Control: 2.15 Ensure log monitoring and alerts are set up for RDS instance configuration changes
Description
It is recommended that a metric filter and alarm be established for RDS Instance configuration changes.
Remediation
Perform the following to ensure the log monitoring and alerts are set up for RDS instance configuration changes:
- Logon to SLS Console.
- Click
Log Service Audit Servicein the navigation pane. - Go to
Access to Cloud Products > Global Configurationpage.- Select a location of project for logs.
- Check the
Action Trailand configure a proper number of days. - Click
Saveto save the changes.
- Go to
Access to Cloud Products > Global ConfigurationsclickCentral Project. - Select
Log Management > Actiontrail Log. - In the search/analytics console, input the following query:
"event.serviceName": rds and ("event.eventName": ModifyHASwitchConfig or "event.eventName": ModifyDBInstanceHAConfig or "event.eventName": SwitchDBInstanceHA or "event.eventName": ModifyDBInstanceSpec or "event.eventName": MigrateSecurityIPMode or "event.eventName": ModifySecurityIps or "event.eventName": ModifyDBInstanceSSL or "event.eventName": MigrateToOtherZone or "event.eventName": UpgradeDBInstanceKernelVersion or "event.eventName": UpgradeDBInstanceEngineVersion or "event.eventName": ModifyDBInstanceMaintainTime or "event.eventName": ModifyDBInstanceAutoUpgradeMinorVersion or "event.eventName": AllocateInstancePublicConnection or "event.eventName": ModifyDBInstanceConnectionString or "event.eventName": ModifyDBInstanceNetworkExpireTime or "event.eventName": ReleaseInstancePublicConnection or "event.eventName": SwitchDBInstanceNetType or "event.eventName": ModifyDBInstanceNetworkType or "event.eventName": ModifyDBInstanceSSL or "event.eventName": ModifyDTCSecurityIpHostsForSQLServer or "event.eventName": ModifySecurityGroupConfiguration or "event.eventName": CreateBackup or "event.eventName": ModifyBackupPolicy or "event.eventName": DeleteBackup or "event.eventName": CreateDdrInstance or "event.eventName":ModifyInstanceCrossBackupPolicy) | select count(1) as cnt
- Create a dashboard and set alert for the query result.
Default Value:
The monitoring dashboard and alert is not set by default.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v200_2_15Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run alicloud_compliance.control.cis_v200_2_15 --shareSQL
This control uses a named query:
with actiontrail_check as ( select name as trail_name, account_id, status, sls_project_arn, sls_write_role_arn, home_region, trail_region, substring(sls_project_arn from 'acs:log:([^:]+):') as sls_region, substring(sls_project_arn from 'project/([^/]+)') as sls_project_name from alicloud_action_trail where status = 'Enable' and sls_project_arn is not null), alert_check as ( select project, region, name as alert_name, display_name, status as alert_status, coalesce( query_obj ->> 'Query', query_obj ->> 'query', query_obj::text ) as query_text from alicloud_sls_alert, jsonb_array_elements(query_list) as query_obj where (status = 'ENABLED' or status is null) and query_list is not null and ( coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.serviceName="rds"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.serviceName="Rds"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.serviceName": "rds"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.serviceName": "Rds"%' ) and ( coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyHASwitchConfig"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceHAConfig"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="SwitchDBInstanceHA"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceSpec"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="MigrateSecurityIPMode"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifySecurityIps"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceSSL"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="MigrateToOtherZone"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="UpgradeDBInstanceKernelVersion"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="UpgradeDBInstanceEngineVersion"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceMaintainTime"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceAutoUpgradeMinorVersion"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="AllocateInstancePublicConnection"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceConnectionString"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceNetworkExpireTime"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ReleaseInstancePublicConnection"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="SwitchDBInstanceNetType"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDBInstanceNetworkType"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyDTCSecurityIpHostsForSQLServer"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifySecurityGroupConfiguration"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="CreateBackup"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyBackupPolicy"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="DeleteBackup"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="CreateDdrInstance"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%event.eventName="ModifyInstanceCrossBackupPolicy"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyHASwitchConfig"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceHAConfig"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "SwitchDBInstanceHA"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceSpec"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "MigrateSecurityIPMode"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifySecurityIps"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceSSL"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "MigrateToOtherZone"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "UpgradeDBInstanceKernelVersion"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "UpgradeDBInstanceEngineVersion"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceMaintainTime"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceAutoUpgradeMinorVersion"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "AllocateInstancePublicConnection"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceConnectionString"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceNetworkExpireTime"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ReleaseInstancePublicConnection"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "SwitchDBInstanceNetType"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDBInstanceNetworkType"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyDTCSecurityIpHostsForSQLServer"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifySecurityGroupConfiguration"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "CreateBackup"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyBackupPolicy"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "DeleteBackup"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "CreateDdrInstance"%' or coalesce(query_obj ->> 'Query', query_obj ->> 'query', query_obj::text) ilike '%"event.eventName": "ModifyInstanceCrossBackupPolicy"%' )),matched_pairs as ( select distinct at.trail_name, at.sls_region, at.home_region, ac.alert_name, ac.region as alert_region from actiontrail_check at inner join alert_check ac on trim(lower(coalesce(at.sls_region, ''))) = trim(lower(coalesce(ac.region, ''))) and at.sls_region is not null and ac.region is not null and at.sls_region != '' and ac.region != '')select 'acs:actiontrail:' || at.home_region || ':' || at.account_id || ':actiontrail/' || at.name as resource, case when at.status = 'Enable' and at.sls_project_arn is not null and exists (select 1 from matched_pairs mp where mp.trail_name = at.name) then 'ok' else 'alarm' end as status, case when at.status = 'Enable' and at.sls_project_arn is not null and exists (select 1 from matched_pairs mp where mp.trail_name = at.name) then at.name || ' is configured with ActionTrail enabled, delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', and has a RDS instance configuration change monitoring alert configured' when at.status = 'Enable' and at.sls_project_arn is not null then at.name || ' is configured with ActionTrail enabled and delivering to SLS project in region ' || substring(at.sls_project_arn from 'acs:log:([^:]+):') || ', but no RDS instance configuration change monitoring alert found in that region' when at.status = 'Enable' and at.sls_project_arn is null then at.name || ' is enabled but not configured to deliver logs to SLS' else at.name || ' is not enabled' end as reason , account_id as account_id, region as regionfrom alicloud_action_trail at;