RDS Cluster CloudWatch Logs Integration
Overview
This check verifies that your Amazon RDS clusters (Aurora MySQL, Aurora PostgreSQL, MySQL, PostgreSQL) export database logs to Amazon CloudWatch Logs. Enabling this integration gives you centralized access to database activity, making it easier to monitor performance, troubleshoot issues, and detect security threats.
Risk
Without CloudWatch Logs integration:
- No visibility: Database events are not centralized, making monitoring difficult
- Delayed threat detection: Security issues like brute-force attacks, SQL injection, or privilege abuse may go unnoticed
- Forensics gaps: Investigating incidents becomes harder without log history
- Compliance issues: Many frameworks require centralized logging for audit purposes
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permission to modify RDS clusters, OR
- AWS CLI configured with appropriate credentials
Supported log types by engine
| Engine | Available Log Types |
|---|---|
| Aurora MySQL | audit, error, general, slowquery |
| Aurora PostgreSQL | postgresql |
| RDS MySQL | error, general, slowquery |
| RDS PostgreSQL | postgresql, upgrade |
Recommended minimum: Enable at least error logs for MySQL engines or postgresql logs for PostgreSQL engines.
AWS Console Method
- Open the Amazon RDS console in the us-east-1 region
- In the navigation pane, choose Databases
- Select the DB cluster you want to modify
- Choose Modify
- Scroll down to Log exports
- Check the boxes for the log types you want to publish:
  - For Aurora MySQL: select Error log, Slow query log, and/or Audit log
  - For Aurora PostgreSQL: select Postgresql log
- Scroll to the bottom and choose Continue
- Review your changes and select Apply immediately if you want the changes now
- Choose Modify cluster
AWS CLI (optional)
Enable CloudWatch Logs Export
For Aurora MySQL or RDS MySQL clusters (for RDS MySQL, omit `audit`, which the table above does not list as an available log type for that engine):

```bash
aws rds modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","slowquery","audit"]}' \
  --apply-immediately
```
For Aurora PostgreSQL or RDS PostgreSQL clusters:

```bash
aws rds modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["postgresql"]}' \
  --apply-immediately
```
Verify the Configuration
```bash
aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].EnabledCloudwatchLogsExports'
```
This should return a list of enabled log types, for example:
```json
["error", "slowquery", "audit"]
```
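The table of supported log types and the enable/verify commands above can be turned into a repeatable check. The following Python is an added example (not code from the original page or from any AWS tool): it evaluates `DBClusters[]` items in the shape returned by `aws rds describe-db-clusters` against the page's recommended minimum (error for MySQL engines, postgresql for PostgreSQL engines), and builds the `EnableLogTypes` delta for `modify-db-cluster`, dropping log types the engine cannot export. The cluster records in `SAMPLE_CLUSTERS` are constructed test input, and `fetch_clusters` (which imports boto3 lazily) is the only part that touches a live account.

```python
"""Evaluate RDS clusters against the engine log-type table and build the
EnableLogTypes payload used by modify-db-cluster.

Added example, not part of the original page or any AWS tool. It operates on
the DBClusters[] item shape returned by `aws rds describe-db-clusters`
(Engine, EnabledCloudwatchLogsExports). SAMPLE_CLUSTERS is constructed input.
"""
import json

# Log types each engine can export to CloudWatch Logs (mirrors the page's table).
AVAILABLE_LOG_TYPES = {
    "aurora-mysql": {"audit", "error", "general", "slowquery"},
    "aurora-postgresql": {"postgresql"},
    "mysql": {"error", "general", "slowquery"},
    "postgres": {"postgresql", "upgrade"},
}

# Recommended minimum from the page: error for MySQL engines, postgresql for PostgreSQL.
REQUIRED_LOG_TYPES = {
    "aurora-mysql": {"error"},
    "aurora-postgresql": {"postgresql"},
    "mysql": {"error"},
    "postgres": {"postgresql"},
}

# Constructed sample clusters (not real resources).
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "prod-aurora-mysql", "Engine": "aurora-mysql",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
    # The API omits EnabledCloudwatchLogsExports entirely when nothing is exported.
    {"DBClusterIdentifier": "dev-aurora-mysql", "Engine": "aurora-mysql"},
    {"DBClusterIdentifier": "analytics-pg", "Engine": "aurora-postgresql",
     "EnabledCloudwatchLogsExports": []},
    # An engine outside this check (the page covers MySQL and PostgreSQL engines only).
    {"DBClusterIdentifier": "legacy-docdb", "Engine": "docdb",
     "EnabledCloudwatchLogsExports": ["audit"]},
]


def enabled_exports(cluster):
    """Return the set of exported log types, tolerating a missing key."""
    return set(cluster.get("EnabledCloudwatchLogsExports") or [])


def missing_log_types(cluster):
    """Required log types not yet exported; None if the engine is outside the check."""
    engine = cluster.get("Engine", "")
    if engine not in REQUIRED_LOG_TYPES:
        return None
    return sorted(REQUIRED_LOG_TYPES[engine] - enabled_exports(cluster))


def evaluate_clusters(clusters):
    """Map each cluster identifier to PASS, FAIL or SKIP."""
    results = {}
    for cluster in clusters:
        missing = missing_log_types(cluster)
        if missing is None:
            status = "SKIP"
        elif missing:
            status = "FAIL"
        else:
            status = "PASS"
        results[cluster["DBClusterIdentifier"]] = status
    return results


def export_configuration(cluster, desired):
    """Build the --cloudwatch-logs-export-configuration value that enables `desired`.

    Types the engine cannot export are dropped (the API would reject them) and
    types already enabled are left out, so the resulting call is a pure delta.
    """
    engine = cluster["Engine"]
    if engine not in AVAILABLE_LOG_TYPES:
        raise ValueError(f"unsupported engine: {engine}")
    to_enable = sorted((set(desired) & AVAILABLE_LOG_TYPES[engine]) - enabled_exports(cluster))
    return {"EnableLogTypes": to_enable}


def modify_command(cluster, desired, region="us-east-1"):
    """Render the equivalent `aws rds modify-db-cluster` invocation as a string."""
    config = json.dumps(export_configuration(cluster, desired), separators=(",", ":"))
    return (
        f"aws rds modify-db-cluster --region {region} "
        f"--db-cluster-identifier {cluster['DBClusterIdentifier']} "
        f"--cloudwatch-logs-export-configuration '{config}' --apply-immediately"
    )


def fetch_clusters(region="us-east-1"):
    """Pull live DBClusters[] with boto3 (lazy import; needs rds:DescribeDBClusters)."""
    import boto3  # optional dependency, only needed for a live run

    paginator = boto3.client("rds", region_name=region).get_paginator("describe_db_clusters")
    return [c for page in paginator.paginate() for c in page["DBClusters"]]


if __name__ == "__main__":
    for cluster_id, status in evaluate_clusters(SAMPLE_CLUSTERS).items():
        print(f"{cluster_id}: {status}")
        if status == "FAIL":
            print("  " + modify_command(SAMPLE_CLUSTERS[[c["DBClusterIdentifier"] for c in SAMPLE_CLUSTERS].index(cluster_id)], ["error", "slowquery", "audit", "postgresql"]))
```

Replace `SAMPLE_CLUSTERS` with `fetch_clusters()` to run it against a real region; the check deliberately tolerates the absent `EnabledCloudwatchLogsExports` key, which is how the API reports a cluster with no exports at all, so a naive `cluster["EnabledCloudwatchLogsExports"]` lookup would crash on exactly the clusters that fail.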
CloudFormation (optional)
Use the EnableCloudwatchLogsExports property in your AWS::RDS::DBCluster resource:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS Cluster with CloudWatch Logs export enabled
Parameters:
  DBClusterIdentifier:
    Type: String
    Description: The DB cluster identifier
  MasterUsername:
    Type: String
    Description: Master username for the database
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the database
  Engine:
    Type: String
    Default: aurora-mysql
    AllowedValues:
      - aurora-mysql
      - aurora-postgresql
    Description: Database engine type
Conditions:
  IsMySQL: !Equals [!Ref Engine, aurora-mysql]
Resources:
  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      Engine: !Ref Engine
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      EnableCloudwatchLogsExports:
        !If
          - IsMySQL
          - - error
            - slowquery
            - audit
          - - postgresql
Outputs:
  ClusterEndpoint:
    Description: Cluster endpoint
    Value: !GetAtt RDSCluster.Endpoint.Address
```
To update an existing cluster, you can modify just the EnableCloudwatchLogsExports property in your stack.
Terraform (optional)
Use the enabled_cloudwatch_logs_exports argument in your aws_rds_cluster resource:
```hcl
variable "cluster_identifier" {
  description = "The identifier for the RDS cluster"
  type        = string
}

variable "engine" {
  description = "Database engine (aurora-mysql or aurora-postgresql)"
  type        = string
  default     = "aurora-mysql"
}

variable "master_username" {
  description = "Master username for the database"
  type        = string
}

variable "master_password" {
  description = "Master password for the database"
  type        = string
  sensitive   = true
}

locals {
  mysql_log_types      = ["error", "slowquery", "audit"]
  postgresql_log_types = ["postgresql"]
  log_types            = var.engine == "aurora-mysql" ? local.mysql_log_types : local.postgresql_log_types
}

resource "aws_rds_cluster" "example" {
  cluster_identifier = var.cluster_identifier
  engine             = var.engine
  master_username    = var.master_username
  master_password    = var.master_password

  # Enable CloudWatch Logs export for the log types selected above
  enabled_cloudwatch_logs_exports = local.log_types

  skip_final_snapshot = true
}
```
To update an existing cluster, add or modify the enabled_cloudwatch_logs_exports argument and run terraform apply.
Verification
After enabling CloudWatch Logs export:
- Go to the CloudWatch console
- In the navigation pane, choose Log groups
- Look for log groups named `/aws/rds/cluster/<your-cluster-identifier>/<log-type>`
- Confirm that logs are appearing (this may take a few minutes after enabling)
CLI verification
```bash
# Check enabled log exports on the cluster
aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier <your-cluster-identifier> \
  --query 'DBClusters[0].EnabledCloudwatchLogsExports'

# List CloudWatch Log groups for your cluster
aws logs describe-log-groups \
  --region us-east-1 \
  --log-group-name-prefix "/aws/rds/cluster/<your-cluster-identifier>"
```
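The log-group check above is easy to automate, and doing so also surfaces the retention point raised in the Notes. The following Python is an added example (not from the original page or any AWS tool): given a cluster identifier, the log types that were enabled, and a response in the shape returned by `aws logs describe-log-groups`, it reports which expected `/aws/rds/cluster/<id>/<log-type>` groups are missing and which exist without a retention policy (CloudWatch omits the `retentionInDays` key for groups that retain indefinitely). `SAMPLE_RESPONSE` is constructed test input, and `fetch_log_groups` (lazy boto3 import) is the only live call.

```python
"""Verify that the CloudWatch log groups for a cluster's exported log types
exist and carry a retention policy.

Added example, not from the original page. It consumes the `logGroups` list
returned by `aws logs describe-log-groups`; a group with no retention policy
has no `retentionInDays` key. SAMPLE_RESPONSE is constructed test input.
"""

LOG_GROUP_PREFIX = "/aws/rds/cluster"

# Constructed sample, shaped like the describe-log-groups response.
SAMPLE_RESPONSE = {
    "logGroups": [
        {"logGroupName": "/aws/rds/cluster/prod-aurora-mysql/error", "retentionInDays": 90},
        {"logGroupName": "/aws/rds/cluster/prod-aurora-mysql/slowquery"},
        # A prefix search also returns groups of similarly named clusters; they must not count.
        {"logGroupName": "/aws/rds/cluster/prod-aurora-mysql-replica/error", "retentionInDays": 30},
    ]
}


def expected_log_groups(cluster_id, log_types):
    """Log group names RDS creates for each exported log type of a cluster."""
    return {f"{LOG_GROUP_PREFIX}/{cluster_id}/{log_type}" for log_type in log_types}


def verify_log_groups(cluster_id, log_types, response):
    """Return which expected groups are missing and which exist without retention."""
    # The trailing slash keeps look-alike identifiers (e.g. <id>-replica) out of the match.
    own_prefix = f"{LOG_GROUP_PREFIX}/{cluster_id}/"
    found = {
        group["logGroupName"]: group.get("retentionInDays")
        for group in response.get("logGroups", [])
        if group["logGroupName"].startswith(own_prefix)
    }
    expected = expected_log_groups(cluster_id, log_types)
    present = expected & set(found)
    return {
        "missing": sorted(expected - set(found)),
        "no_retention": sorted(name for name in present if found[name] is None),
    }


def fetch_log_groups(cluster_id, region="us-east-1"):
    """Live lookup with boto3 (lazy import; needs logs:DescribeLogGroups)."""
    import boto3  # optional dependency, only needed for a live run

    client = boto3.client("logs", region_name=region)
    paginator = client.get_paginator("describe_log_groups")
    groups = []
    for page in paginator.paginate(logGroupNamePrefix=f"{LOG_GROUP_PREFIX}/{cluster_id}"):
        groups.extend(page["logGroups"])
    return {"logGroups": groups}


if __name__ == "__main__":
    report = verify_log_groups("prod-aurora-mysql", ["error", "slowquery", "audit"], SAMPLE_RESPONSE)
    print("missing:", report["missing"])
    print("no retention policy:", report["no_retention"])
```

A group that is "missing" right after enabling export is normal for a few minutes, as the page notes; a group that stays missing usually means the log type was never enabled on the cluster, so pair this check with the `EnabledCloudwatchLogsExports` query above rather than reading either result alone.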
Additional Resources
- Publishing Aurora MySQL logs to CloudWatch Logs
- Publishing Aurora PostgreSQL logs to CloudWatch Logs
- CloudWatch Logs pricing
- Setting up CloudWatch alarms for RDS
Notes
- Cost consideration: CloudWatch Logs incurs charges based on data ingestion and storage. Review the CloudWatch pricing page to understand costs.
- General query log caution: The `general` log type captures all SQL statements, which can generate significant log volume and cost. Enable it selectively for troubleshooting rather than continuous use.
- Audit log setup: For Aurora MySQL, the `audit` log type requires additional configuration in the DB cluster parameter group to define what gets audited.
- Log retention: By default, CloudWatch Logs retains data indefinitely. Consider setting a retention policy to manage storage costs.
- Apply immediately: Using `--apply-immediately` applies changes right away. Without it, changes apply during the next maintenance window.