AWS Database Blog
Amazon RDS log analysis: natural language queries with Kiro and MCP
Database administrators and developers face a persistent challenge: efficiently analyzing vast amounts of database logs to identify performance bottlenecks, security issues, and operational anomalies. Amazon Relational Database Service (Amazon RDS) generates multiple log types that provide critical insights into database performance, errors, and security events. However, traditional log analysis methods often require complex queries, deep knowledge of log formats, and time-consuming manual investigation through the AWS Management Console or Amazon CloudWatch Log Insights.
In this post, we demonstrate an approach to review RDS logs using Kiro, an AI-powered conversational assistant combined with the Model Context Protocol (MCP) server from awslabs.cloudwatch-mcp-server. This solution transforms log analysis from a technical, query-based process into a natural language conversation, delivering actionable insights instantly.
Understanding RDS log types
Amazon RDS supports multiple database engines, each generating specific log types that you can publish to Amazon CloudWatch for centralized monitoring and analysis. The following table shows the log types available for each engine.
| Database engine | Log types |
| Amazon RDS for MySQL | Error Logs, Slow Query Logs, General Logs, Audit Logs, IAM Database Authentication Error Logs |
| Amazon Aurora MySQL-Compatible Edition | Error Logs, Slow Query Logs, General Logs, Audit Logs, IAM Database Authentication Error Logs |
| Amazon RDS for MariaDB | Error Logs, Slow Query Logs, General Logs, Audit Logs |
| Amazon RDS for SQL Server | Error Logs, Agent Logs |
| Amazon RDS for PostgreSQL | PostgreSQL log, upgrade Logs, IAM Database Authentication Error Logs |
| Amazon Aurora PostgreSQL-Compatible Edition | PostgreSQL log, upgrade Logs, IAM Database Authentication Error Logs |
| Amazon RDS for Oracle | Alert Logs, Trace Logs, Audit Logs, Listener Logs, Oracle Management Agent Logs |
| Amazon RDS for Db2 | Diagnostic Logs, Notify Logs |
Solution overview
This solution uses Kiro with MCP to enable natural language querying of Amazon RDS logs stored in Amazon CloudWatch. The architecture consists of three layers. Kiro CLI communicates with Amazon Bedrock (Anthropic’s Claude model) to interpret your natural language input. The CloudWatch MCP server (awslabs.cloudwatch-mcp-server) translates those interpreted requests into AWS API calls. Amazon CloudWatch returns the relevant RDS log data for analysis.
Kiro
Kiro is an AI-powered conversational assistant designed to assist developers and IT professionals, including DBAs, with tasks ranging from coding to troubleshooting. Available on the command-line interface (CLI), Visual Studio Code, JetBrains IDEs, and mobile apps, it supports natural language queries to generate code, optimize resources, and interact with AWS services. With Kiro you can:
- Write and optimize SQL queries based on natural language prompts.
- Analyze database schemas and generate documentation or diagrams.
- Suggest performance optimization by accessing execution plans and metrics.
- Integrate with AWS services such as Amazon CloudWatch, Amazon RDS for SQL Server/MySQL/PostgreSQL, or Amazon Aurora.
MCP
The Model Context Protocol (MCP) developed by Anthropic is an open protocol that standardizes how applications provide context to large language models (LLMs). MCP enables Kiro to connect to external data sources and tools through lightweight MCP servers. The Kiro CLI acts as an MCP client, facilitating communication between the LLM and the MCP server to Amazon CloudWatch, as shown in the following figure.

Prerequisites
Estimated time to complete: 30 minutes.
Before you begin, make sure you have the following:
- An AWS account. Create one if you don’t already have one.
- Access to an AWS account through the AWS Management Console and the AWS Command Line Interface (AWS CLI).
- Kiro CLI installed on your system.
- The
uvutility from Astral or the GitHub README. - Python version 3.14 installed using the
uvutility. - A database instance with logs configured to stream to Amazon CloudWatch for monitoring and analysis.
Note: For more details, see Amazon CloudWatch Logs billing and cost.
- This solution works with multiple AI models available through Amazon Bedrock. For this post, we use Anthropic’s models in Amazon Bedrock. For more information, see Add or remove access to Amazon Bedrock foundation models.
Configuring MCP servers
The following steps walk you through configuring the AWS MCP server for use with Kiro CLI.
- Set up your AWS profile:
- Verify your Kiro CLI version is 1.9.x or later to use MCP features. You can check the Kiro CLI version by running
kiro-cli --versionin your terminal. - Configure the Amazon CloudWatch MCP server. Kiro CLI supports two levels of MCP configuration:
- Global configuration:
~/.kiro/settings/mcp.jsonapplies across all your projects. - Local configuration:
.kiro/settings/mcp.jsonis specific to the current project.
Choose your preferred configuration level and add the following CloudWatch MCP server configuration to the corresponding
mcp.jsonfile. Replace theAWS_PROFILEandAWS_REGIONplaceholders with your specific AWS profile and Region. - Global configuration:
- Start the conversation with the command
kiro-cli. For more information, see Using chat on the command line. Use the/toolscommand to view available tools and capabilities.
The following screenshot shows Kiro CLI in action, analyzing error logs for an Amazon RDS for MySQL instance.

The following example shows a sample prompt and the response from Kiro CLI analyzing RDS error logs:
Important: Validate MCP recommendations against your managed service’s supported configuration. Not every suggested action is applicable or executable within its scope.
