Closed rhardingpax8 closed 1 year ago
Hey @robh-wirehive, thanks for using Steampipe, and thanks for the suggestion.
Looking at the config rule for rds-logging-enabled, it does not specifically recommend this for DocDB instances as of now.
On trying with AWS Config we get the results as you see below. We had a DocDB instance live with logging disabled, but it wasn't detected by the config rule, but the RDS instance was.
Hey @karanpopat - thanks for the research and looking at this. What I am seeing then is a false positive, as Steampipe/AWS sees DocDB as an RDS instance service, and therefore marks the service as non-compliant when logs are not enabled for this resource. So would it be necessary for DocDB not to be included in this check?
Thanks
@robh-wirehive we have updated the query to filter out the DocDB resources. Please let us know if this PR fixes your issue 👍 .
Thanks for continuously tracking and testing the changes.
Great collaboration 🎉
Thank you @misraved for the quick turnaround :)
The query rds_db_instance_logging_enabled uses the rds_db_instances table, which reports back docdb as one of the DB types in the database. However, the query doesn't account for this type of database, and so always reports error when the
https://hub.steampipe.io/mods/turbot/aws_compliance/queries/rds_db_instance_logging_enabled
I believe the following code lines can be added to the file
Line 11
when engine like 'docdb%' and enabled_cloudwatch_logs_exports ?& array ['audit','profiler'] then 'ok'
Line 25-26
when engine like 'docdb%' and enabled_cloudwatch_logs_exports ?& array ['audit','profiler'] then title || ' ' || engine || ' logging enabled.'
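
The two approaches discussed in this thread, side by side, as an added example that is not part of the original issue or the mod's own query. It runs on plain PostgreSQL against a constructed temp table; the table name, the sample rows, the postgres branch's log types and the `not like 'docdb%'` filter are assumptions.

```sql
-- Constructed sample rows; table name and values are assumptions for illustration.
create temp table sample_rds_db_instance (
  title text,
  engine text,
  enabled_cloudwatch_logs_exports jsonb
);

insert into sample_rds_db_instance values
  ('pg-logged',   'postgres', '["postgresql", "upgrade"]'),
  ('pg-nolog',    'postgres', null),
  ('docdb-full',  'docdb',    '["audit", "profiler"]'),
  ('docdb-audit', 'docdb',    '["audit"]'),
  ('docdb-nolog', 'docdb',    null);

-- Side by side: status without a docdb branch, and with the branch proposed in the issue.
-- A null export list makes ?& return null, so the row falls through to 'alarm'.
select
  title,
  engine,
  case
    -- Stand-in for the query's existing per-engine branches (assumed log types).
    when engine like '%postgres%'
      and enabled_cloudwatch_logs_exports ?& array['postgresql', 'upgrade'] then 'ok'
    else 'alarm'
  end as status_without_docdb_branch,
  case
    when engine like '%postgres%'
      and enabled_cloudwatch_logs_exports ?& array['postgresql', 'upgrade'] then 'ok'
    when engine like 'docdb%'
      and enabled_cloudwatch_logs_exports ?& array['audit', 'profiler'] then 'ok'
    else 'alarm'
  end as status_with_docdb_branch
from sample_rds_db_instance
order by title;

-- Alternative: leave DocDB out of the RDS check entirely (filter predicate is an assumption).
select
  title,
  engine,
  case
    when engine like '%postgres%'
      and enabled_cloudwatch_logs_exports ?& array['postgresql', 'upgrade'] then 'ok'
    else 'alarm'
  end as status
from sample_rds_db_instance
where engine not like 'docdb%'
order by title;
```

With the filter approach, DocDB audit logging is no longer evaluated by this control, so it needs its own check if it is to be tracked.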