Closed rdegraaf closed 4 months ago
I found the following from Trend Micro that may be of use:
I have a draft commit for this:
https://github.com/appdefensealliance/ASA-WG/compare/main...64-cloud-profile-6518-missing-details
Any comments/suggestions?
The Cloud profile requirement for AWS, 6.15.8 "Database logging should be enabled", does not currently have a defined "Evidence" process. As a result, it is not clear what assessors should check to determine if a Cloud environment complies with this requirement.
The requirement does link to an AWS Security Hub guideline, "[RDS.9] RDS DB instances should publish logs to CloudWatch Logs". That provides a little more detail (in that we're talking about CloudWatch Logs, not some other log destination) and lists the specific logs generated by different database engines that must be published, but doesn't indicate how to determine if they are being published. That page, in turn, links to "Specifying the logs to publish to CloudWatch Logs", which describes a process for enabling logging to CloudWatch using the AWS Console but doesn't indicate how to do it using the AWS CLI.
This rule should have a similar level of detail to all other AWS-related rules, including how to verify compliance using the AWS CLI.
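A verification check of the kind this issue asks for, written here as an added example and not taken from the project's draft commit: it consumes the JSON from `aws rds describe-db-instances --output json` (a constructed sample is embedded) and reports each instance missing any of its engine's required CloudWatch Logs exports. The per-engine minimum sets in `REQUIRED_LOGS` are my transcription of the RDS.9 control and are an assumption to confirm against the linked control page.

```python
"""Offline check of RDS instances against an RDS.9-style log-export requirement.
Input: the JSON from `aws rds describe-db-instances --output json`. A constructed
sample is embedded so the script runs without AWS credentials."""
import json
# Minimum log types per engine family. ASSUMPTION: transcribed from the Security
# Hub RDS.9 control text; confirm against the linked control page before use.
# API Engine strings such as "oracle-se2" map to a family by exact match or prefix.
REQUIRED_LOGS = {
    "mysql": {"audit", "error", "general", "slowquery"},
    "mariadb": {"audit", "error", "general", "slowquery"},
    "aurora-mysql": {"audit", "error", "general", "slowquery"},
    "postgres": {"postgresql", "upgrade"},
    "aurora-postgresql": {"postgresql", "upgrade"},
    "oracle": {"alert", "audit", "trace", "listener"},
    "sqlserver": {"error", "agent"},
}

def required_logs_for(engine):
    """Return the required export set for an Engine value, or None if uncovered."""
    for family, logs in REQUIRED_LOGS.items():
        if engine == family or engine.startswith(family + "-"):
            return logs
    return None

def find_noncompliant(describe_output):
    """Map each non-compliant DBInstanceIdentifier to its sorted missing log types.
    Aurora exports are configured on the cluster, so run the same comparison
    over `aws rds describe-db-clusters` output for those engines as well."""
    findings = {}
    for db in describe_output.get("DBInstances", []):
        required = required_logs_for(db.get("Engine", ""))
        if required is None:
            continue  # engine not covered by the control
        # The key is absent from the API response when nothing is exported.
        enabled = set(db.get("EnabledCloudwatchLogsExports", []))
        missing = sorted(required - enabled)
        if missing:
            findings[db["DBInstanceIdentifier"]] = missing
    return findings

# Constructed sample: one compliant instance, one partial, one with no exports.
SAMPLE = json.loads("""{"DBInstances": [
 {"DBInstanceIdentifier": "app-db", "Engine": "postgres",
  "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
 {"DBInstanceIdentifier": "legacy-db", "Engine": "mysql",
  "EnabledCloudwatchLogsExports": ["error"]},
 {"DBInstanceIdentifier": "reports-db", "Engine": "sqlserver-ex"}]}""")
if __name__ == "__main__":
    print(json.dumps(find_noncompliant(SAMPLE), indent=2))
```

An empty result means every covered instance exports its full required set; a non-empty one lists exactly which log types an assessor should ask to have enabled.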