AWS Security Hub · RDS
RDS.40: RDS SQL Server should export logs to CW
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.40 check?
RDS.40 checks whether an RDS for SQL Server instance publishes its logs to CloudWatch Logs. It reports FAILED when the instance is not exporting the log types in the parameter list — by default agent and error.
Why does RDS.40 matter?
RDS for SQL Server writes two operationally important streams: the error log (startup, shutdown, restarts, failed logins, corruption warnings) and the Agent log (success and failure of scheduled jobs, backups, and maintenance). By default these live on the database host, accessible only via the console or download-db-log-file-portion, and they roll over and disappear as the instance ages or fails over — exactly when an auditor or incident responder needs them most. It maps to NIST AU-2, AU-3, AU-6, and AU-12.
How do I fix RDS.40?
- Enable the export with modify-db-instance --cloudwatch-logs-export-configuration 'EnableLogTypes=["agent","error"]'.
- Set a retention policy on the resulting log groups.
- Build metric filters and alarms on patterns like repeated restarts or a string of failed agent jobs.
- Standardise the export across SQL Server instances in IaC.
Remediation script · bash
# Verify the prerequisite first: API Gateway's account-level CloudWatch role.
# Without it, the logging setting saves but no logs ever flow.
aws apigateway get-account --query 'cloudwatchRoleArn' --output text

# Enable ERROR-level execution logging on every stage of a REST API.
REST_API=a1b2c3d4e5   # placeholder REST API id
for STAGE in $(aws apigateway get-stages --rest-api-id "$REST_API" \
    --query 'item[].stageName' --output text); do
  aws apigateway update-stage --rest-api-id "$REST_API" --stage-name "$STAGE" \
    --patch-operations op=replace,path=/*/*/logging/loglevel,value=ERROR
done

# Cap retention on the log group so storage stays bounded (do this every time you enable logging).
aws logs put-retention-policy \
  --log-group-name "API-Gateway-Execution-Logs_${REST_API}/prod" \
  --retention-in-days 90

# Example for a managed database: publish engine logs to CloudWatch (no per-event charge).
# Log types are engine-specific; for RDS for SQL Server the exportable types are agent and error.
aws rds modify-db-instance --db-instance-identifier prod-db \
  --cloudwatch-logs-export-configuration 'EnableLogTypes=["error","audit"]' --apply-immediately

Full walkthrough (console steps, edge cases and verification) in the lesson Enable application and API logging.
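An added Python example (not Emnode's code) that applies the RDS.40 check and the first two fix steps above offline: it evaluates describe_db_instances-shaped records against the control's default log types, then builds the boto3 modify_db_instance and put_retention_policy arguments for each FAILED instance. The sample instances are constructed, and the /aws/rds/instance/<id>/<log type> group names assume RDS's standard naming.

```python
"""Offline RDS.40 evaluator: reads describe_db_instances-shaped records and builds the
boto3 calls that fix a FAILED instance. Pure functions; feed them real DBInstances to use."""

# Default of the control's log-type parameter (see "What does RDS.40 check?").
REQUIRED_LOG_TYPES = ("agent", "error")
# Engine names RDS uses for the SQL Server editions; other engines are out of scope.
SQL_SERVER_ENGINES = {"sqlserver-ee", "sqlserver-se", "sqlserver-ex", "sqlserver-web"}


def evaluate_rds40(instance, required=REQUIRED_LOG_TYPES):
    """Return a finding dict for a SQL Server instance, or None if not in scope."""
    if instance.get("Engine") not in SQL_SERVER_ENGINES:
        return None
    enabled = set(instance.get("EnabledCloudwatchLogsExports", []))
    missing = [t for t in required if t not in enabled]
    return {"DBInstanceIdentifier": instance["DBInstanceIdentifier"],
            "status": "FAILED" if missing else "PASSED", "missing": missing}


def remediation_params(finding):
    """kwargs for rds.modify_db_instance(): enable only the missing types, leaving existing exports alone."""
    if finding["status"] == "PASSED":
        return None
    return {"DBInstanceIdentifier": finding["DBInstanceIdentifier"],
            "CloudwatchLogsExportConfiguration": {"EnableLogTypes": finding["missing"]},
            "ApplyImmediately": True}


def retention_params(finding, days=90):
    """kwargs for logs.put_retention_policy() per group; assumes RDS's /aws/rds/instance/<id>/<type> naming."""
    return [{"logGroupName": f"/aws/rds/instance/{finding['DBInstanceIdentifier']}/{t}",
             "retentionInDays": days} for t in REQUIRED_LOG_TYPES]


# Constructed sample in the shape of describe_db_instances output (not real instances).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "sqlsrv-prod", "Engine": "sqlserver-se",
     "EnabledCloudwatchLogsExports": ["error"]},
    {"DBInstanceIdentifier": "sqlsrv-reporting", "Engine": "sqlserver-ex",
     "EnabledCloudwatchLogsExports": ["agent", "error"]},
    {"DBInstanceIdentifier": "mysql-app", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["audit"]},
]


def audit(instances=SAMPLE_INSTANCES):
    """Findings for every in-scope instance; engines the control ignores are skipped."""
    return [f for f in map(evaluate_rds40, instances) if f is not None]
```

In a real account, replace SAMPLE_INSTANCES with rds.describe_db_instances()["DBInstances"] and pass the returned dicts to rds.modify_db_instance(**...) and logs.put_retention_policy(**...).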
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.9 RDS engine logs are not shipped to CloudWatch
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters