AWS Config Rule: RDS Logging Enabled

Description: Checks if log types exported to Amazon CloudWatch for an Amazon Relational Database Service (Amazon RDS) instance are enabled. The rule is NON_COMPLIANT if any such log types are not enabled.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), Europe (Spain), Europe (Zurich) Region

To resolve this manually, you will need to ensure that logging is enabled when creating an RDS instance and that you select one or more logs to export to CloudWatch. It's good practice to ensure that these four are all turned on by default.

The RDS service-linked role is used to publish your log files to CloudWatch Logs - so there is no additional permissions to worry about for this stage here.

By ensuring these log files are exported to CloudWatch Logs - you will then be COMPLIANT with the above config rule.

Note: This remediation is only compatible with MySQL Engine. (This does not include MySQL-Aurora)

You can optionally remediate any RDS DB Instance so that logging is created for you and sent to CloudWatch Logs

In order to enable this remediation, in the StackZone console navigate to Provisioning / Baseline Services / AWS Config Rules Regional / Amazon RDS and enable RDS Logging Enabled Remediation

Note: this is still an experimental Remediation. In order to use it, you have to enable "Experimental Features" in the StackZone Settings -> Organization Details section.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here