AWS RDS Postgres Cluster does not have query logging enabled
Description
This check ensures that query logging is enabled for your PostgreSQL database instance. The instance needs a non-default parameter group with two parameters set, log_statement and log_min_duration_statement, which need to be set to all and 1 respectively to produce sufficient logs. Note: enabling query logging can expose secrets (including passwords) from your queries; restrict access to the logs and encrypt them to mitigate this.
Remediation
Terraform
You will need an aws_db_instance resource that refers to your aws_db_parameter_group via its parameter_group_name attribute.
With that in place, the following parameters need to be set:
Code Example
```hcl
resource "aws_rds_cluster_parameter_group" "examplea" {
  name        = "rds-cluster-pg"
  # log_statement and log_min_duration_statement are PostgreSQL parameters, so a
  # Postgres cluster needs an aurora-postgresql<version> family; aurora5.7 is a MySQL family.
  family      = "aurora5.7"
  description = "RDS default cluster parameter group"

  # Log every statement (DDL, DML and SELECT).
  parameter {
    name  = "log_statement"
    value = "all"
  }

  # Log any statement that runs for 1 ms or longer, together with its duration.
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}
```
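A fuller remediation for an Aurora PostgreSQL cluster, added here as an example and not code from the original page or the Checkov project: it wires the parameter group to the cluster through db_cluster_parameter_group_name, which is the reference the check follows from the cluster to its parameters. The family, engine version, identifiers and the master_password variable are assumptions.

```hcl
# Added example; names, family and engine_version are assumed placeholders.
resource "aws_rds_cluster_parameter_group" "postgres_logging" {
  name        = "aurora-postgres-query-logging"
  family      = "aurora-postgresql14" # assumed; must match engine_version below
  description = "Aurora PostgreSQL cluster parameter group with query logging"

  # Log every statement (DDL, DML and SELECT).
  parameter {
    name  = "log_statement"
    value = "all"
  }

  # Log any statement that runs for 1 ms or longer, together with its duration.
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}

resource "aws_rds_cluster" "postgres" {
  cluster_identifier = "example-aurora-postgres" # assumed
  engine             = "aurora-postgresql"
  engine_version     = "14.6"                    # assumed; must belong to the family above
  master_username    = "postgres"
  master_password    = var.master_password       # never a literal in source control

  # This reference is what links the cluster to the logging parameters.
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.postgres_logging.name

  # Statements now appear in the PostgreSQL log; export it to CloudWatch Logs so
  # access can be restricted with IAM and the log group encrypted with KMS.
  enabled_cloudwatch_logs_exports = ["postgresql"]
  storage_encrypted               = true
  skip_final_snapshot             = true # assumed for a non-production example
}

variable "master_password" {
  type      = string
  sensitive = true
}
```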
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0461 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_27 |