To meet compliance requirements, I want to audit database activity on my Amazon Aurora MySQL-Compatible Edition DB cluster. Then, I want to publish the logs to Amazon CloudWatch to analyze my real-time data.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use Advanced Auditing to record and audit database events such as connections, disconnections, queried tables, and query type. You can use Advanced Auditing for Aurora, Aurora with parallel query support, and Aurora Serverless database capacity types.
If you use Amazon Relational Database Service (Amazon RDS) for MySQL or MariaDB, then see How can I activate audit logging for an Amazon RDS for MySQL or MariaDB instance and publish the logs to CloudWatch?
To use audit logging, activate Advanced Auditing. Then, publish the logs to CloudWatch.
Activate Advanced Auditing
Complete the following steps:
- Create a custom DB cluster parameter group.
- Modify the parameters for Advanced Auditing.
- Modify the cluster to associate the new custom DB parameter group with your Aurora MySQL-Compatible DB cluster.
The parameters are dynamic, so you don't need to reboot your DB cluster. If you change the default parameter group to a custom parameter group, then you must manually reboot the DB instance.
Publish the logs to CloudWatch
To publish the Advanced Auditing logs to CloudWatch, use the Amazon RDS console or the AWS CLI. Or, set the DB cluster parameter server_audit_logs_upload to 1. The default value for this parameter is 0.
Use CloudWatch to monitor the log events.
Note: For audit data to appear in the logs, you must use the server_audit_events parameter to define one or more types of events to audit.
For more information about the type of information that you can find in the log files, see Audit log details.
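The activation steps and the CloudWatch export above, as one added example script (this is not AWS's own code; the cluster identifier, parameter group name, engine family and event list are assumptions you replace with your own). It uses the AWS CLI rds subcommands for each step, and checks the event list against the event types that Advanced Auditing accepts before it changes anything, so a typo in server_audit_events cannot silently leave the audit log empty:

```shell
#!/bin/sh
# Added example: turn on Aurora MySQL Advanced Auditing and publish the audit
# log to CloudWatch Logs with the AWS CLI. Values below are assumptions.
set -eu

CLUSTER_ID="${CLUSTER_ID:-my-aurora-cluster}"          # assumed cluster identifier
PARAM_GROUP="${PARAM_GROUP:-aurora-audit-params}"       # assumed custom group name
FAMILY="${FAMILY:-aurora-mysql8.0}"                     # must match your cluster's engine
AUDIT_EVENTS="${AUDIT_EVENTS:-CONNECT,QUERY_DDL,QUERY_DCL,TABLE}"

# Accept only the event types defined for server_audit_events; reject an
# empty list or any unknown name so the audit log cannot be silently empty.
validate_events() {
    [ -n "$1" ] || return 1
    for _ev in $(printf '%s' "$1" | tr ',' ' '); do
        case "$_ev" in
            CONNECT|QUERY|QUERY_DDL|QUERY_DML|QUERY_DCL|TABLE) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Build the --parameters value as JSON: the event list itself contains commas,
# which would break the CLI's shorthand syntax. All three parameters are
# dynamic, so ApplyMethod=immediate needs no reboot.
audit_parameters_json() {
    printf '[{"ParameterName":"server_audit_logging","ParameterValue":"1","ApplyMethod":"immediate"},'
    printf '{"ParameterName":"server_audit_events","ParameterValue":"%s","ApplyMethod":"immediate"},' "$1"
    printf '{"ParameterName":"server_audit_logs_upload","ParameterValue":"1","ApplyMethod":"immediate"}]'
}

enable_audit_logging() {
    validate_events "$AUDIT_EVENTS" || {
        echo "unknown or empty event type in: '$AUDIT_EVENTS'" >&2
        return 1
    }

    # Step 1: create a custom DB cluster parameter group (the default group
    # cannot be edited).
    aws rds create-db-cluster-parameter-group \
        --db-cluster-parameter-group-name "$PARAM_GROUP" \
        --db-parameter-group-family "$FAMILY" \
        --description "Aurora MySQL Advanced Auditing"

    # Step 2: set the Advanced Auditing parameters in that group.
    aws rds modify-db-cluster-parameter-group \
        --db-cluster-parameter-group-name "$PARAM_GROUP" \
        --parameters "$(audit_parameters_json "$AUDIT_EVENTS")"

    # Step 3: associate the group with the cluster and, in the same call,
    # export the "audit" log type to CloudWatch Logs.
    aws rds modify-db-cluster \
        --db-cluster-identifier "$CLUSTER_ID" \
        --db-cluster-parameter-group-name "$PARAM_GROUP" \
        --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
        --apply-immediately

    # Switching from the default group to a custom group requires a manual
    # reboot of each instance in the cluster.
    for _inst in $(aws rds describe-db-clusters \
            --db-cluster-identifier "$CLUSTER_ID" \
            --query 'DBClusters[0].DBClusterMembers[].DBInstanceIdentifier' \
            --output text); do
        aws rds reboot-db-instance --db-instance-identifier "$_inst"
    done
}

# The AWS calls run only when the script is invoked with "apply"; sourcing
# the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    enable_audit_logging
fi
```

Run it as `CLUSTER_ID=<your-cluster> sh enable_audit.sh apply` with credentials that permit the rds:CreateDBClusterParameterGroup, rds:ModifyDBClusterParameterGroup, rds:ModifyDBCluster and rds:RebootDBInstance actions; the cluster parameter group family must match the engine version of the cluster, otherwise the association in step 3 is rejected.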
Related information
Auditing an Amazon Aurora cluster
Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs