turbot/steampipe-mod-aws-compliance

Query: rds_db_cluster_aurora_mysql_audit_logging_enabled

Usage

powerpipe query aws_compliance.query.rds_db_cluster_aurora_mysql_audit_logging_enabled

SQL

-- Cluster parameter groups attached to a cluster with server_audit_logging set to 1.
with pg_with_audit_logging_enabled as (
  -- distinct: a parameter group shared by several clusters must appear only once,
  -- otherwise the left join below returns duplicate rows for each of those clusters.
  select distinct
    pg.name,
    pg.account_id,
    pg.region
  from
    aws_rds_db_cluster as c,
    aws_rds_db_cluster_parameter_group as pg,
    jsonb_array_elements(pg.parameters) as p
  where
    pg.name = c.db_cluster_parameter_group
    and pg.account_id = c.account_id
    and pg.region = c.region
    and p ->> 'ParameterName' = 'server_audit_logging'
    and p ->> 'ParameterValue' = '1'
)
-- One row per cluster: non-Aurora-MySQL engines are skipped; the rest are ok
-- only when their parameter group matched above.
select
  arn as resource,
  case
    when engine <> 'aurora-mysql' then 'skip'
    when p.name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'aurora-mysql' then title || ' is not Aurora MySQL-compatible edition.'
    when p.name is not null then title || ' audit logging enabled.'
    else title || ' audit logging disabled.'
  end as reason,
  i.region,
  i.account_id
from
  aws_rds_db_cluster as i
  left join pg_with_audit_logging_enabled as p
    on p.name = i.db_cluster_parameter_group
    and p.account_id = i.account_id
    and p.region = i.region;

Controls

The query is being used by the following controls: