Updated on 2025-08-25 GMT+08:00

RDS Instances Have Audit Log Enabled

Rule Details

Table 1 Rule details

| Parameter | Description |
|---|---|
| Rule Name | rds-instance-enable-auditLog |
| Identifier | rds-instance-enable-auditLog |
| Description | If an RDS instance does not have the audit log enabled or has audit logs kept for less than the specified number of days, this instance is non-compliant. |
| Tag | rds |
| Trigger Type | Configuration change |
| Filter Type | rds.instances |
| Rule Parameters | keepDays: number of days for storing audit logs |

Application Scenarios

The database audit function records all user operations on the database in real time. This function logs, analyzes, and reports user activities in the database. Based on the audit logs, you can prepare compliance reports and track incidents, improving data asset security. For details, see Enabling Database Audit for Post-Event Backtracking.

Solution

Configure an audit log policy for your RDS instances as required. For details, see Setting SQL Audit and Enabling SQL Audit.

Rule Logic

  • If SQL audit is enabled for an RDS instance and the audit logs are retained for at least the required period, the instance is compliant.
  • If SQL audit is enabled for an RDS instance but the audit logs are retained for less than the required period, the instance is non-compliant.
  • If SQL audit is not enabled for an RDS instance, the instance is non-compliant.
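
The three cases above, applied to a small fleet, as an added example (not the service's own implementation of this rule). The record fields `audit_enabled` and `keep_days` and the instance IDs are hypothetical; `required_keep_days` stands in for the rule's keepDays parameter, and treating an unreported retention value as non-compliant is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InstanceAudit:
    """Constructed record; field names are hypothetical, not an RDS API schema."""
    instance_id: str
    audit_enabled: bool
    keep_days: Optional[int] = None  # None = retention not reported


def evaluate(inst: InstanceAudit, required_keep_days: int) -> Tuple[str, str]:
    """Apply the three Rule Logic cases to one instance; returns (state, reason)."""
    if isinstance(required_keep_days, bool) or not isinstance(required_keep_days, int) \
            or required_keep_days < 1:
        raise ValueError("keepDays must be a positive integer")
    if not inst.audit_enabled:
        return "NonCompliant", "SQL audit is not enabled"
    # Assumption: fail closed when audit is on but retention is unknown.
    if inst.keep_days is None:
        return "NonCompliant", "SQL audit enabled but retention not reported"
    if inst.keep_days < required_keep_days:
        return "NonCompliant", (
            f"retention {inst.keep_days} days < required {required_keep_days}")
    return "Compliant", f"retention {inst.keep_days} days >= required {required_keep_days}"


def non_compliant(fleet: List[InstanceAudit], required_keep_days: int) -> Dict[str, str]:
    """Map each non-compliant instance ID to the reason it failed."""
    findings = {}
    for inst in fleet:
        state, reason = evaluate(inst, required_keep_days)
        if state == "NonCompliant":
            findings[inst.instance_id] = reason
    return findings


# Constructed sample fleet covering each case, plus the boundary and unknown values.
SAMPLE_FLEET = [
    InstanceAudit("rds-example-a", True, 90),    # enabled, retention above requirement
    InstanceAudit("rds-example-b", True, 30),    # enabled, exactly the requirement
    InstanceAudit("rds-example-c", True, 7),     # enabled, retention too short
    InstanceAudit("rds-example-d", False),       # audit disabled
    InstanceAudit("rds-example-e", True, None),  # enabled, retention unknown
]

if __name__ == "__main__":
    for instance_id, reason in non_compliant(SAMPLE_FLEET, 30).items():
        print(f"{instance_id}: {reason}")
```
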