Ensure Postgres RDS has Query Logging enabled
Error: Postgres RDS does not have Query Logging enabled
Bridgecrew Policy ID: BC_AWS_GENERAL_96
Checkov Check ID: CKV2_AWS_30
Severity: LOW
Ensure Postgres RDS as aws_db_instance has Query Logging enabled
Description
This check ensures that you have enabled query logging set up for your PostgreSQL database instance. An instance needs to have a non-default parameter group and two parameters set - that of log_statement and log_min_duration_statement, these need to be set to all and 1 respectively to get sufficient logs.
Note
Setting querying logging can expose secrets (including passwords) from your queries, - restrict and encrypt to mitigate.
Fix - Buildtime
Terraform
You will need to have a resource aws_db_instance that refers to your aws_db_parameter_group attribute: parameter_group_name. With that in place the following parameters need to be set:
resource "aws_db_parameter_group" "examplea" {
name = "rds-cluster-pg"
family = "postgres10"
+ parameter {
+ name="log_statement"
+ value="all"
+ }
+ parameter {
+ name="log_min_duration_statement"
+ value="1"
+ }
}
For more details see the aws docs here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.Concepts.PostgreSQL.html
Updated about 1 year ago