How can I turn on audit logging for my Amazon Aurora MySQL-Compatible DB cluster and publish the logs to CloudWatch?

Last updated: 2023-01-24

To meet compliance requirements, I want to turn on audit logging on my Amazon Aurora MySQL-Compatible Edition DB cluster to audit database activity. Then, I want to publish the DB logs to Amazon CloudWatch so that I can perform real-time data analysis.

Short description

Use Advanced Auditing with Amazon Aurora to record and audit database events. Database events can include connections, disconnections, tables queried, or types of queries issued (DML, DDL, or DCL) on an Aurora MySQL-Compatible DB cluster. For more information about the type of information included in the log files, see Audit log details.

First, activate the Advanced Auditing parameters on the associated custom DB cluster parameter group. Then, you can publish the Advanced Auditing logs to CloudWatch.

Note: If you use Amazon Relational Database Service (Amazon RDS) for MySQL or MariaDB, see How can I turn on audit logging for an Amazon RDS for MySQL instance or MariaDB instance and publish the logs to CloudWatch?

Resolution

Advanced Auditing supports the following database capacity types:

  • Aurora Provisioned
  • Aurora Provisioned with Aurora parallel query support
  • Aurora Serverless

Note: If you're using Amazon Aurora Serverless v1, complete the following steps to turn on the audit logging parameters. However, you don't need to configure logs to publish to CloudWatch, as Amazon Aurora Serverless v1 clusters automatically upload these types of logs. To configure log uploads for v1 clusters, modify the value of the log types in the DB cluster parameter group.

Turning on Advanced Auditing parameters on the cluster parameter group

  1. Create a custom DB cluster parameter group.
  2. Modify the parameters for Advanced Auditing.
  3. Modify the cluster to associate the new custom DB parameter group with your Aurora MySQL-Compatible DB cluster.

For details about the Advanced Auditing parameters, see Turning on Advanced Auditing. These parameters are dynamic, so changing them in a parameter group that is already associated with the cluster doesn't require a reboot. However, when you switch the cluster from the default parameter group to a custom parameter group, you must manually reboot each DB instance in the cluster before the new group takes effect.

Publishing the Advanced Auditing logs to CloudWatch

  1. Open the Amazon RDS console.
  2. Choose Databases from the navigation pane.
  3. Select the Aurora MySQL-Compatible DB cluster whose log data you want to export to CloudWatch.
  4. Choose Modify.
  5. From the Log exports section, select Audit log.
  6. Choose Continue.
  7. Review the Summary of modifications, and then choose Modify cluster.

Or, you can publish Advanced Auditing logs to CloudWatch Logs by setting the value for the cluster-level DB parameter server_audit_logs_upload to 1. The default value for the parameter is 0. You can also use the AWS Command Line Interface (AWS CLI) to turn on CloudWatch log exports by running a command similar to the following:

aws rds modify-db-cluster --db-cluster-identifier <mydbcluster> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
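As an added end-to-end example (not part of the original article), the same procedure scripted with the AWS CLI: it creates the custom DB cluster parameter group, sets the Advanced Auditing parameters, associates the group and the audit log export with the cluster, reboots the cluster's instances so the new group takes effect, and verifies the export. The cluster name mydbcluster, the parameter group name aurora-audit-pg and the family aurora-mysql8.0 are placeholders, and the list of accepted server_audit_events values is taken from the Aurora MySQL Advanced Auditing parameter reference; the script only calls AWS when run with the argument apply, so the helper functions can be checked without credentials.

```shell
#!/bin/sh
# Added example (not from the AWS article): enable Aurora MySQL Advanced Auditing
# and publish the audit log to CloudWatch Logs. Needs the AWS CLI and credentials
# only when run as:  sh enable_audit.sh apply
set -eu

# Placeholder names; override with environment variables.
CLUSTER_ID="${CLUSTER_ID:-mydbcluster}"
PG_NAME="${PG_NAME:-aurora-audit-pg}"
PG_FAMILY="${PG_FAMILY:-aurora-mysql8.0}"
# Event types to audit (comma separated).
AUDIT_EVENTS="${AUDIT_EVENTS:-CONNECT,QUERY_DCL,QUERY_DDL,QUERY_DML}"

# Values accepted by server_audit_events (Aurora MySQL Advanced Auditing parameters).
VALID_EVENTS="CONNECT QUERY QUERY_DCL QUERY_DDL QUERY_DML TABLE"

# validate_audit_events LIST: returns 0 only if every comma-separated value is a known type.
validate_audit_events() {
  list=$1
  [ -n "$list" ] || return 1
  old_ifs=$IFS; IFS=','
  set -- $list
  IFS=$old_ifs
  for ev in "$@"; do
    case " $VALID_EVENTS " in
      *" $ev "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# audit_parameters_json EVENTS: builds the --parameters argument for
# modify-db-cluster-parameter-group (both parameters are dynamic, so ApplyMethod=immediate).
audit_parameters_json() {
  printf '[{"ParameterName":"server_audit_logging","ParameterValue":"1","ApplyMethod":"immediate"},'
  printf '{"ParameterName":"server_audit_events","ParameterValue":"%s","ApplyMethod":"immediate"}]' "$1"
}

# enable_audit_logging: the full procedure against a real cluster.
enable_audit_logging() {
  validate_audit_events "$AUDIT_EVENTS" || { echo "bad server_audit_events: $AUDIT_EVENTS" >&2; return 1; }

  # 1. Create the custom DB cluster parameter group.
  aws rds create-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PG_NAME" \
    --db-parameter-group-family "$PG_FAMILY" \
    --description "Aurora MySQL advanced auditing"

  # 2. Turn on Advanced Auditing and choose the audited event types.
  aws rds modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PG_NAME" \
    --parameters "$(audit_parameters_json "$AUDIT_EVENTS")"

  # 3. Associate the group with the cluster and publish the audit log type.
  aws rds modify-db-cluster --db-cluster-identifier "$CLUSTER_ID" \
    --db-cluster-parameter-group-name "$PG_NAME" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
    --apply-immediately

  # 4. Reboot every instance in the cluster so the new parameter group takes effect.
  for inst in $(aws rds describe-db-clusters --db-cluster-identifier "$CLUSTER_ID" \
      --query 'DBClusters[0].DBClusterMembers[].DBInstanceIdentifier' --output text); do
    aws rds reboot-db-instance --db-instance-identifier "$inst"
  done

  # 5. Verify: the output should list "audit".
  aws rds describe-db-clusters --db-cluster-identifier "$CLUSTER_ID" \
    --query 'DBClusters[0].EnabledCloudwatchLogsExports'
}

if [ "${1:-}" = "apply" ]; then
  enable_audit_logging
fi
```

The validation step matters because server_audit_events silently does nothing useful if it is set to a value the engine doesn't recognise, which is the most common reason an "enabled" audit log stays empty.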

After you turn on audit logging and modify your DB cluster to export logs, events recorded in the audit logs are sent to CloudWatch Logs. Then, you can monitor the log events in CloudWatch.

Note: Audit data doesn't appear in the logs unless you also define one or more types of events to audit using the server_audit_events parameter.
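As an added example of what to do with the exported events (not part of the original article), a small triage script that reads Advanced Auditing records and flags failed logins, connections by unexpected users, privilege changes (QUERY_DCL) and destructive DDL. The record layout follows the Audit log details referenced above (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode); the sample records are constructed, the allow-list app,rdsadmin is an assumption, and retcode 1045 is MySQL's access-denied error. The one parsing subtlety worth showing is that the object field can itself contain commas, so the script rebuilds it from everything between the eighth field and the trailing retcode instead of trusting a plain split.

```shell
#!/bin/sh
# Added example (not from the AWS article): triage Aurora MySQL Advanced Auditing
# records, e.g. lines pulled from the CloudWatch log group with
#   aws logs filter-log-events --log-group-name /aws/rds/cluster/<cluster>/audit ...
set -eu

# Users expected to open connections (assumption for the example).
ALLOWED_USERS="${ALLOWED_USERS:-app,rdsadmin}"

# sample_audit_log: constructed records in the Advanced Auditing CSV layout.
sample_audit_log() {
cat <<'EOF'
1674000000001,ip-10-0-1-10,app,10.0.2.5,101,0,CONNECT,,,0
1674000000002,ip-10-0-1-10,app,10.0.2.5,101,1,QUERY_DML,shop,'INSERT INTO orders (id, total) VALUES (1, 9.99)',0
1674000000003,ip-10-0-1-10,admin,203.0.113.7,102,0,CONNECT,,,1045
1674000000004,ip-10-0-1-10,admin,10.0.2.9,103,0,CONNECT,,,0
1674000000005,ip-10-0-1-10,admin,10.0.2.9,103,2,QUERY_DCL,shop,'GRANT ALL PRIVILEGES ON shop.* TO "report"@"%"',0
1674000000006,ip-10-0-1-10,app,10.0.2.5,101,3,QUERY_DDL,shop,'DROP TABLE audit_tmp',0
1674000000007,ip-10-0-1-10,app,10.0.2.5,101,0,DISCONNECT,,,0
EOF
}

# triage_audit_log: reads records on stdin, prints one ALERT line per finding.
# Fields 1-8 are comma delimited and retcode is always the last field; the object
# (field 9) may contain commas, so it is rebuilt from fields 9..NF-1.
triage_audit_log() {
  awk -F',' -v allowed="$ALLOWED_USERS" '
  BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
  NF < 10 { next }
  {
    user = $3; host = $4; op = $7; db = $8; ret = $NF
    obj = $9
    for (i = 10; i < NF; i++) obj = obj "," $i
    if (op == "CONNECT" && ret != 0)
      printf "ALERT failed-login user=%s host=%s retcode=%s\n", user, host, ret
    else if (op == "CONNECT" && !(user in ok))
      printf "ALERT unexpected-user user=%s host=%s\n", user, host
    if (op == "QUERY_DCL")
      printf "ALERT privilege-change user=%s db=%s stmt=%s\n", user, db, obj
    if (op == "QUERY_DDL" && toupper(obj) ~ /^.?(DROP|ALTER)/)
      printf "ALERT schema-change user=%s db=%s stmt=%s\n", user, db, obj
  }'
}

# count_alerts: number of findings in the sample, handy as a smoke test.
count_alerts() {
  sample_audit_log | triage_audit_log | grep -c ALERT
}

if [ "${1:-}" = "run" ]; then
  sample_audit_log | triage_audit_log
fi
```

Run with the argument run to see the four findings from the sample; in practice, feed the script the message field of the CloudWatch events and route the ALERT lines to whatever alerting path the team already uses.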