turbot/steampipe-mod-aws-compliance

Control: 40 RDS for SQL Server DB instances should publish logs to CloudWatch Logs

Description

This control checks whether an Amazon RDS for Microsoft SQL Server DB instance is configured to publish logs to Amazon CloudWatch Logs. The control fails if the RDS for SQL Server DB instance isn't configured to publish logs to CloudWatch Logs. You can optionally specify the types of logs that a DB instance should be configured to publish.

Database logging provides detailed records of requests made to an Amazon RDS DB instance. Publishing logs to CloudWatch Logs centralizes log management and helps you perform real-time analysis of log data. CloudWatch Logs retains logs in highly durable storage. In addition, you can use it to create alarms for specific errors that can occur, such as frequent restarts that are recorded in an error log. Similarly, you can create alarms for errors or warnings that are recorded in SQL Server agent logs related to SQL agent jobs.

Remediation

For information about publishing logs to CloudWatch Logs for an RDS for SQL Server DB instance, see Amazon RDS for Microsoft SQL Server database log files in the Amazon Relational Database Service User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_40

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_40 --share

SQL

This control uses a named query:

select
arn as resource,
case
when not engine like 'sqlserver%' then 'skip'
when enabled_cloudwatch_logs_exports ?& array ['error'] then 'ok'
else 'alarm'
end as status,
case
when not engine like 'sqlserver%' then title || ' is of ' || engine || ' type.'
when enabled_cloudwatch_logs_exports ?& array ['error'] then title || ' logging enabled.'
else title || ' logging disabled.'
end as reason
, region, account_id
from
aws_rds_db_instance;

Tags