
Ensure replication commands have not been sent to an unexpected host - Aurora PostgreSQL Serverless V2

0

My company has been tasked with ensuring 'replication commands that are executed in your database cluster are not off-loaded to an unexpected/undesired location'. As mitigation, log_replication_commands was enabled, and as a result we seem to generate over 10 GB of logs over a couple of days. We are seeking other methods for compliance, as this seems rather costly. As an alternative, I am considering querying pg_stat_replication on an interval and comparing against what's expected, alerting when it does not match. Is this sufficient, or are there other possible scenarios where commands can be offloaded?


2 Answers
2

To maintain compliance without the overhead of log_replication_commands (which can generate 10GB+ of logs), you can pivot to a multi-layered monitoring strategy using AWS Config and AWS CloudTrail.

Instead of just logging unauthorized access, prevent it and audit the configuration:

  • AWS Config Managed Rules: Deploy rds-instance-public-access-check and vpc-sg-open-only-to-authorized-ports. This provides cryptographic evidence that the database port (5432) was never exposed to the public internet or untrusted CIDRs.
  • CloudTrail & IAM Auth: Enable IAM Database Authentication. This records every connection request (rds-db:connect) in CloudTrail. It allows you to audit who accessed the database without needing verbose engine logs.

To replace the specific logging of replication commands, use an AWS Config Custom Rule backed by an AWS Lambda function.

  • The Lambda function periodically queries the database to ensure no unauthorized replication infrastructure exists.
  • If an unexpected host or slot is found, AWS Config marks the resource as NON_COMPLIANT. This creates a timestamped record for auditors, proving the environment was in a "Known Good" state at every check interval.

CloudTrail: Monitor the ModifyDBSnapshotAttribute API call. This prevents/audits the "off-loading" of data via unauthorized RDS snapshot sharing with external AWS accounts.

RDS Event Subscriptions: Enable these to capture cluster-level changes (e.g., adding a Cross-Region Replica or a Global Database member), providing an audit trail for infrastructure-based replication.

So, by implementing AWS Config Custom Rules to audit internal replication states, you transition from reactive log-diving to proactive alerting. You satisfy the compliance requirement by proving the environment remains in a "Known Good" state, significantly reducing costs by only paying for the minimal execution time of the Lambda function.

EXPERT
answered 2 months ago
0

Use PostgreSQL monitoring (pg_stat_replication, replication slots, and subscriptions) along with network restrictions and AWS governance controls like Disallow AWS Regions and AWS Organizations Service Control Policies to prevent and detect unauthorized replication without heavy logging. https://docs.aws.amazon.com/controltower/latest/controlreference/ou-region-deny.html

answered 2 months ago
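The interval check the question proposes, the Lambda-backed Config custom rule in the first answer, and the pg_stat_replication / replication-slot / subscription monitoring in the second answer all reduce to the same core: take a snapshot of the cluster's replication catalog views, compare it against an allowlist, and emit a COMPLIANT or NON_COMPLIANT evaluation. The following is an added illustration, not code from either answer or from AWS; the SQL it lists is what the checker would run, but the rows it evaluates are constructed in-line so the logic runs offline, and the allowlist values, slot names and cluster identifier are hypothetical placeholders.

```python
"""Allowlist check over PostgreSQL replication state (added example, not AWS code)."""
import ipaddress
from datetime import datetime, timezone

# SQL the periodic checker would run (assumed role: a read-only user with pg_monitor).
# pg_stat_replication and pg_replication_slots describe the outbound direction
# (a walsender streaming WAL out of this cluster, or a slot reserved for one);
# pg_subscription describes inbound logical subscriptions on this cluster.
QUERIES = {
    "pg_stat_replication": (
        "SELECT client_addr::text, application_name, state FROM pg_stat_replication"
    ),
    "pg_replication_slots": (
        "SELECT slot_name, slot_type, active FROM pg_replication_slots"
    ),
    "pg_subscription": "SELECT subname, subenabled FROM pg_subscription",
}

# Hypothetical allowlist. In a deployment this would come from the Config rule's
# input parameters rather than being hard-coded.
POLICY = {
    "allowed_client_networks": ["10.0.0.0/16"],  # the cluster's own VPC CIDR (assumed)
    "allow_local_walsenders": False,             # client_addr IS NULL (unix-socket peer)
    "allowed_slots": {"expected_dr_slot"},       # constructed slot name
    "allowed_subscriptions": set(),              # this cluster should subscribe to nothing
}


def evaluate(snapshot, policy):
    """Return human-readable findings for anything outside the allowlist; empty means compliant."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in policy["allowed_client_networks"]]

    for row in snapshot.get("pg_stat_replication", []):
        addr = row.get("client_addr")
        if addr is None:  # edge case: local walsender shows no client address
            if not policy["allow_local_walsenders"]:
                findings.append(f"local walsender '{row.get('application_name')}' not allowed")
            continue
        if not any(ipaddress.ip_address(addr) in net for net in nets):
            findings.append(
                f"walsender to unexpected host {addr} "
                f"(app={row.get('application_name')}, state={row.get('state')})"
            )

    for row in snapshot.get("pg_replication_slots", []):
        if row["slot_name"] not in policy["allowed_slots"]:
            status = "active" if row.get("active") else "inactive"
            findings.append(f"unexpected {row.get('slot_type')} slot '{row['slot_name']}' ({status})")

    for row in snapshot.get("pg_subscription", []):
        if row["subname"] not in policy["allowed_subscriptions"]:
            findings.append(f"unexpected subscription '{row['subname']}'")

    return findings


def to_config_evaluation(findings, resource_id, resource_type="AWS::RDS::DBCluster", now=None):
    """Shape one entry for AWS Config PutEvaluations; Annotation is capped at 256 characters."""
    now = now or datetime.now(timezone.utc)
    annotation = "; ".join(findings) if findings else "replication state matches allowlist"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": resource_id,
        "ComplianceType": "NON_COMPLIANT" if findings else "COMPLIANT",
        "Annotation": annotation[:256],
        "OrderingTimestamp": now,
    }


# Constructed sample rows standing in for the query results above (not real cluster output).
SAMPLE_SNAPSHOT = {
    "pg_stat_replication": [
        {"client_addr": "10.0.12.34", "application_name": "reader-1", "state": "streaming"},
        {"client_addr": "203.0.113.7", "application_name": "pg_basebackup", "state": "backup"},
    ],
    "pg_replication_slots": [
        {"slot_name": "expected_dr_slot", "slot_type": "physical", "active": True},
        {"slot_name": "cdc_slot_nobody_registered", "slot_type": "logical", "active": False},
    ],
    "pg_subscription": [],
}


def run_sample():
    """Evaluate the constructed snapshot and return the Config evaluation entry."""
    findings = evaluate(SAMPLE_SNAPSHOT, POLICY)
    return to_config_evaluation(findings, "db-cluster-PLACEHOLDER")


if __name__ == "__main__":
    for line in evaluate(SAMPLE_SNAPSHOT, POLICY):
        print("FINDING:", line)
    print(run_sample()["ComplianceType"])
```

Two details matter for the "other scenarios" part of the question: a walsender over a local socket reports a NULL client_addr, so the checker must treat that as a finding rather than silently skipping it, and an inactive logical slot still retains WAL and can be consumed later, so slots are compared by name regardless of the active flag. The returned dict is the shape Config's PutEvaluations expects per resource; the Lambda would pass a list of them together with the invocation's result token.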
