Compliance

Enable database audit and log exports

One capability across RDS, Aurora, Redshift and OpenSearch: make every managed data store ship its audit and engine logs off the instance to CloudWatch or S3, so you keep a durable record of who connected and what ran.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: Opensearch.4 Opensearch.5 RDS.9 RDS.45 Redshift.4

Database logging: the basics

What does "logging enabled" actually mean across managed data stores?

Every managed AWS data store writes logs, but by default most of them keep those logs on the instance where they are useless to you: they rotate away, they die when the instance is replaced, and they cannot be queried, retained, or alerted on. This capability is about pushing those logs off the instance to a durable destination. Amazon RDS exports its engine logs (PostgreSQL's postgresql.log, MySQL's error and slow logs, Oracle's alert log, SQL Server's error log) to CloudWatch Logs. Aurora MySQL ships its built-in Advanced Auditing stream. Amazon Redshift publishes connection, user, and user-activity logs to S3 or CloudWatch. Amazon OpenSearch Service publishes error and audit logs to CloudWatch.

AWS Security Hub turns each of these into its own control, which is why a single estate can fail several database-logging checks at once. RDS.9 fails any RDS instance whose EnabledCloudwatchLogsExports is empty; RDS.45 fails any Aurora MySQL cluster not shipping the audit log; Redshift.4 fails any Redshift cluster without audit logging; Opensearch.4 fails domains not publishing error logs and Opensearch.5 fails domains not publishing audit logs. They look like separate problems on the report, but they are one capability: make sure each data store keeps a durable, off-instance record of what happened to it.

The good news is that the database side of this is almost always free or near-free. Enabling an audit plugin or a log export adds negligible overhead to the engine itself; the only real cost is downstream storage in CloudWatch Logs or S3, which is a few dollars a month for most stores and is controllable with a retention policy and event-type filtering. The job is to find every data store that is not shipping logs, decide which log types each one actually needs, turn the exports on, and cap retention so the bill stays proportionate.

In this lesson you will learn how RDS, Aurora, Redshift and OpenSearch each express logging, how to find every data store that is not shipping its logs off the instance, and how to turn the exports on without breaking anything or blowing up the CloudWatch bill. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The logs that died with the instance

RDS engine logs live on the instance's local disk by default and rotate away on a size or time schedule. A 2022 post-mortem from a fintech team describes a SEV1 where a payments worker was corrupting rows; by the time they went to pull the database log to confirm the cause, the read replica had been recycled overnight by unrelated automation and every relevant log line was gone. No export to CloudWatch had been configured. They spent four more days reconstructing the timeline from application logs. The first time you need a database log is always after it no longer exists, which is exactly why shipping it off the instance is the whole point of this capability.

Finding data stores that ship no logs

Marco is on the platform team at a healthcare-adjacent SaaS company preparing for a SOC 2 review. Security Hub shows database-logging failures spread across an RDS PostgreSQL instance, an Aurora MySQL cluster, a Redshift warehouse and two OpenSearch domains, most of them stood up before the team standardised its provisioning module.

Rather than work the findings one by one, he starts with the highest-value store first and confirms what each is actually exporting today, so the changes are deliberate rather than blind toggles.

Start with the RDS instances that ship nothing off the box. An empty EnabledCloudwatchLogsExports array is the RDS.9 failure.

$ aws rds describe-db-instances --query 'DBInstances[?length(EnabledCloudwatchLogsExports || `[]`) == `0`].[DBInstanceIdentifier,Engine]' --output table

-------------------------------------------

| prod-orders-pg | postgres |

| billing-mysql | mysql |

-------------------------------------------

# Two databases keeping every engine log local-only. Both will die with the instance.

Stores holding sensitive data come first. Fix the ones whose access you would most need to reconstruct.

How each data store ships its logsdeep dive

Each service exposes logging differently, but they resolve to two mechanisms. The first is a CloudWatch Logs export: RDS runs a sidecar that tails the engine's log files and pushes lines to a log group named /aws/rds/instance//; Aurora MySQL ships its audit stream to /aws/rds/cluster//audit once audit is in EnabledCloudwatchLogsExports; OpenSearch publishes ES_APPLICATION_LOGS (error) and AUDIT_LOGS to CloudWatch log groups. The second is an S3 destination: Redshift's log-delivery service writes gzipped connection, user, and user-activity files under a prefix, and can also target CloudWatch. Security Hub passes the relevant control as long as the right log type is being shipped, not which sink you chose.

Two prerequisites trip people up. OpenSearch audit logs require fine-grained access control to be enabled first, because the security plugin that emits them is only active when advanced security options are on; without it the enable call is rejected. And both OpenSearch and Redshift's S3 destination need the service principal granted permission to write to the destination (a CloudWatch Logs resource policy for es.amazonaws.com, or the Redshift log-delivery bucket policy on the S3 bucket). Skip the permission and the enable call can succeed while no logs ever arrive, which is a silent failure worth verifying.

