Ensure Postgres RDS has Query Logging enabled

Error: Postgres RDS does not have Query Logging enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_96
Checkov Check ID: CKV2_AWS_30
Severity: LOW

Ensure Postgres RDS as aws_db_instance has Query Logging enabled


This check ensures that query logging is enabled for your PostgreSQL RDS instance. The instance must use a non-default parameter group in which two parameters are set: log_statement and log_min_duration_statement. These need to be set to all and 1 respectively to produce sufficient logs.

Enabling query logging can expose secrets (including passwords) that appear in query text; restrict access to the logs and encrypt them to mitigate this.

Fix - Buildtime


You will need an aws_db_instance resource whose parameter_group_name attribute refers to your aws_db_parameter_group. With that in place, the following parameters need to be set in the parameter group:

resource "aws_db_parameter_group" "examplea" {
  name   = "rds-cluster-pg"
  family = "postgres10"

+  parameter {
+    name  = "log_statement"
+    value = "all"
+  }

+  parameter {
+    name  = "log_min_duration_statement"
+    value = "1"
+  }
}

For more details see the aws docs here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.Concepts.PostgreSQL.html
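As an added illustration (not Checkov's or Bridgecrew's own code), the following Python models the logic of this check over pre-parsed Terraform resources: an aws_db_instance passes only if its parameter_group_name resolves to an aws_db_parameter_group that carries both required parameter values, and an instance with no explicit group (the AWS default group) fails. The resource dicts and their label/name field layout are constructed assumptions.

```python
# Toy re-implementation of the CKV2_AWS_30 logic over pre-parsed Terraform resources.
from typing import Dict, List, Optional

REQUIRED = {"log_statement": "all", "log_min_duration_statement": "1"}

# Constructed sample resources: "label" is the Terraform block label, "name" the attribute.
SAMPLE_RESOURCES: List[Dict] = [
    {"type": "aws_db_parameter_group", "label": "examplea", "name": "rds-cluster-pg",
     "family": "postgres10",
     "parameter": [{"name": "log_statement", "value": "all"},
                   {"name": "log_min_duration_statement", "value": "1"}]},
    {"type": "aws_db_parameter_group", "label": "quiet", "name": "rds-quiet-pg",
     "family": "postgres10",
     "parameter": [{"name": "log_statement", "value": "none"}]},
    {"type": "aws_db_instance", "label": "logged", "engine": "postgres",
     "parameter_group_name": "${aws_db_parameter_group.examplea.name}"},
    {"type": "aws_db_instance", "label": "literal", "engine": "postgres",
     "parameter_group_name": "rds-cluster-pg"},           # literal name, not a reference
    {"type": "aws_db_instance", "label": "quiet", "engine": "postgres",
     "parameter_group_name": "${aws_db_parameter_group.quiet.name}"},
    {"type": "aws_db_instance", "label": "default", "engine": "postgres"},  # default group
    {"type": "aws_db_instance", "label": "mysql", "engine": "mysql"},       # out of scope
]


def referenced_group(instance: Dict, groups: Dict[str, Dict]) -> Optional[Dict]:
    """Resolve parameter_group_name: either "${aws_db_parameter_group.<label>.name}"
    or a literal group name. None means the AWS default group, which never logs queries."""
    ref = instance.get("parameter_group_name")
    if not ref:
        return None
    prefix = "${aws_db_parameter_group."
    if ref.startswith(prefix):
        return groups.get(ref[len(prefix):].split(".")[0])
    return next((g for g in groups.values() if g.get("name") == ref), None)


def check_query_logging(resources: List[Dict]) -> Dict[str, bool]:
    """Return {instance label: passed} for every Postgres aws_db_instance."""
    groups = {r["label"]: r for r in resources if r["type"] == "aws_db_parameter_group"}
    results: Dict[str, bool] = {}
    for r in resources:
        if r["type"] != "aws_db_instance" or r.get("engine") != "postgres":
            continue
        group = referenced_group(r, groups) or {}
        params = {p["name"]: str(p["value"]) for p in group.get("parameter", [])}
        results[r["label"]] = all(params.get(k) == v for k, v in REQUIRED.items())
    return results
```

Calling check_query_logging(SAMPLE_RESOURCES) reports logged and literal as passing and quiet and default as failing; the MySQL instance is out of scope and not reported.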