AWS Security Hub · RDS
RDS.34: Aurora MySQL clusters should export audit logs to CW
Written and reviewed by Emnode
What does AWS Security Hub RDS.34 check?
RDS.34 checks whether an Aurora MySQL DB cluster publishes its audit logs to CloudWatch Logs. It reports FAILED when audit is not in the cluster's CloudWatch Logs exports. It does not generate findings for Aurora Serverless v1 clusters.
Why does RDS.34 matter?
RDS.34 is not about whether auditing is switched on — it is about whether the resulting logs are shipped somewhere durable. A cluster can be diligently writing audit records (who logged in, what queries ran, what schema changed) and still fail, because by default that trail lives only on the database host where it rotates, ages out, and disappears the moment the instance is replaced or recovered. Logs that only exist locally are logs you effectively do not have when you need them most. It maps to logging and accountability requirements in NIST 800-53 and PCI DSS 4.0.1.
How do I fix RDS.34?
- Ensure the audit log is being generated (the Advanced Auditing plugin enabled in the cluster parameter group).
- Add audit to the cluster's CloudWatch Logs exports with modify-db-cluster --cloudwatch-logs-exports-configuration.
- Set a retention policy on the resulting log group and build metric filters/alarms on the audit stream.
- Standardise this across Aurora MySQL clusters in IaC.
Remediation script · bash
# Move the highest-impact databases onto IAM authentication first (free, no reboot).
for db in $(aws rds describe-db-instances \
--query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false`].DBInstanceIdentifier' \
--output text); do
aws rds modify-db-instance --db-instance-identifier "$db" \
--enable-iam-database-authentication --apply-immediately
echo "$db: IAM database authentication enabled"
done
# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
--query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
--output table
# Recreate one of those with a non-default master username set explicitly at creation.
aws rds restore-db-cluster-from-snapshot \
--db-cluster-identifier prod-orders-db-v2 \
--snapshot-identifier prod-orders-db-pre-rename \
--engine aurora-postgresql
Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.
Is RDS.34 a false positive?
Having auditing enabled is not enough — RDS.34 only passes when audit appears in the cluster's EnabledCloudwatchLogsExports. Generating the trail and exporting it are two distinct settings.
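The distinction above (audit generated vs. audit exported) and the fix steps listed under "How do I fix RDS.34?" can be checked offline against data shaped like the describe-db-clusters and describe-db-cluster-parameters responses. The following is an added example written for this page, not Security Hub's or AWS's own code: it mirrors the control logic the page states (FAILED unless audit is in EnabledCloudwatchLogsExports, Aurora Serverless v1 skipped), separately reports whether the Advanced Auditing parameter server_audit_logging is switched on, and builds the modify-db-cluster arguments that add the audit export without disturbing exports already enabled. The cluster records and parameter list are constructed sample data; the function names are this example's own.

```python
"""Offline RDS.34 evaluation and remediation planning (added example, not AWS code)."""
import json
import shlex

# Constructed sample data shaped like `aws rds describe-db-clusters` output.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql",
     "EngineMode": "provisioned", "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
    {"DBClusterIdentifier": "billing-prod", "Engine": "aurora-mysql",
     "EngineMode": "provisioned", "EnabledCloudwatchLogsExports": ["audit", "error"]},
    {"DBClusterIdentifier": "reports-sv1", "Engine": "aurora-mysql",
     "EngineMode": "serverless", "EnabledCloudwatchLogsExports": []},
    {"DBClusterIdentifier": "legacy-pg", "Engine": "aurora-postgresql",
     "EngineMode": "provisioned", "EnabledCloudwatchLogsExports": ["postgresql"]},
]

# Constructed sample shaped like `aws rds describe-db-cluster-parameters` output:
# auditing is generated on the host, but orders-prod above does not export it.
SAMPLE_PARAMETERS = [
    {"ParameterName": "server_audit_logging", "ParameterValue": "1"},
    {"ParameterName": "server_audit_events", "ParameterValue": "CONNECT,QUERY_DDL,QUERY_DCL"},
]


def evaluate_rds34(cluster):
    """Return PASSED, FAILED or NOT_APPLICABLE using the control logic stated on the page."""
    if cluster.get("Engine") != "aurora-mysql":
        return "NOT_APPLICABLE"
    # Aurora Serverless v1 clusters report EngineMode "serverless"; the control skips them.
    if cluster.get("EngineMode") == "serverless":
        return "NOT_APPLICABLE"
    exports = cluster.get("EnabledCloudwatchLogsExports") or []
    return "PASSED" if "audit" in exports else "FAILED"


def audit_is_generated(parameters):
    """True when the Advanced Auditing plugin is enabled in the cluster parameter group."""
    for p in parameters:
        if p.get("ParameterName") == "server_audit_logging":
            return str(p.get("ParameterValue", "0")).strip() in ("1", "ON", "on")
    return False


def audit_status(cluster, parameters):
    """Report the two independent settings side by side: generated vs. exported."""
    return {
        "generated": audit_is_generated(parameters),
        "exported": "audit" in (cluster.get("EnabledCloudwatchLogsExports") or []),
        "rds34": evaluate_rds34(cluster),
    }


def exports_configuration():
    """Value for --cloudwatch-logs-exports-configuration: EnableLogTypes only adds
    'audit', so exports already enabled (error, slowquery, ...) are left in place."""
    return {"EnableLogTypes": ["audit"]}


def remediation_command(cluster):
    """Build the modify-db-cluster call that brings a FAILED cluster into compliance."""
    cfg = json.dumps(exports_configuration())
    return (
        "aws rds modify-db-cluster --db-cluster-identifier "
        f"{shlex.quote(cluster['DBClusterIdentifier'])} "
        f"--cloudwatch-logs-exports-configuration {shlex.quote(cfg)} --apply-immediately"
    )


def failing_clusters(clusters):
    """Identifiers of clusters that RDS.34 would flag."""
    return [c["DBClusterIdentifier"] for c in clusters if evaluate_rds34(c) == "FAILED"]


if __name__ == "__main__":
    for c in SAMPLE_CLUSTERS:
        print(c["DBClusterIdentifier"], audit_status(c, SAMPLE_PARAMETERS))
    for c in SAMPLE_CLUSTERS:
        if evaluate_rds34(c) == "FAILED":
            print(remediation_command(c))
```

Running it shows orders-prod with generated=True, exported=False and rds34=FAILED, which is exactly the situation the false-positive question describes: the trail exists on the host but never reaches CloudWatch Logs, so the finding is correct. Feed real describe-db-clusters JSON into the same functions to plan the batch remediation across an account.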
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters