RDS Cluster log capture is disabled
Description
This policy checks whether log capture is enabled on RDS clusters in AWS. Log capture is crucial for diagnostics, security review and audit: it lets administrators monitor the activities and events that occur in the RDS clusters by exporting log data. If log capture is not enabled, the ability to troubleshoot issues or identify malicious activity is compromised, leaving the system vulnerable.
Code Example
```hcl
resource "aws_rds_cluster" "default" {
  engine                  = "aurora-postgresql"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  enable_http_endpoint    = true
  master_username         = "foo"
  master_password         = "bar"
  skip_final_snapshot     = true

  # Export the engine's logs to CloudWatch Logs. Only log types the engine
  # supports may be listed: "postgresql" for Aurora PostgreSQL; "audit",
  # "error", "general" and "slowquery" apply to Aurora MySQL.
  enabled_cloudwatch_logs_exports = ["postgresql"]
}
```
Remediation
Terraform
- Resource: aws_rds_cluster
- Arguments: enabled_cloudwatch_logs_exports
To fix the issue, enable log exports for the RDS cluster by setting enabled_cloudwatch_logs_exports on the aws_rds_cluster resource.
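An added example (not part of this page or of Checkov's own code) that evaluates the rule over a Terraform plan JSON, which is the TerraformPlan framework listed below. The first check mirrors CKV_AWS_324 (the export list must be set and non-empty); the second, engine-specific check goes beyond the rule and the per-engine log-type table is an assumption drawn from AWS and Terraform provider documentation.

```python
import json

# Log types AWS accepts per Aurora engine. Assumption based on AWS and Terraform
# provider docs; verify against the provider version in use.
SUPPORTED_LOG_TYPES = {
    "aurora-mysql": {"audit", "error", "general", "slowquery"},
    "aurora-postgresql": {"postgresql"},
}

def check_rds_cluster_logging(plan):
    """Return {address: (passed, reason)} for every aws_rds_cluster in the plan.

    First test mirrors CKV_AWS_324: the export list must be set and non-empty.
    Second test (engine-specific log types) is an added, stricter check that
    catches exports AWS rejects at apply time.
    """
    results = {}
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") != "aws_rds_cluster":
            continue
        values = res.get("values") or {}
        exports = values.get("enabled_cloudwatch_logs_exports")
        # Unset attributes appear as null in plan JSON; [] also exports nothing.
        if not exports:
            results[res["address"]] = (False, "enabled_cloudwatch_logs_exports is unset or empty")
            continue
        engine = values.get("engine", "")
        supported = SUPPORTED_LOG_TYPES.get(engine)
        unsupported = sorted(set(exports) - supported) if supported else []
        if unsupported:
            results[res["address"]] = (False, f"log types not supported by {engine}: {unsupported}")
        else:
            results[res["address"]] = (True, "log exports enabled")
    return results

# Constructed sample plan (shape of `terraform show -json tfplan`) with four clusters.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {"resources": [
 {"address": "aws_rds_cluster.unset", "type": "aws_rds_cluster",
  "values": {"engine": "aurora-postgresql", "enabled_cloudwatch_logs_exports": null}},
 {"address": "aws_rds_cluster.empty", "type": "aws_rds_cluster",
  "values": {"engine": "aurora-postgresql", "enabled_cloudwatch_logs_exports": []}},
 {"address": "aws_rds_cluster.mixed", "type": "aws_rds_cluster",
  "values": {"engine": "aurora-postgresql", "enabled_cloudwatch_logs_exports": ["audit", "postgresql"]}},
 {"address": "aws_rds_cluster.good", "type": "aws_rds_cluster",
  "values": {"engine": "aurora-mysql", "enabled_cloudwatch_logs_exports": ["audit", "error", "slowquery"]}}
]}}}""")

if __name__ == "__main__":
    print(check_rds_cluster_logging(SAMPLE_PLAN))
```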
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0371 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_324 |