turbot/steampipe-mod-aws-compliance

Control: 45 Aurora MySQL DB clusters should have audit logging enabled

Description

This control checks whether an Amazon Aurora MySQL DB cluster has audit logging enabled. The control fails if the DB parameter group associated with the DB cluster is not in sync, the server_audit_logging parameter is not set to 1, or the server_audit_events parameter is set to an empty value.

Database logs can assist with security and access audits and help diagnose availability issues. Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events that can be audited for security and compliance purposes.

Remediation

For information about enabling logging for an Amazon Aurora MySQL DB cluster, see Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs in the Amazon Aurora User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_rds_45

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_45 --share

SQL

This control uses a named query:

with pg_with_audit_logging_enabled as (
  -- Cluster parameter groups (matched to a cluster in the same account and region)
  -- that contain server_audit_logging = 1. Note that this CTE only inspects
  -- server_audit_logging; the server_audit_events value and the parameter group
  -- sync status mentioned in the description are not checked here.
  select
    pg.name,
    pg.account_id,
    pg.region
  from
    aws_rds_db_cluster as c,
    aws_rds_db_cluster_parameter_group as pg,
    jsonb_array_elements(pg.parameters) as p
  where
    pg.name = c.db_cluster_parameter_group
    and pg.account_id = c.account_id
    and pg.region = c.region
    and p ->> 'ParameterName' = 'server_audit_logging'
    and p ->> 'ParameterValue' = '1'
)
select
  arn as resource,
  case
    when engine <> 'aurora-mysql' then 'skip'
    when p.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'aurora-mysql' then title || ' is not Aurora MySQL-compatible edition.'
    when p.name is not null then title || ' audit logging enabled.'
    else title || ' audit logging disabled.'
  end as reason,
  i.region,
  i.account_id
from
  aws_rds_db_cluster as i
  -- A cluster whose parameter group is absent from the CTE yields p.name = null -> 'alarm'.
  left join pg_with_audit_logging_enabled as p
    on p.name = i.db_cluster_parameter_group
    and p.account_id = i.account_id
    and p.region = i.region;
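The following is an added example, not code from the mod, that reproduces the control's skip/ok/alarm decision offline over constructed parameter group data shaped like the `parameters` jsonb column, and goes one step beyond the named query by also requiring a non-empty `server_audit_events`, as the description demands. The parameter group sync status is not modelled; the sample parameter lists and cluster names are constructed for illustration.

```python
import json

# Constructed samples of the aws_rds_db_cluster_parameter_group.parameters
# jsonb column; only the keys the control reads are modelled.
AUDIT_ON = json.dumps([
    {"ParameterName": "server_audit_logging", "ParameterValue": "1"},
    {"ParameterName": "server_audit_events", "ParameterValue": "CONNECT,QUERY_DDL"},
])
AUDIT_NO_EVENTS = json.dumps([
    {"ParameterName": "server_audit_logging", "ParameterValue": "1"},
    {"ParameterName": "server_audit_events", "ParameterValue": ""},
])
AUDIT_OFF = json.dumps([
    {"ParameterName": "server_audit_logging", "ParameterValue": "0"},
])


def audit_logging_enabled(parameters_json: str) -> bool:
    """True only if server_audit_logging = 1 AND server_audit_events is non-empty.

    The named query stops at the first condition; the second is the extra
    check from the control description.
    """
    params = {p["ParameterName"]: p.get("ParameterValue")
              for p in json.loads(parameters_json)}
    if params.get("server_audit_logging") != "1":
        return False
    events = params.get("server_audit_events")
    return bool(events and events.strip())


def evaluate_cluster(title: str, engine: str, parameters_json: str):
    """Return (status, reason) with the same wording the query emits."""
    if engine != "aurora-mysql":
        return "skip", f"{title} is not Aurora MySQL-compatible edition."
    if audit_logging_enabled(parameters_json):
        return "ok", f"{title} audit logging enabled."
    return "alarm", f"{title} audit logging disabled."


if __name__ == "__main__":
    # Constructed cluster names.
    for name, engine, params in [("orders-db", "aurora-mysql", AUDIT_ON),
                                 ("billing-db", "aurora-mysql", AUDIT_NO_EVENTS),
                                 ("legacy-db", "aurora-mysql", AUDIT_OFF),
                                 ("reports-db", "aurora-postgresql", AUDIT_ON)]:
        print(name, *evaluate_cluster(name, engine, params))
```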

Tags