Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs¶

This control checks whether an Amazon Aurora PostgreSQL DB cluster is configured to publish logs to Amazon CloudWatch Logs. The control fails if the Aurora PostgreSQL DB cluster isn't configured to publish PostgreSQL logs to CloudWatch Logs.

How to fix¶

Attribute enabled_cloudwatch_logs_exports of aws_rds_cluster must be non-empty.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/rds-aurora/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "rds_aurora" {
  source  = "terraform-aws-modules/rds-aurora/aws"
  version = ">=10.0.0,<11.0.0"

  engine         = "aurora-postgresql"
  engine_version = "16.1"
  instances = {
    one = {
      instance_class = "db.r6g.large"
    }
  }
  master_username = "root"
  name            = "abc123"
  subnets         = []
  vpc_id          = ""
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_rds_cluster.

resource "aws_rds_cluster" "this" {
  backtrack_window                = 72
  cluster_identifier              = "pofix-example-cluster"
  enabled_cloudwatch_logs_exports = ["audit", "postgresql"]
  engine                          = "aurora-mysql"
  master_password                 = "ChangeMe123!"
  master_username                 = "dbadmin"
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: rds_db_cluster_aurora_postgres_logging_enabled

• AWS Config Managed Rule: RDS_AURORA_POSTGRESQL_LOGS_TO_CLOUDWATCH

• Powerpipe Control: aws_compliance.control.rds_db_cluster_aurora_postgres_logging_enabled