Control: Database logging should be enabled
Description
To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.rds_db_instance_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.rds_db_instance_logging_enabled --share
SQL
This control uses a named query:
-- For each engine family, <@ together with @> requires the exported log
-- types to match the listed set exactly.
select
  address as resource,
  (attributes_std -> 'engine')::text as engine,
  case
    when
      (attributes_std ->> 'engine')::text like any (array ['mariadb', '%mysql'])
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["audit","error","general","slowquery"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["audit","error","general","slowquery"]'::jsonb
    then 'ok'
    when
      (attributes_std ->> 'engine')::text like any (array['%postgres%'])
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["postgresql","upgrade"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["postgresql","upgrade"]'::jsonb
    then 'ok'
    when
      (attributes_std ->> 'engine')::text like 'oracle%'
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["alert","audit", "trace","listener"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["alert","audit", "trace","listener"]'::jsonb
    then 'ok'
    when
      (attributes_std ->> 'engine')::text = 'sqlserver-ex'
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["error"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["error"]'::jsonb
    then 'ok'
    -- This branch tests <@ only (no @>), so any subset of the listed types,
    -- including an empty list, evaluates to 'ok'.
    when
      (attributes_std ->> 'engine')::text like 'sqlserver%'
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["error","agent"]'
    then 'ok'
    else 'alarm'
  end as status,
  -- The reason text repeats the same conditions as the status column.
  split_part(address, '.', 2) || case
    when
      (attributes_std ->> 'engine')::text like any (array ['mariadb', '%mysql'])
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["audit","error","general","slowquery"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["audit","error","general","slowquery"]'::jsonb
    then ' logging enabled'
    when
      (attributes_std ->> 'engine')::text like any (array['%postgres%'])
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["postgresql","upgrade"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["postgresql","upgrade"]'::jsonb
    then ' logging enabled'
    when
      (attributes_std ->> 'engine')::text like 'oracle%'
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["alert","audit", "trace","listener"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["alert","audit", "trace","listener"]'::jsonb
    then ' logging enabled'
    when
      (attributes_std ->> 'engine')::text = 'sqlserver-ex'
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["error"]'::jsonb
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb @> '["error"]'::jsonb
    then ' logging enabled'
    when
      (attributes_std ->> 'engine')::text like 'sqlserver%'
      and (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null
      and (attributes_std -> 'enabled_cloudwatch_logs_exports')::jsonb <@ '["error","agent"]'
    then ' logging enabled'
    else ' logging disabled'
  end || '.' as reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'aws_db_instance';
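Terraform resources that the query above would put in alarm, beside ones it would pass, as an added example that is not part of the original page or the mod's own code. Resource names, identifiers, instance classes and storage sizes are constructed for illustration.

```hcl
# Constructed sample resources; every name and size here is an assumption.

# alarm: enabled_cloudwatch_logs_exports is absent, so no branch matches.
resource "aws_db_instance" "orders_no_logs" {
  identifier                  = "orders-no-logs"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "dbadmin"
  manage_master_user_password = true
}

# alarm: the mysql branch needs all four log types; a partial list fails
# the @> containment test.
resource "aws_db_instance" "orders_partial_logs" {
  identifier                      = "orders-partial-logs"
  engine                          = "mysql"
  instance_class                  = "db.t3.micro"
  allocated_storage               = 20
  username                        = "dbadmin"
  manage_master_user_password     = true
  enabled_cloudwatch_logs_exports = ["error", "slowquery"]
}

# ok: exactly the four log types the mysql/mariadb branch lists.
resource "aws_db_instance" "orders_full_logs" {
  identifier                      = "orders-full-logs"
  engine                          = "mysql"
  instance_class                  = "db.t3.micro"
  allocated_storage               = 20
  username                        = "dbadmin"
  manage_master_user_password     = true
  enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
}

# ok: exactly the two log types the postgres branch lists.
resource "aws_db_instance" "reports_full_logs" {
  identifier                      = "reports-full-logs"
  engine                          = "postgres"
  instance_class                  = "db.t3.micro"
  allocated_storage               = 20
  username                        = "dbadmin"
  manage_master_user_password     = true
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
}
```

The control reads only the Terraform attribute. On MySQL and MariaDB the audit log stream carries data only once the audit plugin is enabled through an option group, which this check does not cover.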