
AWS Postgres RDS have Query Logging disabled

Description

This check ensures that query logging is enabled for your PostgreSQL database cluster. The cluster needs a non-default parameter group in which two parameters are set: log_statement, set to all, and log_min_duration_statement, set to 1. Together these produce sufficient logs. Note: enabling query logging can expose secrets (including passwords) that appear in the text of your queries, so restrict access to the logs and encrypt them to mitigate this.

Code Example

```terraform
resource "aws_db_parameter_group" "examplea" {
  name   = "rds-cluster-pg"
  family = "postgres10"

  # First of the two parameters this check requires: log every statement.
  parameter {
    name  = "log_statement"
    value = "all"
  }

  # Second required parameter: also log the duration of statements above this threshold.
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}
```

Remediation

Terraform

You will need a resource aws_rds_cluster_parameter_group that is referenced from your aws_rds_cluster through its db_cluster_parameter_group_name attribute.

With that in place, the two parameters shown in the code example above need to be set on that parameter group: log_statement to all and log_min_duration_statement to 1.
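As an added illustration of what the check has to resolve (not Checkov's own implementation), the following Python evaluates the rule over a simplified, assumed resource model: each Terraform resource is a {"type", "name", "attributes"} dict, a database resource is linked to its parameter group through the attribute named in the page, and the sample resources at the bottom are constructed here.

```python
import re
# Values the check requires on a non-default parameter group (from the page).
REQUIRED = {"log_statement": "all", "log_min_duration_statement": "1"}
# DB resource type -> (attribute naming its parameter group, parameter-group resource type).
LINKS = {
    "aws_db_instance": ("parameter_group_name", "aws_db_parameter_group"),
    "aws_rds_cluster": ("db_cluster_parameter_group_name", "aws_rds_cluster_parameter_group"),
}


def resolve_group(value, group_type, resources):
    """Return the managed group `value` points at, or None (e.g. for "default.postgres10")."""
    # Accept "${aws_db_parameter_group.x.name}" or the bare reference, else a literal group name.
    ref = re.fullmatch(r"\$?\{?(\w+)\.(\w+)\.name\}?", str(value))
    for g in (g for g in resources if g["type"] == group_type):
        if ref and (ref.group(1), ref.group(2)) == (g["type"], g["name"]):
            return g
        if not ref and g["attributes"].get("name") == value:
            return g
    return None


def check_query_logging(resources):
    """Return {"<type>.<name>": (passed, reason)} for every PostgreSQL instance or cluster."""
    results = {}
    for r in resources:
        if r["type"] not in LINKS or "postgres" not in str(r["attributes"].get("engine", "")).lower():
            continue
        attr, group_type = LINKS[r["type"]]
        key = f"{r['type']}.{r['name']}"
        group = resolve_group(r["attributes"].get(attr), group_type, resources)
        if group is None:
            results[key] = (False, f"{attr} does not reference a managed {group_type}")
            continue
        # parameter {} blocks appear as a list of {"name", "value"} dicts once HCL is parsed.
        actual = {str(p["name"]): str(p["value"]) for p in group["attributes"].get("parameter", [])}
        wrong = [f"{k}={actual.get(k, '<unset>')} (want {v})"
                 for k, v in REQUIRED.items() if actual.get(k) != v]
        results[key] = (not wrong, "ok" if not wrong else "; ".join(wrong))
    return results


# Constructed sample: the page's parameter group, one compliant instance, one cluster on a default group.
SAMPLE = [
    {"type": "aws_db_parameter_group", "name": "examplea", "attributes": {"name": "rds-cluster-pg",
     "family": "postgres10", "parameter": [{"name": "log_statement", "value": "all"},
                                           {"name": "log_min_duration_statement", "value": "1"}]}},
    {"type": "aws_db_instance", "name": "logged", "attributes": {"engine": "postgres",
     "parameter_group_name": "${aws_db_parameter_group.examplea.name}"}},
    {"type": "aws_rds_cluster", "name": "unlogged", "attributes": {"engine": "aurora-postgresql",
     "db_cluster_parameter_group_name": "default.aurora-postgresql13"}},
]
```

Running check_query_logging(SAMPLE) passes the instance and fails the cluster, because a default group can never carry the two required parameters.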

Rule Details

ID: IAC-0464
Severity: LOW
IaC Type: Terraform
Frameworks: Terraform, TerraformPlan
Checkov ID: CKV2_AWS_30

References