I want to audit database (DB) activity to meet compliance requirements for my Amazon Relational Database Service (Amazon RDS) DB instance that's running MySQL or MariaDB. Then, I want to publish the DB logs to Amazon CloudWatch. How can I do this?
Short description
To use the MariaDB Audit Plugin to capture events such as connections, disconnections, queries, or tables queried, you must add the plugin to a custom option group, associate that option group with the DB instance, and then publish the audit logs to CloudWatch. The sections below cover both parts.
If you use Amazon Aurora MySQL-Compatible Edition, see How can I enable audit logging for my Aurora MySQL-Compatible DB cluster and publish the logs to CloudWatch?
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, confirm that you're running a recent version of the AWS CLI.
Amazon RDS supports Audit Plugin option settings on the following versions for MySQL and MariaDB:
- All MySQL 5.7 versions
- MySQL 5.7.16 and higher 5.7 versions
- MySQL 8.0.25 and higher 8.0 versions
- MariaDB 10.2 and higher
For more information about supported versions, see MariaDB Audit Plugin support and Options for MariaDB database engines.
Add and configure the MariaDB Audit Plugin and associate the DB instance with a custom option group
1. Create a custom option group or modify an existing custom option group.
2. Add the MariaDB Audit Plugin option to the option group and configure the option settings.
3. Apply the option group to the DB instance.
To apply the option to a new DB instance, configure the instance to use the newly created option group when you launch the DB instance. To apply the option to an existing DB instance, modify the DB instance and attach the new option group. For more information, see Modifying an Amazon RDS DB instance.
After you configure the DB instance with the MariaDB Audit Plugin, you don't need to reboot the DB instance. When the option group is active, auditing begins immediately.
Note: Amazon RDS doesn't support turning off logging in the MariaDB Audit Plugin. To turn off audit logging, remove the plugin from the associated option group. This restarts the instance automatically. To limit the length of the query string in a record, use the SERVER_AUDIT_QUERY_LOG_LIMIT option.
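The three steps above, carried out through the RDS API, as an added example that is not part of the original article or of AWS's own documentation. It uses the boto3 method names and parameter shapes for create_option_group, add_option_to_option_group and modify_db_instance; the option group name, instance identifier, engine version and event list are assumptions chosen for illustration. The client is injected so the function can be exercised offline with the recording fake included below, and the same function runs against a real boto3 RDS client.

```python
"""Configure the MariaDB Audit Plugin on an RDS MySQL instance through an option group,
then turn on CloudWatch export of the audit log on that instance."""
from typing import Any, Dict, List, Tuple

# Hypothetical identifiers used for illustration only (not from the article).
OPTION_GROUP = "mysql80-audit"
DB_INSTANCE = "mydbinstance"


def audit_plugin_option(query_log_limit: int = 1024,
                        events: str = "CONNECT,QUERY_DDL,QUERY_DCL") -> Dict[str, Any]:
    """Build the option entry for add_option_to_option_group.

    SERVER_AUDIT_EVENTS picks which event classes are recorded; SERVER_AUDIT_QUERY_LOG_LIMIT
    caps the length of the query text kept in each record (the article's knob for long queries).
    The default event list here is an assumption for a compliance-style configuration.
    """
    return {
        "OptionName": "MARIADB_AUDIT_PLUGIN",
        "OptionSettings": [
            {"Name": "SERVER_AUDIT_EVENTS", "Value": events},
            {"Name": "SERVER_AUDIT_QUERY_LOG_LIMIT", "Value": str(query_log_limit)},
        ],
    }


def enable_audit_logging(rds: Any, option_group: str, db_instance: str,
                         engine: str = "mysql", major_version: str = "8.0") -> None:
    """Step 1: create the option group. Step 2: add the plugin option with its settings.
    Step 3: attach the option group to the instance and enable the 'audit' log export.
    `rds` is any object with the boto3 RDS client methods used below."""
    rds.create_option_group(
        OptionGroupName=option_group,
        EngineName=engine,
        MajorEngineVersion=major_version,
        OptionGroupDescription="MariaDB Audit Plugin for compliance logging",
    )
    rds.add_option_to_option_group(
        OptionGroupName=option_group,
        OptionsToInclude=[audit_plugin_option()],
        ApplyImmediately=True,
    )
    # No reboot is needed for the plugin itself; the option group becomes active on modify.
    rds.modify_db_instance(
        DBInstanceIdentifier=db_instance,
        OptionGroupName=option_group,
        CloudWatchLogsExportConfiguration={"EnableLogTypes": ["audit"]},
        ApplyImmediately=True,
    )


class RecordingRdsClient:
    """Offline stand-in for boto3's RDS client: records each call instead of sending it."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __getattr__(self, name: str):
        def record(**kwargs: Any) -> Dict[str, Any]:
            self.calls.append((name, kwargs))
            return {}
        return record


def dry_run(option_group: str = OPTION_GROUP, db_instance: str = DB_INSTANCE) -> List[Tuple[str, Dict[str, Any]]]:
    """Run the procedure against the recording client and return the calls it would make."""
    client = RecordingRdsClient()
    enable_audit_logging(client, option_group, db_instance)
    return client.calls


if __name__ == "__main__":
    for method, params in dry_run():
        print(method, params)
```

To run it for real, replace the recording client with `boto3.client("rds")`; the instance must already exist and the option group's engine and major version must match the instance.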
Publish audit logs to CloudWatch
1. Open the Amazon RDS console.
2. Choose Databases from the navigation pane.
3. Select the DB instance that you want to use to export log data to CloudWatch.
4. Choose Modify.
5. From the Log exports section, select Audit log.
6. Choose Continue.
7. Review the Summary of modifications, and then choose Modify instance.
You can also use the following AWS CLI command syntax to turn on CloudWatch log exports:
aws rds modify-db-instance --db-instance-identifier <mydbinstance> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
After turning on audit logging and modifying your instance to export logs, events that are recorded in audit logs are sent to CloudWatch. Then, you can monitor the log events in CloudWatch.
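Once the records reach CloudWatch, the next step is to read them. The following is an added example, not part of the article, of a parser for the plugin's record layout together with a small triage pass that flags failed logins and privileged statements. It assumes the comma-separated layout the MariaDB server_audit plugin writes (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode); the sample log lines are constructed for the example.

```python
"""Parse MariaDB Audit Plugin records and flag the events a reviewer usually looks at first."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class AuditEvent:
    timestamp: str
    serverhost: str
    username: str
    host: str
    connection_id: int
    query_id: int
    operation: str   # CONNECT, DISCONNECT, FAILED_CONNECT, QUERY, READ, WRITE, ...
    database: str
    obj: str         # SQL text for QUERY events, table name for table events, else empty
    retcode: int


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Assumed layout: timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode.
    The object field can contain commas (it is the SQL text), so take the first eight fields
    from the left and peel the return code off from the right instead of a plain split."""
    line = line.strip()
    if not line:
        return None
    head = line.split(",", 8)
    if len(head) != 9:
        return None
    obj, sep, retcode = head[8].rpartition(",")
    if not sep or not retcode.strip().lstrip("-").isdigit():
        return None
    # The plugin wraps query text in single quotes and backslash-escapes quotes inside it.
    if len(obj) >= 2 and obj.startswith("'") and obj.endswith("'"):
        obj = obj[1:-1].replace("\\'", "'")
    try:
        return AuditEvent(head[0], head[1], head[2], head[3], int(head[4]), int(head[5]),
                          head[6], head[7], obj, int(retcode))
    except ValueError:
        return None


# Statement prefixes that change schema or privileges; an assumed triage list, not exhaustive.
PRIVILEGED_PREFIXES = ("DROP ", "ALTER ", "GRANT ", "REVOKE ", "TRUNCATE ",
                       "CREATE USER", "SET PASSWORD")


def classify(event: AuditEvent) -> Optional[str]:
    """Return a finding label for the event, or None if it is routine."""
    if event.operation == "FAILED_CONNECT" or (event.operation == "CONNECT" and event.retcode != 0):
        return "failed-login"
    if event.operation == "QUERY":
        sql = event.obj.lstrip().upper()
        if sql.startswith(PRIVILEGED_PREFIXES):
            return "privileged-statement"
        if event.retcode != 0:
            return "failed-query"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, AuditEvent]]:
    """Parse every line and keep the ones that classify as findings, in log order."""
    findings: List[Tuple[str, AuditEvent]] = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            continue
        label = classify(event)
        if label:
            findings.append((label, event))
    return findings


# Constructed sample records (hosts, users and statements are invented for the example).
SAMPLE_LOG = r"""20240101 10:00:00,ip-10-0-0-12,admin,10.0.1.5,101,0,CONNECT,mydb,,0
20240101 10:00:01,ip-10-0-0-12,admin,10.0.1.5,101,2,QUERY,mydb,'SELECT id, email FROM users WHERE id = 7',0
20240101 10:00:05,ip-10-0-0-12,admin,10.0.1.5,101,3,QUERY,mydb,'DROP TABLE audit_tmp',0
20240101 10:00:09,ip-10-0-0-12,app,10.0.2.9,102,0,FAILED_CONNECT,,,1045
20240101 10:00:10,ip-10-0-0-12,app,10.0.2.9,103,0,CONNECT,mydb,,0
20240101 10:00:11,ip-10-0-0-12,app,10.0.2.9,103,5,QUERY,mydb,'GRANT ALL ON *.* TO \'x\'@\'%\'',0
20240101 10:00:12,ip-10-0-0-12,app,10.0.2.9,103,0,DISCONNECT,mydb,,0
"""


if __name__ == "__main__":
    for label, ev in scan(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp} {label:22} user={ev.username} host={ev.host} {ev.operation} {ev.obj}")
```

The same functions work on lines pulled from the CloudWatch log group, for example from a Lambda subscription or a scheduled query; the value of the parser is that a comma inside the SQL text does not shift the return code column.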