More Info:
Aurora Serverless databases should have the Log Exports feature enabled in order to publish general logs, slow query logs, audit logs and error logs to AWS CloudWatch.

Risk Level: Low

Address: Operational Maturity, Reliability, Security

Compliance Standards: SOC2, NISTCSF, PCIDSS

Triage and Remediation
Remediation
Using Console
To remediate this misconfiguration by enabling serverless log exports for AWS RDS using the AWS console, follow these step-by-step instructions:
- Log in to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
- Navigate to RDS Service: Click on the “Services” dropdown menu at the top of the page, and select “RDS” under the Database category.
- Select the RDS Instance: From the list of RDS instances, select the instance for which you want to enable serverless log exports by clicking on its name.
- Modify the RDS Instance: In the RDS instance details page, click on the “Modify” button located at the top right corner.
- Enable Enhanced Monitoring: In the Modify DB Instance window, scroll down to the “Monitoring” section.
- Enable Log Exports: Under the “Monitoring” section, you will find an option for “Enhanced Monitoring”. Enable the “Enhanced Monitoring” option.
- Configure Log Exports: Once you have enabled Enhanced Monitoring, you will see additional options for configuring log exports. Configure the settings according to your requirements, such as the log types to export and the destination for the logs.
- Save Changes: After configuring the log export settings, scroll down to the bottom of the page and click on the “Continue” button.
- Apply Changes: Review the changes you have made, and then click on the “Modify DB Instance” button to apply the changes to the RDS instance.
- Verify Configuration: Once the modification is complete, verify that serverless log exports have been successfully enabled for the RDS instance by checking the logs in the specified destination.
Using CLI
To remediate the misconfiguration of Serverless Log Exports not being enabled for an AWS RDS instance using AWS CLI, follow these steps:
- Identify the RDS instance: First, you need to identify the RDS instance for which you want to enable Serverless Log Exports. You can do this by running the following AWS CLI command:
- Enable Serverless Log Exports: Once you have identified the RDS instance, you can enable Serverless Log Exports by running the following AWS CLI command:
  Replace YOUR_DB_INSTANCE_IDENTIFIER with the actual identifier of your RDS instance.
- Verify the Configuration: You can verify that Serverless Log Exports have been enabled successfully by running the describe-db-instances command again and checking the EnabledCloudwatchLogsExports attribute in the output.
Using Python
To enable serverless log exports for an AWS RDS instance using Python, you can use the AWS SDK for Python (Boto3) to interact with the AWS RDS service. Below are the step-by-step instructions to remediate this misconfiguration:
- Install Boto3: Make sure you have Boto3 installed. You can install it using pip:
- Configure AWS Credentials: Ensure that you have your AWS credentials configured either by setting environment variables or using the AWS CLI aws configure command.
- Write Python script: Create a Python script with the following code snippet to enable serverless log exports for the RDS instance:
  Replace 'YOUR_RDS_INSTANCE_IDENTIFIER' with the actual identifier of your RDS instance.
- Run the Python script: Execute the Python script that you created in the previous step. This script will enable serverless log exports for the specified RDS instance.
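The following script is an added example covering both the CLI procedure above (describe the instance, enable the exports, describe again to verify) and the Python step; it is not the page's own snippet. It uses Boto3's real describe_db_instances and modify_db_instance calls with the CloudwatchLogsExportConfiguration parameter and the EnabledCloudwatchLogsExports attribute named on this page. The identifier YOUR_RDS_INSTANCE_IDENTIFIER is a placeholder, and the set of required log types (general, slowquery, audit, error) is taken from the page's description of Aurora Serverless; the stub client and the function names are assumptions made for the example. The client is passed in so that the check-and-remediate logic can be exercised offline against the constructed stub before it is pointed at a real account.

```python
"""Detect and remediate missing CloudWatch log exports on an RDS DB instance.

Added example (not the original page's code). Assumes AWS credentials are
already configured via environment variables or `aws configure`; the real
boto3 client is only created under __main__ so the logic can run offline.
"""
from __future__ import annotations

# Log types the page lists for Aurora Serverless (MySQL-compatible engines).
# Assumption: your engine accepts exactly these names; check the engine's
# supported log types before adding others.
REQUIRED_LOG_TYPES = ("general", "slowquery", "audit", "error")


def current_log_exports(rds, db_instance_identifier: str) -> list[str]:
    """Return the EnabledCloudwatchLogsExports list for one DB instance."""
    resp = rds.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)
    instance = resp["DBInstances"][0]
    return list(instance.get("EnabledCloudwatchLogsExports", []))


def missing_log_exports(enabled, required=REQUIRED_LOG_TYPES) -> list[str]:
    """The misconfiguration check: required log types not yet exported."""
    enabled_set = set(enabled)
    return [log_type for log_type in required if log_type not in enabled_set]


def enable_log_exports(rds, db_instance_identifier: str,
                       required=REQUIRED_LOG_TYPES,
                       apply_immediately: bool = True) -> list[str]:
    """Enable only the missing exports; returns the log types that were enabled.

    Idempotent: an instance that already exports everything is left untouched
    (no modify call, so no needless pending-modification on the instance).
    """
    missing = missing_log_exports(current_log_exports(rds, db_instance_identifier), required)
    if not missing:
        return []
    rds.modify_db_instance(
        DBInstanceIdentifier=db_instance_identifier,
        CloudwatchLogsExportConfiguration={"EnableLogTypes": missing},
        ApplyImmediately=apply_immediately,
    )
    return missing


def verify_log_exports(rds, db_instance_identifier: str,
                       required=REQUIRED_LOG_TYPES) -> bool:
    """True when every required log type appears in EnabledCloudwatchLogsExports."""
    return not missing_log_exports(current_log_exports(rds, db_instance_identifier), required)


class StubRDSClient:
    """Constructed in-memory stand-in for the boto3 RDS client (offline use only)."""

    def __init__(self, enabled):
        self.enabled = list(enabled)
        self.calls = []  # every CloudwatchLogsExportConfiguration passed to modify

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [{
            "DBInstanceIdentifier": DBInstanceIdentifier,
            "EnabledCloudwatchLogsExports": list(self.enabled),
        }]}

    def modify_db_instance(self, DBInstanceIdentifier,
                           CloudwatchLogsExportConfiguration, ApplyImmediately=False):
        self.calls.append(CloudwatchLogsExportConfiguration)
        self.enabled.extend(CloudwatchLogsExportConfiguration.get("EnableLogTypes", []))
        for log_type in CloudwatchLogsExportConfiguration.get("DisableLogTypes", []):
            if log_type in self.enabled:
                self.enabled.remove(log_type)
        return {"DBInstance": {"DBInstanceIdentifier": DBInstanceIdentifier,
                               "EnabledCloudwatchLogsExports": list(self.enabled)}}


if __name__ == "__main__":
    import sys
    import boto3  # real AWS client; imported here so the module loads offline

    identifier = sys.argv[1] if len(sys.argv) > 1 else "YOUR_RDS_INSTANCE_IDENTIFIER"
    client = boto3.client("rds")
    enabled_now = enable_log_exports(client, identifier)
    print("enabled:", enabled_now or "nothing (already compliant)")
    print("verified:", verify_log_exports(client, identifier))
```

Usage: `python enable_log_exports.py <your-db-instance-identifier>`. One caveat for Aurora: depending on engine and deployment the exports may be configured on the cluster rather than the instance, in which case the analogous describe_db_clusters / modify_db_cluster calls (which take the same CloudwatchLogsExportConfiguration parameter) are the ones to use. With ApplyImmediately=True the change takes effect without waiting for the maintenance window, so the verify step can be run right after the modify call returns.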