Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 45 Aurora MySQL DB clusters should have audit logging enabled

Description

This control checks whether an Amazon Aurora MySQL DB cluster has audit logging enabled. The control fails if the DB parameter group associated with the DB cluster is not in sync, the server_audit_logging parameter is not set to 1, or the server_audit_events parameter is set to an empty value.

Database logs can assist with security and access audits and help diagnose availability issues. Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events that can be audited for security and compliance purposes.

Remediation

For information about enabling logging for an Amazon Aurora MySQL DB cluster, see Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs in the Amazon Aurora User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_45

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_45 --share

SQL

This control uses a named query:

with pg_with_audit_logging_enabled as (
  select
    pg.name,
    pg.account_id,
    pg.region
  from
    aws_rds_db_cluster as c,
    aws_rds_db_cluster_parameter_group as pg,
    jsonb_array_elements(parameters) as p
  where
    pg.name = c.db_cluster_parameter_group
    and pg.account_id = c.account_id
    and pg.region = c.region
    and p ->> 'ParameterName' = 'server_audit_logging'
    and p ->> 'ParameterValue' = '1'
)
select
  arn as resource,
  case
    when engine <> 'aurora-mysql' then 'skip'
    when p.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'aurora-mysql' then title || ' is not Aurora MySQL-compatible edition.'
    when p.name is not null then title || ' audit logging enabled.'
    else title || ' audit logging disabled.'
  end as reason
  
  , i.region, i.account_id
from
  aws_rds_db_cluster as i
  left join pg_with_audit_logging_enabled as p on p.name = i.db_cluster_parameter_group and p.account_id = i.account_id and p.region = i.region;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = rds_45
plugin = aws
service = AWS/RDS