Control: Aurora MySQL DB clusters should have audit logging enabled
Description
This control checks whether an Amazon Aurora MySQL DB cluster has audit logging enabled. The control fails if an Aurora MySQL DB cluster doesn't have audit logging enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.rds_db_cluster_aurora_mysql_audit_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.rds_db_cluster_aurora_mysql_audit_logging_enabled --share
SQL
This control uses a named query:
-- Parameter groups that explicitly set server_audit_logging = 1, joined to the
-- clusters that use them (same name, account and region).
with pg_with_audit_logging_enabled as (
  select
    pg.name,
    pg.account_id,
    pg.region
  from
    aws_rds_db_cluster as c,
    aws_rds_db_cluster_parameter_group as pg,
    jsonb_array_elements(parameters) as p
  where
    pg.name = c.db_cluster_parameter_group
    and pg.account_id = c.account_id
    and pg.region = c.region
    and p ->> 'ParameterName' = 'server_audit_logging'
    and p ->> 'ParameterValue' = '1'
)
select
  arn as resource,
  -- Non-Aurora-MySQL engines are skipped; a cluster is 'ok' only when its
  -- parameter group appears in the CTE above, otherwise it alarms.
  case
    when engine <> 'aurora-mysql' then 'skip'
    when p.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'aurora-mysql' then title || ' is not Aurora MySQL-compatible edition.'
    when p.name is not null then title || ' audit logging enabled.'
    else title || ' audit logging disabled.'
  end as reason
  , i.region, i.account_id
from
  aws_rds_db_cluster as i
  left join pg_with_audit_logging_enabled as p
    on p.name = i.db_cluster_parameter_group
    and p.account_id = i.account_id
    and p.region = i.region;
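The control above passes a cluster as soon as its cluster parameter group sets server_audit_logging to 1; a group that leaves the parameter at its default (no explicit value) is reported as alarm, and the control does not look at whether the audit log actually leaves the instance. The following query is an added example, not part of the aws_compliance mod, that goes one step further for triage: for each Aurora MySQL cluster it reports the value of server_audit_logging and of server_audit_events (the Aurora MySQL Advanced Auditing parameter that selects which event classes are recorded) and whether the 'audit' log type is included in the cluster's enabled_cloudwatch_logs_exports. It assumes the same Steampipe tables the control uses, aws_rds_db_cluster and aws_rds_db_cluster_parameter_group; the output column names and the assessment labels are mine.

```sql
-- Added example, not part of the original control or the aws_compliance mod.
-- Assumes the Steampipe AWS plugin tables aws_rds_db_cluster and
-- aws_rds_db_cluster_parameter_group. Column aliases and assessment
-- labels below are this example's own.
with audit_params as (
  select
    pg.name,
    pg.account_id,
    pg.region,
    -- Pull both audit-related parameters out of the parameter group's
    -- jsonb array in one pass; each is null when the group does not set it.
    max(case when p ->> 'ParameterName' = 'server_audit_logging'
             then p ->> 'ParameterValue' end) as audit_logging,
    max(case when p ->> 'ParameterName' = 'server_audit_events'
             then p ->> 'ParameterValue' end) as audit_events
  from
    aws_rds_db_cluster_parameter_group as pg,
    jsonb_array_elements(pg.parameters) as p
  group by
    pg.name, pg.account_id, pg.region
)
select
  c.title,
  c.db_cluster_parameter_group,
  coalesce(a.audit_logging, '<not set>') as server_audit_logging,
  coalesce(a.audit_events,  '<not set>') as server_audit_events,
  -- jsonb '?' tests whether 'audit' is an element of the exports array;
  -- coalesce turns a null export list into false.
  coalesce(c.enabled_cloudwatch_logs_exports ? 'audit', false) as audit_log_exported,
  case
    when a.audit_logging = '1'
         and coalesce(c.enabled_cloudwatch_logs_exports ? 'audit', false)
      then 'ok'
    when a.audit_logging = '1'
      then 'logging on, not exported to CloudWatch Logs'
    else 'logging off'
  end as assessment
from
  aws_rds_db_cluster as c
  left join audit_params as a
    on a.name = c.db_cluster_parameter_group
    and a.account_id = c.account_id
    and a.region = c.region
where
  c.engine = 'aurora-mysql'
order by
  assessment, c.title;
```

Run it with steampipe query or as a Powerpipe query in place of the control when you want to see why a cluster alarmed: a '<not set>' value means the parameter group never overrides the default, while 'logging on, not exported to CloudWatch Logs' flags clusters that would pass the control but whose audit records stay on the instance's local storage.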