01 Run the modify-db-instance command (OSX/Linux/UNIX) to enable the Log Exports feature for the selected MySQL/MariaDB database instance by adding the --cloudwatch-logs-export-configuration parameter to the command request. The --cloudwatch-logs-export-configuration parameter specifies the log types to be exported to Amazon CloudWatch Logs. The following command request example uses the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your MySQL database application. If you omit the --apply-immediately parameter from the command request, Amazon RDS will apply your changes during the next maintenance window:
aws rds modify-db-instance \
    --region us-east-1 \
    --db-instance-identifier cc-project5-mysql-database \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error","general","slowquery"]}' \
    --apply-immediately
02 The command output should return the configuration metadata for the modified database instance:
{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MasterUsername": "ccadmin",
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-0abcd1234abcd1234"
            },
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-abcd1234"
            }
        ],
        "InstanceCreateTime": "2021-05-12T08:00:00.677Z",
        "CopyTagsToSnapshot": true,
        "OptionGroupMemberships": [
            {
                "Status": "in-sync",
                "OptionGroupName": "default:mysql-5-7"
            }
        ],
        "PendingModifiedValues": {
            "PendingCloudwatchLogsExports": {
                "LogTypesToEnable": [
                    "audit",
                    "error",
                    "general",
                    "slowquery"
                ]
            }
        },
        "Engine": "mysql",
        "MultiAZ": false,
        "DBSecurityGroups": [],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.mysql5.7",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "PerformanceInsightsEnabled": true,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "06:02-06:32",
        "DBSubnetGroup": {
            "Subnets": [
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-abcd1234",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1d"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-1234abcd",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1e"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-abcdabcd",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-12341234",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-abcd1234",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1f"
                    }
                },
                {
                    "SubnetStatus": "Active",
                    "SubnetIdentifier": "subnet-1234abcd",
                    "SubnetOutpost": {},
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1c"
                    }
                }
            ],
            "DBSubnetGroupName": "default-vpc-abcdabcd",
            "VpcId": "vpc-abcdabcd",
            "DBSubnetGroupDescription": "Created from the AWS Management Console",
            "SubnetGroupStatus": "Complete"
        },
        "ReadReplicaDBInstanceIdentifiers": [],
        "AllocatedStorage": 70,
        "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "thu:03:27-thu:03:57",
        "Endpoint": {
            "HostedZoneId": "ABCDABCDABCD",
            "Port": 3306,
            "Address": "cc-project5-mysql-database.abcdabcdabcd.us-east-1.rds.amazonaws.com"
        },
        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": true,
        "EngineVersion": "5.7.30",
        "DeletionProtection": true,
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB",
        "CACertificateIdentifier": "rds-ca-2019",
        "StorageEncrypted": true,
        "AssociatedRoles": [],
        "DBInstanceClass": "db.t3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-project5-mysql-database"
    }
}
03 Run the modify-db-cluster command (OSX/Linux/UNIX) to enable the Log Exports feature for the MySQL database instances within the selected Amazon Aurora cluster by adding the --cloudwatch-logs-export-configuration parameter to the command request. The following command request example uses the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora database application. If you omit the --apply-immediately parameter from the command request, Amazon Aurora will apply your changes during the next maintenance window:
aws rds modify-db-cluster \
    --region us-east-1 \
    --db-cluster-identifier cc-aurora-mysql-cluster \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error","general","slowquery"]}' \
    --apply-immediately
04 The command output should return the configuration metadata for the modified Aurora cluster:
{
    "DBCluster": {
        "MasterUsername": "ccadmin",
        "ReaderEndpoint": "cc-aurora-mysql-cluster.cluster-ro-abcdabcdabcd.us-east-1.rds.amazonaws.com",
        "HttpEndpointEnabled": false,
        "ReadReplicaIdentifiers": [],
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-0abcd1234abcd1234"
            },
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-abcd1234"
            }
        ],
        "CopyTagsToSnapshot": false,
        "HostedZoneId": "ABCDABCDABCDAB",
        "EngineMode": "provisioned",
        "Status": "available",
        "MultiAZ": false,
        "LatestRestorableTime": "2021-05-12T09:00:00.162Z",
        "DomainMemberships": [],
        "PreferredBackupWindow": "04:06-04:36",
        "DBSubnetGroup": "default-vpc-abcdabcd",
        "AllocatedStorage": 30,
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "tue:05:48-tue:06:18",
        "Engine": "aurora-mysql",
        "Endpoint": "cc-aurora-mysql-cluster.cluster-abcdabcdabcd.us-east-1.rds.amazonaws.com",
        "AssociatedRoles": [],
        "EarliestRestorableTime": "2021-05-12T09:03:00.657Z",
        "CrossAccountClone": false,
        "IAMDatabaseAuthenticationEnabled": false,
        "ClusterCreateTime": "2021-05-12T09:00:00.853Z",
        "EngineVersion": "5.7.mysql_aurora.2.07.2",
        "DeletionProtection": true,
        "DBClusterIdentifier": "cc-aurora-mysql-cluster",
        "DbClusterResourceId": "cluster-ABCDABCDABCDABCDABCDABCDAB",
        "DBClusterMembers": [
            {
                "IsClusterWriter": true,
                "DBClusterParameterGroupStatus": "in-sync",
                "PromotionTier": 1,
                "DBInstanceIdentifier": "cc-aurora-mysql-cluster-instance-1"
            }
        ],
        "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-mysql-cluster",
        "StorageEncrypted": false,
        "DatabaseName": "",
        "DBClusterParameterGroup": "default.aurora-mysql5.7",
        "AvailabilityZones": [
            "us-east-1c",
            "us-east-1d",
            "us-east-1a"
        ],
        "Port": 3306
    }
}
05 Repeat steps no. 1 – 4 for each MySQL, Aurora MySQL, and MariaDB database instance available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
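Steps 5 and 6 repeat the change across every instance, cluster and region. The following added example (not part of the original page) takes the resource lists returned by describe-db-instances and describe-db-clusters and builds the step 1 and step 3 commands only for resources that still lack a log type. The sample resources are constructed, and the commands are built without --apply-immediately so that choice stays with the operator.

```python
import json
import shlex

REQUIRED = ["audit", "error", "general", "slowquery"]  # log types enabled in steps 1 and 3

# (CLI subcommand, identifier flag, identifier key, engines it applies to)
INSTANCE = ("modify-db-instance", "--db-instance-identifier", "DBInstanceIdentifier", {"mysql", "mariadb"})
CLUSTER = ("modify-db-cluster", "--db-cluster-identifier", "DBClusterIdentifier", {"aurora-mysql"})

def missing_log_types(resource):
    """Required log types that are neither exported already nor queued as pending."""
    enabled = set(resource.get("EnabledCloudwatchLogsExports") or [])
    pending = (resource.get("PendingModifiedValues") or {}).get("PendingCloudwatchLogsExports") or {}
    covered = enabled | set(pending.get("LogTypesToEnable") or [])
    return [t for t in REQUIRED if t not in covered]

def remediation_commands(region, instances=(), clusters=()):
    """Build one AWS CLI command per resource in `region` that still lacks a log type."""
    commands = []
    for (subcommand, flag, key, engines), resources in ((INSTANCE, instances), (CLUSTER, clusters)):
        for res in resources:
            # Aurora members also appear in describe-db-instances; they are skipped
            # here because their engine is "aurora-mysql" and the cluster is modified instead.
            missing = missing_log_types(res) if res.get("Engine") in engines else []
            if not missing:
                continue
            config = json.dumps({"EnableLogTypes": missing}, separators=(",", ":"))
            commands.append(" ".join([
                "aws", "rds", subcommand, "--region", region, flag, shlex.quote(res[key]),
                "--cloudwatch-logs-export-configuration", shlex.quote(config)]))
    return commands

# Constructed sample data shaped like the "DBInstances" / "DBClusters" lists returned by
# describe-db-instances and describe-db-clusters (only the fields used here).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "cc-project5-mysql-database", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["error"]},
    {"DBInstanceIdentifier": "example-mariadb", "Engine": "mariadb",
     "PendingModifiedValues": {"PendingCloudwatchLogsExports": {"LogTypesToEnable": REQUIRED}}},
    {"DBInstanceIdentifier": "cc-aurora-mysql-cluster-instance-1", "Engine": "aurora-mysql"},
    {"DBInstanceIdentifier": "example-postgres", "Engine": "postgres"},
]
SAMPLE_CLUSTERS = [{"DBClusterIdentifier": "cc-aurora-mysql-cluster", "Engine": "aurora-mysql"}]

if __name__ == "__main__":
    for command in remediation_commands("us-east-1", SAMPLE_INSTANCES, SAMPLE_CLUSTERS):
        print(command)
```

Enabling the export only ships logs the engine actually writes: on RDS for MySQL and MariaDB the general and slow query logs are produced only when general_log and slow_query_log are turned on in the instance's parameter group with log_output set to FILE, and the audit log requires the MARIADB_AUDIT_PLUGIN option in the option group.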