Compliance Medium severity

AWS Security Hub · RDS

RDS.37: Aurora PostgreSQL clusters should export logs to CW

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub RDS.37 check?

RDS.37 checks whether an Aurora PostgreSQL DB cluster (AWS::RDS::DBCluster) publishes the postgresql log type to CloudWatch Logs. It reports FAILED when those logs are not being exported.

Why does RDS.37 matter?

Aurora PostgreSQL's log stream (connection and authentication errors, FATAL events, and whatever log_statement and log_min_duration_statement capture, including slow queries) lives on the DB instance by default and is deleted after a few days, as set by rds.log_retention_period. It is not centralised, not searchable across clusters, not durably retained and not available to CloudWatch alarms; and because each instance keeps its own files, a failover hands the writer role to an instance whose log history is separate from the old writer's. The gap stays invisible until an incident or audit asks for last month's logs and the answer is "we don't have them". The control maps to PCI DSS 4.0.1 requirement 10.4.2.

How do I fix RDS.37?

  1. Enable the export with aws rds modify-db-cluster --db-cluster-identifier <cluster> --cloudwatch-logs-exports-configuration 'EnableLogTypes=["postgresql"]'.
  2. Tune log_min_duration_statement in the cluster parameter group so verbosity is useful but not wasteful.
  3. Set a retention policy on the resulting log group (/aws/rds/cluster/<cluster>/postgresql) to cap cost; create the group before enabling the export if you want retention in place from the first line written.
  4. Standardise the export across Aurora PostgreSQL clusters in IaC so new clusters never start out non-compliant.

Remediation script · bash

# Find every Aurora PostgreSQL cluster that is not publishing the postgresql log type.
# to_array() guards against EnabledCloudwatchLogsExports being absent on a cluster.
for cluster in $(aws rds describe-db-clusters \
    --query "DBClusters[?Engine=='aurora-postgresql' && !contains(to_array(EnabledCloudwatchLogsExports), 'postgresql')].DBClusterIdentifier" \
    --output text); do
  group="/aws/rds/cluster/${cluster}/postgresql"
  # Create the log group first so retention is capped before RDS starts writing to it.
  aws logs create-log-group --log-group-name "$group" 2>/dev/null || true
  aws logs put-retention-policy --log-group-name "$group" --retention-in-days 90
  aws rds modify-db-cluster --db-cluster-identifier "$cluster" \
    --cloudwatch-logs-exports-configuration 'EnableLogTypes=["postgresql"]'
  echo "$cluster: postgresql logs now exported to $group"
done

# Verify: every Aurora PostgreSQL cluster should now list "postgresql" in its exports.
aws rds describe-db-clusters \
  --query "DBClusters[?Engine=='aurora-postgresql'].[DBClusterIdentifier,EnabledCloudwatchLogsExports]" \
  --output table
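The check itself is small enough to reproduce in a custom scanner or a unit test. The following is an added example, not Emnode's or AWS's code: it evaluates RDS.37 over the record shape that aws rds describe-db-clusters (or boto3 describe_db_clusters) returns, emits the remediation commands from the steps above for each failing cluster, and flags RDS cluster log groups with no retention policy (the cost caveat from step 3). All cluster and log-group records are constructed for illustration, and the /aws/rds/cluster/<cluster>/postgresql log group name is assumed from RDS's naming convention.

```python
"""Reproduce the RDS.37 check and its remediation plan from describe-db-clusters output.

Added example, not Emnode's or AWS's code. It works on the record shape that
`aws rds describe-db-clusters` (or boto3 describe_db_clusters) returns, so the
same functions can be pointed at a real account by swapping SAMPLE_* for API
output. Every record below is constructed for illustration.
"""
from __future__ import annotations

ENGINE = "aurora-postgresql"
REQUIRED_LOG_TYPE = "postgresql"
# Assumed from RDS's naming convention for cluster-level log groups.
LOG_GROUP_FMT = "/aws/rds/cluster/{cluster}/{log_type}"

# Constructed sample: one compliant cluster, two failing ones (one with an
# empty export list, one where the key is missing entirely) and one
# aurora-mysql cluster the control does not apply to.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "prod-orders-db", "Engine": ENGINE,
     "EnabledCloudwatchLogsExports": ["postgresql"]},
    {"DBClusterIdentifier": "prod-billing-db", "Engine": ENGINE,
     "EnabledCloudwatchLogsExports": []},
    {"DBClusterIdentifier": "staging-orders-db", "Engine": ENGINE},
    {"DBClusterIdentifier": "legacy-shop-db", "Engine": "aurora-mysql",
     "EnabledCloudwatchLogsExports": ["audit"]},
]

# Constructed sample of `aws logs describe-log-groups` output: the orders group
# has retention set, the billing group was auto-created by RDS and retains forever.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/rds/cluster/prod-orders-db/postgresql", "retentionInDays": 90},
    {"logGroupName": "/aws/rds/cluster/prod-billing-db/postgresql"},
    {"logGroupName": "/aws/lambda/unrelated", "retentionInDays": 14},
]


def evaluate_rds37(cluster: dict) -> str:
    """Return PASSED, FAILED or NOT_APPLICABLE for one DBCluster record."""
    if cluster.get("Engine") != ENGINE:
        return "NOT_APPLICABLE"  # the control only covers Aurora PostgreSQL
    # The key can be absent, None or [] on clusters with no exports; treat all as none.
    exports = cluster.get("EnabledCloudwatchLogsExports") or []
    return "PASSED" if REQUIRED_LOG_TYPE in exports else "FAILED"


def failing_clusters(clusters: list[dict]) -> list[str]:
    """Identifiers of every cluster the control would report as FAILED."""
    return [c["DBClusterIdentifier"] for c in clusters if evaluate_rds37(c) == "FAILED"]


def log_group_name(cluster_id: str) -> str:
    """Log group the postgresql export of this cluster lands in (assumed naming)."""
    return LOG_GROUP_FMT.format(cluster=cluster_id, log_type=REQUIRED_LOG_TYPE)


def remediation_commands(cluster_id: str, retention_days: int = 90) -> list[str]:
    """AWS CLI commands, in order, that bring one failing cluster into compliance.

    The log group is created and given a retention policy before the export is
    enabled, so nothing is ever written into an unbounded-retention group.
    """
    group = log_group_name(cluster_id)
    return [
        f"aws logs create-log-group --log-group-name {group}",
        f"aws logs put-retention-policy --log-group-name {group} "
        f"--retention-in-days {retention_days}",
        f"aws rds modify-db-cluster --db-cluster-identifier {cluster_id} "
        f"--cloudwatch-logs-exports-configuration 'EnableLogTypes=[\"{REQUIRED_LOG_TYPE}\"]'",
    ]


def unbounded_rds_log_groups(log_groups: list[dict]) -> list[str]:
    """Cost caveat from step 3: RDS cluster log groups with no retention policy."""
    return [g["logGroupName"] for g in log_groups
            if g["logGroupName"].startswith("/aws/rds/cluster/")
            and "retentionInDays" not in g]


if __name__ == "__main__":
    for c in SAMPLE_CLUSTERS:
        print(f"{c['DBClusterIdentifier']:<20} {evaluate_rds37(c)}")
    for cid in failing_clusters(SAMPLE_CLUSTERS):
        print(f"\n# remediation for {cid}")
        print("\n".join(remediation_commands(cid)))
    print("\nlog groups retained forever:", unbounded_rds_log_groups(SAMPLE_LOG_GROUPS))
```

Treating a missing EnabledCloudwatchLogsExports key the same as an empty list matters: a scanner that indexes the key directly will crash on exactly the clusters that have never had an export configured, which are the ones the control exists to find.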

Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.

Part of the learning path Tighten your databases
  • RDS.1 An RDS snapshot is shared publicly
  • RDS.2 An RDS instance is publicly accessible from the internet
  • RDS.3 RDS DB instances should be encrypted at rest
  • RDS.4 RDS snapshots should be encrypted at rest
  • RDS.5 RDS DB instances should use multiple AZs
  • RDS.6 RDS lacks enhanced monitoring
  • RDS.7 RDS clusters should have deletion protection
  • RDS.8 RDS DB instances should have deletion protection
  • RDS.9 RDS engine logs are not shipped to CloudWatch
  • RDS.10 RDS relies on long-lived database passwords
  • RDS.11 RDS instances should have automatic backups
  • RDS.12 IAM auth should be configured for RDS clusters