How can I enable Advanced Auditing for my Amazon Aurora MySQL DB cluster and then publish the logs to CloudWatch?

Last updated: 2019-07-30

To meet compliance requirements, I want to enable audit logging on my Amazon Aurora MySQL DB cluster to audit database activity. Then, I want to publish the DB logs to Amazon CloudWatch so that I can perform real-time data analysis. How can I do this?

Short Description

Use Advanced Auditing with Amazon Aurora to record and audit database events such as connections, disconnections, tables queried, or types of queries issued (DML, DDL, or DCL) on an Aurora MySQL DB cluster. For more information about the type of information included in the log files, see Audit Log Details.

First, enable the Advanced Auditing parameters on the associated custom DB cluster parameter group. Then, you can publish the Advanced Auditing logs to CloudWatch.

Note: If you use Amazon Relational Database Service (Amazon RDS) for MySQL or MariaDB, see How can I enable audit logging for an Amazon RDS MySQL or MariaDB instance and publish the logs to CloudWatch?

Resolution

Advanced Auditing supports the following database capacity types:

  • Aurora Provisioned
  • Aurora Provisioned with Aurora parallel query support
  • Aurora Serverless

If you use Aurora Serverless, you must enable the audit logging parameters, but you don't need to enable exporting logs to CloudWatch. Aurora Serverless clusters automatically upload the types of logs that you enable through the configuration parameters, so you enable or disable log uploads for Aurora Serverless clusters by modifying the value of the different log types in the DB cluster parameter group.

Enabling Advanced Auditing parameters on the cluster parameter group

  1. Create a custom DB cluster parameter group.
  2. Modify the parameters for Advanced Auditing.
  3. Modify the cluster to associate the new custom DB parameter group with your Aurora MySQL DB cluster.

For details about the Advanced Auditing parameters, see Enabling Advanced Auditing. These parameters are dynamic, so you don't need to reboot your DB cluster. However, when you change the parameter group from default to a custom parameter group, you must manually reboot the DB instance to apply the new DB parameter group.

Publishing the Advanced Auditing logs to CloudWatch

  1. Open the Amazon RDS console.
  2. Choose Databases from the navigation pane.
  3. Select the Aurora MySQL DB cluster for which you want to export log data to CloudWatch.
  4. Choose Modify.
  5. From the Log exports section, select Audit log.
  6. Choose Continue.
  7. Review the Summary of modifications, and choose Modify cluster.

Or, you can publish Advanced Auditing logs to CloudWatch Logs by setting the value for the cluster-level DB parameter server_audit_logs_upload to 1. The default value for the parameter is 0. You can also use the AWS Command Line Interface (AWS CLI) to enable CloudWatch log exports by running a command similar to the following:

aws rds modify-db-cluster --db-cluster-identifier <mydbcluster> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
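The following script is an added example that walks through both procedures above (create a custom cluster parameter group, set the Advanced Auditing parameters, associate the group with the cluster, reboot the members, and publish the audit log to CloudWatch Logs) with the AWS CLI. It is not part of the Knowledge Center article. The cluster identifier mydbcluster is the article's placeholder; the parameter group name aurora-mysql-audit and the family aurora-mysql5.7 are assumptions to replace with your own values. The parameter names server_audit_logging and server_audit_events come from the Aurora MySQL Advanced Auditing documentation rather than this page; server_audit_logs_upload is the cluster parameter the article names. The AWS_CLI variable exists so the functions can be exercised with a stand-in command that only prints its arguments.

```shell
#!/bin/sh
# Added example (not from the AWS article): enable Aurora MySQL Advanced Auditing and
# publish the audit log to CloudWatch Logs with the AWS CLI.
# Assumptions: the AWS CLI is installed and configured; the group name, family and
# cluster identifier below are placeholders to replace with your own.

AWS_CLI="${AWS_CLI:-aws}"   # point this at a stand-in command to inspect the calls offline

# JSON for --parameters. JSON is used instead of shorthand syntax because the comma-separated
# event list in server_audit_events would otherwise be split by the shorthand parser.
# server_audit_logs_upload=1 is what Aurora Serverless needs; provisioned clusters also get
# the export configuration applied in attach_group_and_export below.
audit_parameters_json() {
  events="$1"
  printf '[{"ParameterName":"server_audit_logging","ParameterValue":"1","ApplyMethod":"immediate"},'
  printf '{"ParameterName":"server_audit_events","ParameterValue":"%s","ApplyMethod":"immediate"},' "$events"
  printf '{"ParameterName":"server_audit_logs_upload","ParameterValue":"1","ApplyMethod":"immediate"}]'
}

# Step 1: create the custom DB cluster parameter group.
create_audit_parameter_group() {
  group="$1"; family="$2"
  "$AWS_CLI" rds create-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$group" \
    --db-parameter-group-family "$family" \
    --description "Aurora MySQL cluster group with Advanced Auditing enabled"
}

# Step 2: set the Advanced Auditing parameters (dynamic, no reboot needed for these).
set_audit_parameters() {
  group="$1"; events="$2"
  "$AWS_CLI" rds modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$group" \
    --parameters "$(audit_parameters_json "$events")"
}

# Step 3 plus the CloudWatch export: associate the group and enable the audit log export
# in one modify-db-cluster call.
attach_group_and_export() {
  cluster="$1"; group="$2"
  "$AWS_CLI" rds modify-db-cluster \
    --db-cluster-identifier "$cluster" \
    --db-cluster-parameter-group-name "$group" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
    --apply-immediately
}

# Switching from the default group to a custom group takes effect only after each
# instance in the cluster is rebooted.
reboot_cluster_members() {
  cluster="$1"
  for instance in $("$AWS_CLI" rds describe-db-clusters --db-cluster-identifier "$cluster" \
      --query 'DBClusters[0].DBClusterMembers[].DBInstanceIdentifier' --output text); do
    "$AWS_CLI" rds reboot-db-instance --db-instance-identifier "$instance"
  done
}

# Verification: succeeds only if "audit" is among the cluster's enabled log exports.
audit_export_enabled() {
  cluster="$1"
  "$AWS_CLI" rds describe-db-clusters --db-cluster-identifier "$cluster" \
    --query 'DBClusters[0].EnabledCloudwatchLogsExports' --output text | grep -qw audit
}

CLUSTER="${CLUSTER:-mydbcluster}"                 # placeholder from the article's CLI example
GROUP="${GROUP:-aurora-mysql-audit}"              # assumed custom group name
FAMILY="${FAMILY:-aurora-mysql5.7}"               # assumed family; match your engine version
EVENTS="${EVENTS:-CONNECT,QUERY_DDL,QUERY_DCL}"   # connections plus schema and privilege changes

# Guard: nothing is sent to AWS unless the caller explicitly asks for it.
if [ "${AURORA_AUDIT_APPLY:-0}" = "1" ]; then
  create_audit_parameter_group "$GROUP" "$FAMILY"
  set_audit_parameters "$GROUP" "$EVENTS"
  attach_group_and_export "$CLUSTER" "$GROUP"
  reboot_cluster_members "$CLUSTER"
  audit_export_enabled "$CLUSTER" && echo "audit log export enabled on $CLUSTER"
fi
```

Run it with AURORA_AUDIT_APPLY=1 after setting CLUSTER, GROUP and FAMILY for your environment. The event list deliberately leaves out QUERY_DML; add it if your compliance requirement covers row-level changes, and expect a noticeably higher log volume in CloudWatch when you do.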

After you enable audit logging and modify the cluster to export logs, the events recorded in the audit logs are sent to CloudWatch Logs, where you can monitor the log events.