RDS.9: RDS engine logs are not shipped to CloudWatch
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub RDS.9 check?
RDS.9 checks whether an RDS DB instance publishes its engine logs to CloudWatch Logs. It reports FAILED when EnabledCloudwatchLogsExports is empty — nothing is being shipped off the instance for that engine.
Why does RDS.9 matter?
By default RDS engine logs (PostgreSQL's postgresql.log, MySQL's error and slow logs, Oracle's alert log, SQL Server's error log) live only on the instance's local disk and are rotated away on a size or time schedule. That rotation usually happens before anyone gets around to investigating an incident, and the logs are lost entirely when the instance is replaced by a failover, scale-up, or blue/green cutover. Without central export you cannot retain, query, or alert on them, and most compliance frameworks (SOC 2, HIPAA, PCI DSS) require centralised database log retention.
How do I fix RDS.9?
- Pick the log types worth exporting per engine — error and slowquery for MySQL, the postgresql stream for PostgreSQL; avoid the high-volume general log in production.
- Run modify-db-instance --cloudwatch-logs-exports-configuration to enable them, tuning verbosity in the parameter group in the same change.
- Immediately call put-retention-policy on each new log group — the default is Never Expire, which compounds the bill forever.
- Add the AWS Config rule rds-logging-enabled so new instances are caught automatically.
Remediation script · bash
# Enable CloudWatch log export on a flagged RDS instance, then cap retention.
aws rds modify-db-instance \
  --db-instance-identifier prod-orders-pg \
  --cloudwatch-logs-exports-configuration 'EnableLogTypes=["postgresql","upgrade"]' \
  --apply-immediately
# modify-db-instance returns while the instance is still "modifying"; RDS creates the
# /aws/rds/instance/<id>/<log-type> groups once the export is active, and
# put-retention-policy fails with ResourceNotFoundException on a group that does
# not exist yet, so wait for the instance to return to available first.
aws rds wait db-instance-available --db-instance-identifier prod-orders-pg
# Cap retention on every exported log type, not just the first one; any group left
# out here stays at Never Expire.
for log_type in postgresql upgrade; do
  aws logs put-retention-policy \
    --log-group-name "/aws/rds/instance/prod-orders-pg/${log_type}" \
    --retention-in-days 90
done
# Enable audit logging on a Redshift cluster to a policy-attached S3 bucket.
aws redshift enable-logging \
  --cluster-identifier analytics-prod \
  --bucket-name redshift-audit-logs-acct123 \
  --s3-key-prefix analytics-prod/
Full walkthrough (console steps, edge cases and verification) in the lesson Enable database audit and log exports.
Is RDS.9 a false positive?
Enabling an export but skipping put-retention-policy clears the finding while leaving a Never Expire log group — technically passing RDS.9 but not satisfying the retention intent auditors actually care about.
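The RDS.9 predicate described above, together with the retention gap this section warns about, as an added example that is not part of the original page or of Emnode's tooling. It runs offline over constructed samples shaped like the relevant fields of describe-db-instances and describe-log-groups output (the instance identifiers and values are made up), and it treats a log group with no retentionInDays key as Never Expire, which is how the CloudWatch Logs API represents that setting. To run it against a real account, replace the two sample lists with paginated boto3 calls to those same APIs.

```python
# Offline evaluation of Security Hub RDS.9 plus the "exported but Never Expire"
# gap. Sample data below is constructed for the example, not real account data.

# Shaped like `aws rds describe-db-instances` (only the fields the check needs).
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders-pg", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
    {"DBInstanceIdentifier": "prod-billing-mysql", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": []},
    {"DBInstanceIdentifier": "staging-reports-mysql", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
]

# Shaped like `aws logs describe-log-groups`. A group without a
# "retentionInDays" key is set to Never Expire.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/rds/instance/prod-orders-pg/postgresql",
     "retentionInDays": 90},
    {"logGroupName": "/aws/rds/instance/prod-orders-pg/upgrade"},
    {"logGroupName": "/aws/rds/instance/staging-reports-mysql/error",
     "retentionInDays": 30},
    {"logGroupName": "/aws/rds/instance/staging-reports-mysql/slowquery"},
]


def rds9_status(instance):
    """Mirror the control: FAILED when EnabledCloudwatchLogsExports is empty
    (or absent), PASSED when at least one log type is exported."""
    return "PASSED" if instance.get("EnabledCloudwatchLogsExports") else "FAILED"


def log_group_name(instance_id, log_type):
    """RDS publishes DB instance logs to /aws/rds/instance/<id>/<log-type>."""
    return f"/aws/rds/instance/{instance_id}/{log_type}"


def retention_gaps(instance, log_groups):
    """For each exported log type, report the cases RDS.9 itself does not catch:
    the group has not been created yet, or it exists with no retention policy."""
    by_name = {g["logGroupName"]: g for g in log_groups}
    gaps = []
    for log_type in instance.get("EnabledCloudwatchLogsExports", []):
        group = by_name.get(log_group_name(instance["DBInstanceIdentifier"], log_type))
        if group is None:
            gaps.append((log_type, "log group not created yet"))
        elif "retentionInDays" not in group:
            gaps.append((log_type, "retention is Never Expire"))
    return gaps


def evaluate(instances, log_groups):
    """Return {instance_id: {"rds9": status, "retention_gaps": [...]}} so a
    PASSED instance with an unbounded log group is still surfaced."""
    report = {}
    for inst in instances:
        status = rds9_status(inst)
        gaps = retention_gaps(inst, log_groups) if status == "PASSED" else []
        report[inst["DBInstanceIdentifier"]] = {"rds9": status, "retention_gaps": gaps}
    return report


if __name__ == "__main__":
    for ident, result in evaluate(SAMPLE_DB_INSTANCES, SAMPLE_LOG_GROUPS).items():
        print(f"{ident}: RDS.9 {result['rds9']}")
        for log_type, reason in result["retention_gaps"]:
            print(f"  {log_type}: {reason}")
```

In the sample data prod-billing-mysql is the only instance that fails RDS.9, while prod-orders-pg and staging-reports-mysql both pass the control yet each carry one log group left at Never Expire; that second column is the one to wire into a ticket or alert, since Security Hub alone will not raise it.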
More RDS controls
- RDS.1 An RDS snapshot is shared publicly
- RDS.2 An RDS instance is publicly accessible from the internet
- RDS.3 RDS DB instances should be encrypted at rest
- RDS.4 RDS snapshots should be encrypted at rest
- RDS.5 RDS DB instances should use multiple AZs
- RDS.6 RDS lacks enhanced monitoring
- RDS.7 RDS clusters should have deletion protection
- RDS.8 RDS DB instances should have deletion protection
- RDS.10 RDS relies on long-lived database passwords
- RDS.11 RDS instances should have automatic backups
- RDS.12 IAM auth should be configured for RDS clusters
- RDS.13 RDS is not receiving automatic minor security patches