Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled

Description

This check ensures that query logging is enabled for your PostgreSQL database cluster. The cluster needs a non-default parameter group with two parameters set: log_statement and log_min_duration_statement. These need to be set to all and 1 respectively to get sufficient logs.

Note
Enabling query logging can expose secrets (including passwords) from your queries. Restrict access to the logs and encrypt them to mitigate.

Fix - Buildtime

Terraform

You will need an aws_rds_cluster_parameter_group resource that is referenced by your aws_rds_cluster through its db_cluster_parameter_group_name attribute. With that in place, the following parameters need to be set:

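```hcl
# aws_rds_cluster_parameter_group.examplea.tf
resource "aws_rds_cluster_parameter_group" "examplea" {
  name        = "rds-cluster-pg"
  # Must be an Aurora PostgreSQL family matching your engine version;
  # log_statement and log_min_duration_statement are PostgreSQL parameters.
  family      = "aurora-postgresql13"
  description = "RDS default cluster parameter group"

  # Log every SQL statement
  parameter {
    name  = "log_statement"
    value = "all"
  }

  # Log statements that run for 1 ms or longer
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}
```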

For more details, see the AWS docs here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.Concepts.PostgreSQL.html
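One way to evaluate this rule against the `planned_values` section of `terraform show -json` output, as an added example (not the policy's own implementation). The `res` helper, `failing_clusters` function and sample plan are constructed for illustration; it assumes resources live in the root module and that parameter group names are literal strings known at plan time.

```python
REQUIRED = {"log_statement": "all", "log_min_duration_statement": "1"}

def res(rtype, name, values):
    # Hypothetical helper: one entry shaped like planned_values.root_module.resources[]
    return {"address": f"{rtype}.{name}", "type": rtype, "name": name, "values": values}

# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    res("aws_rds_cluster_parameter_group", "examplea", {"name": "rds-cluster-pg", "parameter": [
        {"name": "log_statement", "value": "all"},
        {"name": "log_min_duration_statement", "value": "1"}]}),
    res("aws_rds_cluster_parameter_group", "partial", {"name": "partial-pg", "parameter": [
        {"name": "log_statement", "value": "all"}]}),
    res("aws_rds_cluster", "good", {"engine": "aurora-postgresql",
        "db_cluster_parameter_group_name": "rds-cluster-pg"}),
    res("aws_rds_cluster", "partial", {"engine": "aurora-postgresql",
        "db_cluster_parameter_group_name": "partial-pg"}),
    res("aws_rds_cluster", "default", {"engine": "aurora-postgresql",
        "db_cluster_parameter_group_name": None}),
    res("aws_rds_cluster", "mysql", {"engine": "aurora-mysql",
        "db_cluster_parameter_group_name": None}),
]}}}

def failing_clusters(plan):
    """Map each failing PostgreSQL cluster address to the list of reasons it fails."""
    resources = plan["planned_values"]["root_module"].get("resources", [])
    # Index every cluster parameter group in the plan by its name.
    groups = {}
    for r in resources:
        if r["type"] == "aws_rds_cluster_parameter_group":
            params = r["values"].get("parameter") or []
            groups[r["values"].get("name")] = {p["name"]: str(p["value"]) for p in params}
    failures = {}
    for r in resources:
        engine = r["values"].get("engine") or ""
        if r["type"] != "aws_rds_cluster" or "postgres" not in engine:
            continue  # the rule only applies to PostgreSQL clusters
        params = groups.get(r["values"].get("db_cluster_parameter_group_name"))
        if params is None:
            failures[r["address"]] = ["no custom parameter group in plan"]
            continue
        wrong = [k for k, v in REQUIRED.items() if params.get(k) != v]
        if wrong:
            failures[r["address"]] = wrong
    return failures

if __name__ == "__main__":
    for address, reasons in failing_clusters(SAMPLE_PLAN).items():
        print(f"FAILED {address}: {', '.join(reasons)}")
```

A cluster that points at a parameter group managed outside the plan is reported as failing here, because its parameters cannot be inspected.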