To meet compliance requirements, I want to turn on audit logging on my Amazon Aurora MySQL-Compatible Edition DB cluster to audit database activity. Then, I want to publish the DB logs to Amazon CloudWatch so that I can perform real-time data analysis.
Short description
Use Advanced Auditing with Amazon Aurora to record and audit database events. Database events can include connections, disconnections, tables queried, or types of queries issued (DML, DDL, or DCL) on an Aurora MySQL-Compatible DB cluster. For more information about the type of information included in the log files, see Audit log details.
First, activate the Advanced Auditing parameters on the associated custom DB cluster parameter group. Then, you can publish the Advanced Auditing logs to CloudWatch.
Note: If you use Amazon Relational Database Service (Amazon RDS) for MySQL or MariaDB, see How can I turn on audit logging for an Amazon RDS for MySQL instance or MariaDB instance and publish the logs to CloudWatch?
Resolution
Advanced Auditing supports the following database capacity types:
- Aurora Provisioned
- Aurora Provisioned with Aurora parallel query support
- Aurora Serverless
Note: If you're using Amazon Aurora Serverless v1, complete the following steps to turn on the audit logging parameters. However, you don't need to configure logs to publish to CloudWatch, as Amazon Aurora Serverless v1 clusters automatically upload these types of logs. To configure log uploads for v1 clusters, modify the value of the log types in the DB cluster parameter group.
Turning on Advanced Auditing parameters on the cluster parameter group
- Create a custom DB cluster parameter group.
- Modify the parameters for Advanced Auditing.
- Modify the cluster to associate the new custom DB parameter group with your Aurora MySQL-Compatible DB cluster.
For details about the Advanced Auditing parameters, see Turning on Advanced Auditing. These parameters are dynamic, so you don't need to reboot your DB cluster. When you change the default parameter group to a custom parameter group, manually reboot the DB instance to apply the new group.
Publishing the Advanced Auditing logs to CloudWatch
- Open the Amazon RDS console.
- Choose Databases from the navigation pane.
- Select the Aurora MySQL-Compatible DB cluster whose log data you want to export to CloudWatch.
- Choose Modify.
- From the Log exports section, select Audit log.
- Choose Continue.
- Review the Summary of modifications, and then choose Modify cluster.
Or, you can publish Advanced Auditing logs to CloudWatch Logs by setting the value for the cluster-level DB parameter server_audit_logs_upload to 1. The default value for the parameter is 0. You can also use the AWS Command Line Interface (AWS CLI) to turn on CloudWatch log exports by running a command similar to the following:
aws rds modify-db-cluster --db-cluster-identifier <mydbcluster> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
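The following script is an added example and is not part of the article. It strings together the AWS CLI calls for the two procedures above: create a custom DB cluster parameter group, set the Advanced Auditing parameters on it, attach the group to the cluster, and publish the audit log type to CloudWatch Logs. The parameter name server_audit_logging and the list of accepted server_audit_events values are taken from the Advanced Auditing documentation the article links to; the cluster, group and family names are placeholders. The commands are only printed unless APPLY=1 is set, so you can review them first.

```shell
#!/bin/sh
# Added example (not the article's own code). Builds the AWS CLI commands that turn on
# Advanced Auditing on an Aurora MySQL-Compatible cluster and publish the audit log to
# CloudWatch Logs. Nothing runs against AWS unless APPLY=1 is set.

# Event types accepted by server_audit_events (from the linked Advanced Auditing docs).
VALID_EVENTS="CONNECT QUERY QUERY_DCL QUERY_DDL QUERY_DML TABLE"

# validate_events EVENTS: returns 0 if every comma-separated value is a known event
# type, 1 otherwise. An empty list is rejected because no audit data would be written.
validate_events() {
    [ -n "$1" ] || { printf 'server_audit_events must not be empty\n' >&2; return 1; }
    for e in $(printf '%s' "$1" | tr ',' ' '); do
        case " $VALID_EVENTS " in
            *" $e "*) ;;
            *) printf 'unknown audit event type: %s\n' "$e" >&2; return 1 ;;
        esac
    done
}

# audit_commands CLUSTER GROUP FAMILY EVENTS
# Prints one aws CLI command per line in the order the article gives the steps.
audit_commands() {
    cluster=$1; group=$2; family=$3; events=$4
    validate_events "$events" || return 1
    # Step 1: the custom DB cluster parameter group (family placeholder: aurora-mysql8.0).
    printf 'aws rds create-db-cluster-parameter-group --db-cluster-parameter-group-name %s --db-parameter-group-family %s --description "Advanced Auditing"\n' "$group" "$family"
    # Step 2: the auditing parameters. Both are dynamic, so ApplyMethod=immediate is valid.
    # JSON is used instead of shorthand syntax because the event list itself contains commas.
    printf "aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name %s --parameters '[{\"ParameterName\":\"server_audit_logging\",\"ParameterValue\":\"1\",\"ApplyMethod\":\"immediate\"},{\"ParameterName\":\"server_audit_events\",\"ParameterValue\":\"%s\",\"ApplyMethod\":\"immediate\"}]'\n" "$group" "$events"
    # Step 3: attach the group to the cluster. Switching from the default group to a
    # custom one requires a manual reboot of the DB instances afterwards.
    printf 'aws rds modify-db-cluster --db-cluster-identifier %s --db-cluster-parameter-group-name %s --apply-immediately\n' "$cluster" "$group"
    # Step 4: publish the audit log type to CloudWatch Logs (same call as in the article).
    printf "aws rds modify-db-cluster --db-cluster-identifier %s --cloudwatch-logs-export-configuration '{\"EnableLogTypes\":[\"audit\"]}'\n" "$cluster"
}

# run_audit_setup CLUSTER GROUP FAMILY EVENTS: prints the commands, and runs them
# one by one only when APPLY=1 is set in the environment.
run_audit_setup() {
    cmds=$(audit_commands "$@") || return 1
    printf '%s\n' "$cmds"
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$cmds" | while IFS= read -r c; do eval "$c"; done
    fi
}

# Example invocation with placeholder names (prints only; add APPLY=1 to execute):
# run_audit_setup my-aurora-cluster audit-params aurora-mysql8.0 CONNECT,QUERY_DDL,QUERY_DCL
```

The validation step matters in practice: a mistyped event name in server_audit_events is accepted by the parameter group but produces no records, which is easy to miss until an auditor asks for them.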
After you turn on audit logging and modify your instance to export logs, the events recorded in the audit logs are sent to CloudWatch, where you can monitor the log events.
Note: Audit data doesn't appear in the logs unless you also define one or more types of events to audit using the server_audit_events parameter.
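Once the records are in CloudWatch, it helps to know what one looks like before writing a metric filter or query. The following is an added example, not part of the article: two shell functions that run over a few constructed audit lines in the comma-separated layout described on the Audit log details page the article links to (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode). That field order is assumed here and should be checked against your own log lines. The first function counts failed connections per user and source host (these records exist only if CONNECT is among the server_audit_events); the second lists table-changing operations issued by users outside an allowlist (these come from TABLE events).

```shell
#!/bin/sh
# Added example (not the article's own code). Parses Aurora MySQL audit records in the
# assumed layout: timestamp,serverhost,username,host,connectionid,queryid,operation,
# database,object,retcode. Query text in the object field may itself contain commas,
# so the functions rely only on the fixed leading fields ($3 user, $4 host, $7 operation)
# and on the last field ($NF retcode).

# Constructed sample records (not real log data). 203.0.113.9 is a documentation address.
AUDIT_SAMPLE=$(cat <<'EOF'
1700000000000000,ip-10-0-0-5,appuser,10.0.1.20,101,0,CONNECT,,,0
1700000001000000,ip-10-0-0-5,appuser,10.0.1.20,101,0,QUERY,shop,'SELECT id, total FROM orders WHERE id = 7',0
1700000002000000,ip-10-0-0-5,guest,203.0.113.9,102,0,CONNECT,,,1045
1700000003000000,ip-10-0-0-5,guest,203.0.113.9,103,0,CONNECT,,,1045
1700000004000000,ip-10-0-0-5,appuser,10.0.1.20,101,1,DROP,shop,orders,0
1700000005000000,ip-10-0-0-5,dba,10.0.1.30,104,0,CONNECT,,,0
1700000006000000,ip-10-0-0-5,dba,10.0.1.30,104,2,ALTER,shop,orders,0
EOF
)

# failed_connects: reads audit records on stdin and prints "user@host count" for every
# user/host pair with CONNECT records whose retcode is non-zero (a rejected login).
failed_connects() {
    awk -F, '$7 == "CONNECT" && $NF != 0 { n[$3 "@" $4]++ }
             END { for (k in n) print k, n[k] }' | sort
}

# ddl_outside_allowlist "USER1 USER2 ...": reads audit records on stdin and prints
# "user operation database.object" for CREATE/ALTER/RENAME/DROP table operations issued
# by a user who is not in the space-separated allowlist.
ddl_outside_allowlist() {
    awk -F, -v allow=" $1 " '
        $7 ~ /^(CREATE|ALTER|RENAME|DROP)$/ && index(allow, " " $3 " ") == 0 {
            print $3, $7, $8 "." $9
        }'
}

# Usage on the constructed sample:
# printf '%s\n' "$AUDIT_SAMPLE" | failed_connects
# printf '%s\n' "$AUDIT_SAMPLE" | ddl_outside_allowlist "dba"
```

The same two conditions translate directly into CloudWatch Logs metric filters or Logs Insights queries once you have confirmed the field positions; the point of the sample is to make the retcode and operation fields, which the compliance checks usually hinge on, explicit.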
Related information
Auditing an Amazon Aurora cluster
Using Advanced Auditing with an Amazon Aurora MySQL-Compatible DB cluster
Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs