Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled

Description

This check ensures that you have enabled query logging set up for your PostgreSQL database cluster. A cluster needs to have a non-default parameter group and two parameters set - that of log_statement and log_min_duration_statement, these need to be set to all and 1 respectively to get sufficient logs.

Note
Setting querying logging can expose secrets (including passwords) from your queries, - restrict and encrypt to mitigate.

Fix - Buildtime

Terraform

You will need to have a resource aws_rds_cluster_parameter_group that is referred to your aws_rds_cluster_parameter_group attribute: db_cluster_parameter_group_name. With that in place the following parameters need to be set:

resource "aws_rds_cluster_parameter_group" "examplea" {
  name = "rds-cluster-pg"
  family      = "aurora5.7"
  description = "RDS default cluster parameter group"

+  parameter {
+    name="log_statement"
+    value="all"
+  }

+  parameter {
+    name="log_min_duration_statement"
+    value="1"
+  }
}

For more details see the aws docs here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.Concepts.PostgreSQL.html