AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-07-16 · Security-related medium

File: securityhub/latest/userguide/rds-controls.md

Summary

Added new control [RDS.45] requiring audit logging for Aurora MySQL DB clusters

Security assessment

The change introduces a security control requiring audit logging to capture database activity for security/compliance audits. It explicitly references NIST security standards and addresses detection of unauthorized access/modifications through logging.

Diff

diff --git a/securityhub/latest/userguide/rds-controls.md b/securityhub/latest/userguide/rds-controls.md
index 7cbd64cb6..ebc9824b8 100644
--- a//securityhub/latest/userguide/rds-controls.md
+++ b//securityhub/latest/userguide/rds-controls.md
@@ -5 +5 @@
-[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.44] RDS for MariaDB DB instances should be encrypted in transit
+[RDS.1] RDS snapshot should be private[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration[RDS.3] RDS DB instances should have encryption at-rest enabled[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest[RDS.5] RDS DB instances should be configured with multiple Availability Zones[RDS.6] Enhanced monitoring should be configured for RDS DB instances[RDS.7] RDS clusters should have deletion protection enabled[RDS.8] RDS DB instances should have deletion protection enabled[RDS.9] RDS DB instances should publish logs to CloudWatch Logs[RDS.10] IAM authentication should be configured for RDS instances[RDS.11] RDS instances should have automatic backups enabled[RDS.12] IAM authentication should be configured for RDS clusters[RDS.13] RDS automatic minor version upgrades should be enabled[RDS.14] Amazon Aurora clusters should have backtracking enabled[RDS.15] RDS DB clusters should be configured for multiple Availability Zones[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots[RDS.17] RDS DB instances should be configured to copy tags to snapshots[RDS.18] RDS instances should be deployed in a VPC[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events[RDS.22] An RDS event notifications subscription should be configured for critical database security group events[RDS.23] RDS instances should not use a database engine default port[RDS.24] RDS Database clusters should use a custom administrator username[RDS.25] RDS database instances should use a custom administrator username[RDS.26] RDS DB instances should be protected by a backup plan[RDS.27] RDS DB clusters should be encrypted at rest[RDS.28] RDS DB clusters should be tagged[RDS.29] RDS DB cluster snapshots should be tagged[RDS.30] RDS DB instances should be tagged[RDS.31] RDS DB security groups should be tagged[RDS.32] RDS DB snapshots should be tagged[RDS.33] RDS DB subnet groups should be tagged[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit[RDS.39] RDS for MySQL DB instances should be encrypted in transit[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs[RDS.41] RDS for SQL Server DB instances should be encrypted in transit[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs[RDS.44] RDS for MariaDB DB instances should be encrypted in transit[RDS.45] Aurora MySQL DB clusters should have audit logging enabled
@@ -1222,0 +1223,24 @@ For information about enabling SSL/TLS for connections to an Amazon RDS for Mari
+## [RDS.45] Aurora MySQL DB clusters should have audit logging enabled
+
+**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)
+
+**Category:** Identify > Logging
+
+**Severity:** Medium
+
+**Resource type:** `AWS::RDS::DBCluster`
+
+**AWS Config rule:** [aurora-mysql-cluster-audit-logging](https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-cluster-audit-logging.html)
+
+**Schedule type:** Periodic
+
+**Parameters:** None
+
+This control checks whether an Amazon Aurora MySQL DB cluster has audit logging enabled. The control fails if the DB parameter group associated with the DB cluster is not in sync, the `server_audit_logging` parameter is not set to `1`, or the `server_audit_events` parameter is set to an empty value.
+
+Database logs can assist with security and access audits and help diagnose availability issues. Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events that can be audited for security and compliance purposes.
+
+### Remediation
+
+For information about enabling logging for an Amazon Aurora MySQL DB cluster, see [Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.html) in the _Amazon Aurora User Guide_.
+