL Aurora logs have been successfully enabled for the cluster:
response = client.describe_db_clusters(DBClusterIdentifier=db_cluster_identifier)
# The key is absent when no log type is exported, so default to an empty list
logs_enabled = response['DBClusters'][0].get('EnabledCloudwatchLogsExports', [])
if all(log_type in logs_enabled for log_type in ('error', 'general', 'slowquery')):
    print("MySQL Aurora logs have been successfully enabled for the cluster.")
else:
    print("Failed to enable MySQL Aurora logs for the cluster.")
By following these steps and running the Python script, you can successfully remediate the misconfiguration of MySQL Aurora logs not being enabled for an AWS RDS instance.
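A detection check to pair with the remediation above, added here as an example and not code from the original page: it lists Aurora MySQL clusters whose CloudWatch log exports lack any of the four log types the CLI step enables, reading the same EnabledCloudwatchLogsExports field the verification step inspects. The boto3 call, the region name and the cluster names are assumptions; the sample cluster records are constructed so the check runs offline.

```python
"""Report Aurora MySQL clusters whose CloudWatch log exports are incomplete.
Added example, not the original page's code: it checks the DBClusters records
that describe-db-clusters returns; the boto3 call is isolated so the check
also runs offline on the constructed sample below."""

# The four log types Aurora MySQL can publish to CloudWatch Logs (as in the CLI step).
REQUIRED_LOG_TYPES = frozenset({"audit", "error", "general", "slowquery"})

def missing_log_exports(cluster, required=REQUIRED_LOG_TYPES):
    """Sorted required log types the cluster does not export; [] if compliant or not Aurora MySQL."""
    if cluster.get("Engine") not in ("aurora", "aurora-mysql"):
        return []
    # The key is absent entirely when no log type has been exported yet.
    enabled = set(cluster.get("EnabledCloudwatchLogsExports", []))
    return sorted(required - enabled)

def audit_clusters(clusters, required=REQUIRED_LOG_TYPES):
    """Map each non-compliant Aurora MySQL cluster identifier to its missing log types."""
    findings = {}
    for cluster in clusters:
        missing = missing_log_exports(cluster, required)
        if missing:
            findings[cluster["DBClusterIdentifier"]] = missing
    return findings

def fetch_clusters(region_name="us-east-1"):
    """Page through describe_db_clusters with boto3 (assumed: credentials and region are set)."""
    import boto3  # imported here so the offline path does not need boto3 installed
    rds = boto3.client("rds", region_name=region_name)
    clusters = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return clusters

# Constructed sample records mirroring the fields of real DBClusters entries.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-mysql",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
    {"DBClusterIdentifier": "legacy-aurora", "Engine": "aurora-mysql"},
    {"DBClusterIdentifier": "billing-aurora", "Engine": "aurora-mysql",
     "EnabledCloudwatchLogsExports": ["audit", "error", "general", "slowquery"]},
    {"DBClusterIdentifier": "reports-pg", "Engine": "aurora-postgresql",
     "EnabledCloudwatchLogsExports": ["postgresql"]},
]

if __name__ == "__main__":
    for ident, missing in audit_clusters(SAMPLE_CLUSTERS).items():
        print(f"{ident}: missing CloudWatch log exports {', '.join(missing)}")
```

Exporting the audit log type only surfaces entries when Advanced Auditing (server_audit_logging in the DB cluster parameter group) is turned on, which this check does not inspect.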