Ensure PGAudit is enabled on RDS Postgres instances

Error: PGAudit is not enabled on RDS Postgres instances

Bridgecrew Policy ID: BC_AWS_GENERAL_36
Severity: LOW

PGAudit is not enabled on RDS Postgres instances


Postgres database instances can be enabled for auditing with PGAudit, the PostgresSQL Audit Extension. With PGAudit enabled you will be able to audit any database, its roles, relations, or columns.

See the PGAudit for a full description of the auditing features.

Fix - Runtime

AWS Console

To view Scheduled Events, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to the AMazon RDS console.
  3. Select "Parameter Groups".
  4. If you are using the default group you must create a new group. Select your new or non default group.
  5. In the Parameter search bar, enter pgaudit.role.
  6. Select Edit Parameter and set the value to rds_pgaudit. When editing is finished, click Save.
  7. If you have created a new group you must edit your Instances setting.
  8. To view your DB instances, select Databases from the navigation pane.
  9. Select and modify your DB identifier.
  10. In Database options, select the DB parameter group dropdown and your new group, then click Continue.
  11. Select to apply now or in your next scheduled maintenance window.

Fix - Buildtime


This buildtime fix requires a combination of resources: the RDS instance and a customer db parameter group.
Ensure that var.family is set to one of the Postgres options, for example, postgres11/12.



When updating the parameter group on your db instance, make a note of the apply_method setting. This will help to avoid outages.

Resource aws_db_instance + aws_db_parameter_group

resource "aws_db_instance" "instance" {
   parameter_group_name = aws_db_parameter_group.custom.name

resource "aws_db_parameter_group" "custom" {
  name        = var.custom_db_group_name
  family = var.family
  parameter {
    #can be pending-reboot or immediate, but immediate will reboot your db
    apply_method = "pending-reboot"
    name         = "shared_preload_libraries"
    value        = "pgaudit"

  parameter {
    apply_method = "pending-reboot"
    name         = "pgaudit.role"
    value        = "rds_pgaudit"