Compliance Medium severity

AWS Security Hub · RDS

RDS.45: Aurora MySQL audit logging is off

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub RDS.45 check?

RDS.45 checks whether an Aurora MySQL DB cluster publishes its audit log to CloudWatch Logs. It reports FAILED unless both conditions hold: the Advanced Auditing plugin is enabled in the cluster's DB cluster parameter group, and audit appears in the cluster's EnabledCloudwatchLogsExports.

Why does RDS.45 matter?

Aurora MySQL's built-in Advanced Auditing records connections, queries, DDL and DCL, and table access (whichever event classes server_audit_events selects) with minimal overhead. Without it you have no record of who connected, what they ran, or which schema changed when: the slow-query and error logs tell you nothing about a SELECT against the customers table at 3am from an unrecognised role. A breach investigation against a cluster with no audit log is guesswork, and the audit frameworks and regulations you are likely measured against (SOC 2, HIPAA, PCI DSS) treat "no log" as equivalent to "no control."
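To make that 3am SELECT concrete, here is a triage script over Advanced Auditing output. It is an added example, not code from this page or from AWS: it parses lines in the field layout AWS documents for the audit log (timestamp in microseconds, serverhost, username, host, connectionid, queryid, operation, database, object, retcode) and flags queries that touch a sensitive table outside business hours or from an account that is not on an allow-list. The log lines, hosts, users, addresses, the customers/orders table names, the allow-list and the 22:00 to 06:00 UTC quiet window are all constructed or assumed for the example.

```python
"""Triage Aurora MySQL Advanced Auditing output for off-hours access to sensitive tables.

Field layout as documented by AWS for the audit log:
  timestamp (Unix time in microseconds), serverhost, username, host, connectionid,
  queryid, operation, database, object, retcode
The object field is single-quoted and may itself contain commas, so the parser
peels off the first eight fields and the trailing retcode instead of a plain CSV split.
Added example: the log lines, users, addresses and table names below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines (placeholder hosts, users and addresses). Note the
# commas inside queries and the escaped quote (\') inside the third line's object.
SAMPLE_AUDIT_LINES = r"""
1710239400120334,ip-10-0-1-23,orders_app,10.0.2.45,812,90341,QUERY,orders,'SELECT id, total FROM orders WHERE id = 4412',0
1710213247481902,ip-10-0-1-23,svc_reporting,10.0.9.201,901,90402,CONNECT,,'',0
1710213302117650,ip-10-0-1-23,svc_reporting,10.0.9.201,901,90403,QUERY,orders,'SELECT email, phone FROM customers WHERE region = \'EU\'',0
1710213390004411,ip-10-0-1-23,svc_reporting,10.0.9.201,901,90404,QUERY,orders,'SELECT COUNT(*) FROM customers',0
1710239500552090,ip-10-0-1-23,orders_app,10.0.2.45,812,90405,QUERY,orders,'UPDATE customers SET phone = ? WHERE id = 4412',0
1710213400800001,ip-10-0-1-23,dba_alice,10.0.0.7,950,90406,QUERY,orders,'ALTER TABLE customers ADD COLUMN notes TEXT',0
"""

SENSITIVE_TABLES = {"customers"}                  # assumed: tables worth a second look
EXPECTED_USERS = {"orders_app", "dba_alice"}      # assumed: accounts expected on this cluster
QUIET_START, QUIET_END = 22, 6                    # assumed off-hours window, UTC


@dataclass
class AuditEvent:
    ts: datetime
    serverhost: str
    username: str
    host: str
    connectionid: int
    queryid: int
    operation: str
    database: str
    obj: str
    retcode: int


def parse_audit_line(line: str) -> AuditEvent:
    """Parse one audit line; tolerates commas and escaped quotes inside the object field."""
    parts = line.split(",", 8)                 # the first eight fields never contain commas
    if len(parts) != 9:
        raise ValueError(f"malformed audit line: {line!r}")
    obj, retcode = parts[8].rsplit(",", 1)     # retcode is the last field; object may hold commas
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")    # strip the quoting the plugin adds
    ts_us = int(parts[0])
    ts = datetime.fromtimestamp(ts_us // 1_000_000, tz=timezone.utc).replace(microsecond=ts_us % 1_000_000)
    return AuditEvent(ts, parts[1], parts[2], parts[3], int(parts[4]), int(parts[5]),
                      parts[6], parts[7], obj, int(retcode))


def is_off_hours(ts: datetime, start: int = QUIET_START, end: int = QUIET_END) -> bool:
    """True when the hour falls inside a window that wraps midnight (start > end)."""
    return ts.hour >= start or ts.hour < end


def tables_referenced(sql: str, sensitive=SENSITIVE_TABLES):
    """Identifier-level match, not a SQL parser: enough to route a query to a human."""
    return set(re.findall(r"[a-z_][a-z0-9_]*", sql.lower())) & sensitive


def find_suspicious(lines, expected_users=EXPECTED_USERS):
    """Return queries that touch a sensitive table and are off-hours or from an unexpected user."""
    findings = []
    for raw in lines:
        ev = parse_audit_line(raw)
        if ev.operation != "QUERY":            # CONNECT and table-access events carry no statement
            continue
        hit = tables_referenced(ev.obj)
        if not hit:
            continue
        reasons = []
        if ev.username not in expected_users:
            reasons.append("unexpected user")
        if is_off_hours(ev.ts):
            reasons.append("off-hours")
        if reasons:
            findings.append({"when": ev.ts.isoformat(), "user": ev.username, "from": ev.host,
                             "tables": sorted(hit), "reasons": reasons, "query": ev.obj})
    return findings


def triage(text: str = SAMPLE_AUDIT_LINES):
    """Run the detection over a blob of audit lines (one line per event)."""
    return find_suspicious(text.strip().splitlines())


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On the sample, the two svc_reporting reads of customers at 03:15 are flagged for both reasons, and dba_alice's 03:16 ALTER is flagged as off-hours only; the orders_app traffic during the day passes. Against real data, feed it the audit log group's events from CloudWatch Logs rather than the embedded blob, and tighten the table matching to your own schema.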

How do I fix RDS.45?

  1. Enable the Advanced Auditing plugin in the cluster's DB cluster parameter group (server_audit_logging=1) and choose a deliberate server_audit_events filter, such as CONNECT,QUERY_DDL,QUERY_DCL rather than every statement, to keep ingestion low. The default parameter group cannot be edited, so the cluster must be attached to a custom one.
  2. Add audit to the cluster's CloudWatch Logs exports via modify-db-cluster --cloudwatch-logs-exports-configuration (a cluster-level setting, not modify-db-instance).
  3. Set a retention policy on the resulting log group, /aws/rds/cluster/<cluster-id>/audit, archiving older logs to S3/Glacier for the multi-year windows HIPAA and SOX require.
  4. Verify the audit log group exists and its newest streams show recent events. RDS creates the group only when the first events are exported, so a missing group immediately after the change may just mean nothing has been delivered yet; if it stays missing, re-check server_audit_logging and the event filter.

Remediation script · bash

# Placeholders: prod-orders-aurora (the flagged Aurora MySQL cluster) and
# prod-orders-aurora-params (the custom DB cluster parameter group it uses).

# 1. Enable Advanced Auditing with a deliberate event filter. JSON form avoids
#    the CLI shorthand parser splitting the comma-separated event list.
aws rds modify-db-cluster-parameter-group \
  --db-cluster-parameter-group-name prod-orders-aurora-params \
  --parameters '[
    {"ParameterName":"server_audit_logging","ParameterValue":"1","ApplyMethod":"immediate"},
    {"ParameterName":"server_audit_events","ParameterValue":"CONNECT,QUERY_DDL,QUERY_DCL","ApplyMethod":"immediate"}
  ]'

# 2. Add audit to the cluster's CloudWatch Logs exports (cluster-level, not instance-level).
aws rds modify-db-cluster \
  --db-cluster-identifier prod-orders-aurora \
  --cloudwatch-logs-exports-configuration '{"EnableLogTypes":["audit"]}' \
  --apply-immediately

# 3. Cap retention on the log group RDS creates for the export. It appears once the
#    first events are delivered, so retry if this returns ResourceNotFoundException.
aws logs put-retention-policy \
  --log-group-name /aws/rds/cluster/prod-orders-aurora/audit \
  --retention-in-days 90

# 4. Verify: "audit" should be listed, and the newest stream should be recent.
aws rds describe-db-clusters --db-cluster-identifier prod-orders-aurora \
  --query 'DBClusters[0].EnabledCloudwatchLogsExports'
aws logs describe-log-streams --log-group-name /aws/rds/cluster/prod-orders-aurora/audit \
  --order-by LastEventTime --descending --max-items 3

Full walkthrough (console steps, edge cases and verification) in the lesson Enable database audit and log exports.

Is RDS.45 a false positive?

Enabling the plugin alone does not clear RDS.45 — the control also requires audit to be in the cluster's CloudWatch Logs exports. The plugin and the export are two separate settings, and both must be in place.
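To check both settings (and whether anything is actually arriving) without waiting for Security Hub to re-evaluate, here is an added example, not code from this page or from AWS, that applies the two-setting rule above to the response shapes of describe-db-clusters, describe-db-cluster-parameters and describe-log-streams. The sample responses are constructed; in practice you would pass in the output of boto3's rds.describe_db_clusters, rds.describe_db_cluster_parameters and logs.describe_log_streams, catching ResourceNotFoundException from the last one and passing an empty list to mean "no streams yet". The 15-minute freshness threshold and the SKIPPED status for engines the control does not cover are this helper's own conventions, not Security Hub's.

```python
"""Pre-flight for RDS.45: both settings must hold, then confirm audit data is flowing.

Inputs mirror the AWS API shapes (added example; the sample data below is constructed):
  cluster     - one entry of describe-db-clusters DBClusters[]
  parameters  - describe-db-cluster-parameters Parameters[] for the cluster's group
  log_streams - describe-log-streams logStreams[] for /aws/rds/cluster/<id>/audit
                (pass [] when the log group does not exist yet)
"""
from datetime import datetime, timedelta, timezone


def param_value(parameters, name):
    """Return the effective string value of a cluster parameter ('' if unset)."""
    for p in parameters:
        if p.get("ParameterName") == name:
            return (p.get("ParameterValue") or "").strip()
    return ""


def evaluate_rds45(cluster, parameters, log_streams, now, max_lag=timedelta(minutes=15)):
    """Return (status, notes). FAILED/PASSED follow the control's two-setting rule;
    SKIPPED is this helper's own value for engines the control does not cover."""
    if cluster.get("Engine") != "aurora-mysql":
        return "SKIPPED", ["not an Aurora MySQL cluster"]
    group = cluster.get("DBClusterParameterGroup", "<unknown group>")
    problems, notes = [], []

    # Setting 1: the Advanced Auditing plugin in the cluster parameter group.
    logging_on = param_value(parameters, "server_audit_logging").upper() in {"1", "ON"}
    if not logging_on:
        problems.append(f"server_audit_logging is not 1 in {group}")
    elif not param_value(parameters, "server_audit_events"):
        notes.append(f"server_audit_events is empty in {group}: no deliberate event filter")

    # Setting 2: audit in the cluster's CloudWatch Logs exports.
    if "audit" not in cluster.get("EnabledCloudwatchLogsExports", []):
        problems.append("audit is not in EnabledCloudwatchLogsExports")
    if problems:
        return "FAILED", problems + notes

    # Both present: is the export actually delivering? lastEventTimestamp is ms since epoch.
    newest_ms = max((s.get("lastEventTimestamp", 0) for s in log_streams), default=0)
    if newest_ms == 0:
        notes.append("no audit log streams yet: export enabled but nothing delivered")
    else:
        age = now - datetime.fromtimestamp(newest_ms / 1000, tz=timezone.utc)
        if age > max_lag:
            notes.append(f"newest audit event is {age} old (threshold {max_lag})")
    return "PASSED", notes


# Constructed sample inputs (cluster name, group name and times are placeholders).
NOW = datetime(2024, 3, 12, 10, 45, tzinfo=timezone.utc)
CLUSTER_COMPLIANT = {
    "DBClusterIdentifier": "prod-orders-aurora", "Engine": "aurora-mysql",
    "DBClusterParameterGroup": "prod-orders-aurora-params",
    "EnabledCloudwatchLogsExports": ["audit", "error"],
}
CLUSTER_PLUGIN_ONLY = {**CLUSTER_COMPLIANT, "EnabledCloudwatchLogsExports": ["error"]}
PARAMS_ON = [
    {"ParameterName": "server_audit_logging", "ParameterValue": "1", "Source": "user"},
    {"ParameterName": "server_audit_events", "ParameterValue": "CONNECT,QUERY_DDL,QUERY_DCL", "Source": "user"},
]
PARAMS_OFF = [{"ParameterName": "server_audit_logging", "ParameterValue": "0", "Source": "engine-default"}]
# describe-log-streams reports lastEventTimestamp in milliseconds since the epoch.
STREAMS_FRESH = [{"logStreamName": "prod-orders-aurora-instance-1", "lastEventTimestamp": 1710240180000}]  # 10:43Z
STREAMS_STALE = [{"logStreamName": "prod-orders-aurora-instance-1", "lastEventTimestamp": 1710229500000}]  # 07:45Z


def demo():
    """Run the situations the page describes and return their results by name."""
    return {
        "plugin only, no export": evaluate_rds45(CLUSTER_PLUGIN_ONLY, PARAMS_ON, [], NOW),
        "export only, plugin off": evaluate_rds45(CLUSTER_COMPLIANT, PARAMS_OFF, STREAMS_FRESH, NOW),
        "both, fresh data": evaluate_rds45(CLUSTER_COMPLIANT, PARAMS_ON, STREAMS_FRESH, NOW),
        "both, stale data": evaluate_rds45(CLUSTER_COMPLIANT, PARAMS_ON, STREAMS_STALE, NOW),
    }


if __name__ == "__main__":
    for name, (status, notes) in demo().items():
        print(f"{name}: {status}", *notes, sep="\n  ")
```

The first two scenarios come back FAILED, one for the missing export and one for the disabled plugin, which is the false-positive trap described above: either setting on its own looks like progress in the console but does not satisfy the control. The stale-data case still PASSES, since the control only looks at configuration, but the note is the cue to check that the writer instance is actually emitting events.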

Part of the learning path Tighten your databases
  • RDS.1 An RDS snapshot is shared publicly
  • RDS.2 An RDS instance is publicly accessible from the internet
  • RDS.3 RDS DB instances should be encrypted at rest
  • RDS.4 RDS snapshots should be encrypted at rest
  • RDS.5 RDS DB instances should use multiple AZs
  • RDS.6 RDS lacks enhanced monitoring
  • RDS.7 RDS clusters should have deletion protection
  • RDS.8 RDS DB instances should have deletion protection
  • RDS.9 RDS engine logs are not shipped to CloudWatch
  • RDS.10 RDS relies on long-lived database passwords
  • RDS.11 RDS instances should have automatic backups
  • RDS.12 IAM auth should be configured for RDS clusters