Example prompts using Kiro CLI
The following are example prompts you can use with Kiro CLI to analyze different RDS log types:
- Error log: Analyze error logs for RDS instance [instance name] in [region] from last 7 days and identify top 5 recurring errors with remediation steps.
- Audit log: Review audit logs for RDS instance [instance name] in [region] and identify failed logins, unauthorized access, and privilege escalation events.
- Slow query logs: Analyze slow query logs for RDS instance [instance name] in [region] exceeding 5 seconds in the last 1 hour.
- General log: Examine general logs for RDS instance [instance name] in [region] from last 24 hours and analyze connection patterns and DDL statements.
- Agent log: Analyze SQL Server Agent logs for RDS instance [instance name] in [region] and identify failed jobs with optimization recommendations.
- Diagnostic log: Review diagnostic logs for RDS instance [instance name] in [region] and identify critical system events with performance tuning recommendations.
- Notify log: Analyze notify logs for RDS instance [instance name] in [region] and summarize administrative notifications and operational events.
- IAM authentication error log: Analyze IAM authentication error logs for RDS instance [instance name] in [region] and detect any error patterns with security recommendations.
- Upgrade log: Review upgrade logs for RDS instance [instance name] in [region] and provide comprehensive upgrade success report with lessons learned.
- Alert log: Analyze Oracle alert logs for RDS instance [instance name] in [region] and identify ORA errors with troubleshooting steps.
- Trace log: Examine Oracle trace logs for RDS instance [instance name] in [region] and analyze wait events with query optimization recommendations.
- Listener log: Analyze Oracle listener logs for RDS instance [instance name] in [region] and track connection attempts with network configuration recommendations.
- Oracle Management Agent log: Analyze Oracle Management Agent logs for RDS instance [instance name] in [region] and identify communication failures with troubleshooting steps.
Best practices
The following best practices cover two areas: operational guidance on how to safely act on AI-generated findings, and security guidance on how to protect sensitive log data when using Kiro and MCP for RDS log analysis.
Operational
Do not run any mitigation without first understanding its impact. This is the most important rule in this workflow. Kiro can surface findings, summarize logs, and propose remediation steps, but you must evaluate any suggested action before applying it.
Before executing a change based on an AI-generated recommendation:
- Understand what the change does. Read the command, query, or parameter change in full.
- Validate the assumption behind the recommendation. AI-assisted analysis is pattern-based. The root cause it suggests may be reasonable but not correct for your environment.
- Test in non-production first whenever the change is mutating (for example, parameter group updates, index rebuilds, terminate session commands, schema changes).
- Keep a human in the loop for any production action. Automation is a multiplier, not a substitute for judgment, especially on stateful systems like databases.
Security
When you implement natural language queries for RDS log analysis using Kiro and MCP, you must address security considerations to protect sensitive data and maintain compliance. Database logs can contain personally identifiable information (PII), authentication credentials, IP addresses, query patterns revealing business logic, and schema information that could expose vulnerabilities. The current architecture downloads logs to local workstations through CLI calls, creating risks including data breach exposure, lack of audit trails, and potential violations of compliance frameworks such as HIPAA, PCI-DSS, and GDPR.
To mitigate these risks, implement the following security controls:
Infrastructure security
- Deploy Kiro on Amazon Elastic Compute Cloud (Amazon EC2) instances within the same VPC as your RDS instances rather than local laptops.
- Implement security groups restricting access to only necessary ports and IP ranges.
Access control
- Use IAM roles with least privilege permissions instead of long-term access keys.
- Grant only
rds:DescribeDBInstances,logs:DescribeLogGroups,logs:DescribeLogStreams,logs:FilterLogEvents. - Implement resource-based policies limiting access to specific RDS instances and log groups.
Cleanup
Follow these steps to remove the resources and configurations created during this walkthrough.
Configuration cleanup:
- Remove or comment out the MCP server configuration from the
mcp.jsonfile. - Delete the AWS profile configurations if you created them specifically for this setup.
Software cleanup:
- Uninstall the CloudWatch MCP server:
kiro-cli mcp remove cloudwatch. - Remove Kiro CLI if no longer needed.
File cleanup:
- Remove configuration files (
mcp.json, AWS credentials). - Delete any generated reports or analysis outputs.
Warning: Before deleting analysis outputs, ensure you have archived any reports needed for compliance, auditing, or historical reference. Once deleted, this data cannot be recovered. Consider backing up critical analysis results to Amazon Simple Storage Service (Amazon S3) before deletion.
Although this walkthrough uses an Amazon RDS for MySQL instance, the same approach applies to all RDS and Aurora engine types listed in the log types table.
Conclusion
In this post, you learned how to use Kiro to query Amazon RDS logs through Amazon CloudWatch using natural language. With this approach, you can discover resources (list all RDS log groups), perform time-based analysis (analyze logs between specific date ranges), investigate performance issues (identify slow queries exceeding configurable thresholds such as 10 seconds), diagnose database-specific problems (analyze SQL Server deadlocks), and generate comprehensive error reports for specific instances. This eliminates the need for complex CloudWatch Log Insights queries or manual console navigation, providing actionable insights through conversational commands that target specific instances, time periods, and performance criteria.
To get started, install the Kiro CLI and configure the CloudWatch MCP server. For more information about publishing RDS logs to Amazon CloudWatch, see Publishing database logs to Amazon CloudWatch Logs.