Skip to content

PGAudit is not enabled on RDS Postgres instances

Description

Postgres database instances can be enabled for auditing with PGAudit, the PostgresSQL Audit Extension. With PGAudit enabled you will be able to audit any database, its roles, relations, or columns.

See the PGAudit for a full description of the auditing features.

Fix - Runtime

AWS Console

To view Scheduled Events, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to the AMazon RDS console.
  3. Select "Parameter Groups".
  4. If you are using the default group you must create a new group. Select your new or non default group.
  5. In the Parameter search bar, enter pgaudit.role.
  6. Select Edit Parameter and set the value to rds_pgaudit. When editing is finished, click Save.
  7. If you have created a new group you must edit your Instances setting.
  8. To view your DB instances, select Databases from the navigation pane.
  9. Select and modify your DB identifier.
  10. In Database options, select the DB parameter group dropdown and your new group, then click Continue.
  11. Select to apply now or in your next scheduled maintenance window.

Fix - Buildtime

Terraform

This buildtime fix requires a combination of resources: the RDS instance and a customer db parameter group.
Ensure that var.family is set to one of the Postgres options, for example, postgres11/12.

📘 Note

When updating the parameter group on your db instance, make a note of the apply_method setting. This will help to avoid outages.

Resource aws_db_instance + aws_db_parameter_group

```go aws_db_instance.instance.tf resource "aws_db_instance" "instance" { ... parameter_group_name = aws_db_parameter_group.custom.name ... }

resource "aws_db_parameter_group" "custom" { name = var.custom_db_group_name ... family = var.family parameter { #can be pending-reboot or immediate, but immediate will reboot your db apply_method = "pending-reboot" name = "shared_preload_libraries" value = "pgaudit" }

parameter { apply_method = "pending-reboot" name = "pgaudit.role" value = "rds_pgaudit" } ... } ```