Control: 40 RDS for SQL Server DB instances should publish logs to CloudWatch Logs
Description
This control checks whether an Amazon RDS for Microsoft SQL Server DB instance is configured to publish logs to Amazon CloudWatch Logs. The control fails if the RDS for SQL Server DB instance isn't configured to publish logs to CloudWatch Logs. You can optionally specify the types of logs that a DB instance should be configured to publish.
Database logging provides detailed records of requests made to an Amazon RDS DB instance. Publishing logs to CloudWatch Logs centralizes log management and helps you perform real-time analysis of log data. CloudWatch Logs retains logs in highly durable storage. In addition, you can use it to create alarms for specific errors that can occur, such as frequent restarts that are recorded in an error log. Similarly, you can create alarms for errors or warnings that are recorded in SQL Server agent logs related to SQL agent jobs.
Remediation
For information about publishing logs to CloudWatch Logs for an RDS for SQL Server DB instance, see Amazon RDS for Microsoft SQL Server database log files in the Amazon Relational Database Service User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_rds_40Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_rds_40 --shareSQL
This control uses a named query:
select arn as resource, case when not engine like 'sqlserver%' then 'skip' when enabled_cloudwatch_logs_exports ?& array ['error'] then 'ok' else 'alarm' end as status, case when not engine like 'sqlserver%' then title || ' is of ' || engine || ' type.' when enabled_cloudwatch_logs_exports ?& array ['error'] then title || ' logging enabled.' else title || ' logging disabled.' end as reason , region, account_idfrom aws_rds_db_instance;