Security Hub evaluates these through AWS Config, typically on a change-triggered or periodic cycle, so a fix does not flip the finding to PASSED instantly. The control plane change itself is non-disruptive on modern engines (no reboot, no query interruption for RDS log exports; a brief Processing state for OpenSearch; no restart for Redshift), but the report catches up on the next evaluation. The detail teams most often miss is that the audit stream you want may need a separate parameter: Redshift query text needs enable_user_activity_logging = true, and Aurora MySQL audit content is governed by server_audit_events.

What is the impact of running data stores without logging?

The direct impact is investigative blindness. These stores frequently hold the most sensitive, most aggregated data an organisation has, and without their audit and engine logs there is no independent record of who connected, from where, or what they ran. If a credential is compromised or data is exfiltrated, the questions an incident responder must answer (scope, timeline, blast radius) have no source data behind them, and the honest answer becomes worst-case.

The second-order impact is operational. Engine error and slow logs are also how you diagnose a degraded database or a struggling search domain. With logs off the instance and in CloudWatch, you can query them, correlate them, and alarm on patterns; with logging off, the on-call engineer responding at 2am opens CloudWatch and finds nothing, and a fifteen-minute incident stretches into an hour of guesswork.

On the compliance side, every modern framework (SOC 2, ISO 27001, HIPAA, PCI DSS) expects access to sensitive data stores to be logged and retained for a defined period. PCI DSS requirement 10.2.1 and the NIST 800-53 audit-and-accountability family (AU-2, AU-3, AU-12) are explicit about this. A passing set of database-logging controls is among the cheapest and most defensible artefacts you can hand an auditor; a failing one is a concrete, citable gap with a remediation deadline.

How do you enable database logging safely?

Work the capability as one loop rather than chasing individual findings. The order matters: confirm what each store needs before you flip switches, and set retention before logs start piling up.

1. Inventory every data store and what it ships today

Across RDS, Aurora, Redshift and OpenSearch, list each store and check its current log configuration: EnabledCloudwatchLogsExports for RDS and Aurora, LoggingProperties for Redshift, and LogPublishingOptions for OpenSearch. Treat this inventory as the source of truth, not the Security Hub finding count, and rank it by data sensitivity so the most valuable stores are remediated first.

2. Pick log types deliberately, not by default

Enable what the auditor and your on-call actually need, not everything. For RDS, error and slow logs are almost always worth it; for Aurora MySQL, CONNECT plus QUERY_DDL plus QUERY_DCL is the standard compliance filter at a fraction of full-query volume; for Redshift, connection and user logs are on with logging and query text needs the extra parameter; for OpenSearch, error logs satisfy Opensearch.4 and audit logs satisfy Opensearch.5 (which needs fine-grained access control first). Avoid bare full-query logging unless security or legal specifically ask for it.

3. Prepare the destination and grant the permission

Enabling the export is one API call per store, and it is non-disruptive on modern engines. The work is in the destination: a CloudWatch Logs resource policy granting the service principal write access (OpenSearch), the Redshift log-delivery bucket policy on the target S3 bucket, and the fine-grained-access-control prerequisite for OpenSearch audit logs. Skip the permission and the enable call can succeed while no logs arrive, so verify that events are actually landing.

4. Cap retention and prevent recurrence

Set a retention policy on every CloudWatch log group and an S3 lifecycle on every log bucket; the CloudWatch default is never-expire, which is the worst possible setting. Match the window to the strictest compliance obligation in scope (90 days, a year, or six for HIPAA, with aged logs tiered to Glacier). Then bake logging and retention into the provisioning template and back it with AWS Config rules (rds-logging-enabled, redshift-cluster-audit-logging-enabled, opensearch-audit-logging-enabled) so new stores arrive compliant by default.

# Enable CloudWatch log export on a flagged RDS instance, then cap retention.
aws rds modify-db-instance \
  --db-instance-identifier prod-orders-pg \
  --cloudwatch-logs-exports-configuration 'EnableLogTypes=["postgresql","upgrade"]' \
  --apply-immediately

aws logs put-retention-policy \
  --log-group-name /aws/rds/instance/prod-orders-pg/postgresql \
  --retention-in-days 90

# Enable audit logging on a Redshift cluster to a policy-attached S3 bucket.
aws redshift enable-logging \
  --cluster-identifier analytics-prod \
  --bucket-name redshift-audit-logs-acct123 \
  --s3-key-prefix analytics-prod/

Quick quiz

Question 1 of 5

Security Hub shows database-logging failures across RDS.9, RDS.45, Redshift.4 and Opensearch.5. What is the most efficient way to think about them?

Keep learning

Go deeper on how logging works across the data stores in this capability.

You can now treat database logging as one capability rather than a scatter of findings: inventory what each data store ships today, pick the log types the auditor and your on-call actually need, enable the exports with the right permissions in place, and cap retention so the storage cost stays bounded. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Database logging: the cost and risk view

A near-free control on the database that buys audit evidence and bounded breach scope

Database logging across AWS is one of the better-value controls in the estate. Turning on an audit log or a CloudWatch export costs nothing on the database itself; the only spend is the downstream storage, which for most stores is a few dollars to low tens of dollars a month and is fully controllable through retention policies and log-type selection. There is no compute penalty and no license. So unlike most findings, this is rarely a real cost trade-off; it is close to a free safety improvement on your most sensitive systems.

Frame each failing control as a line on the risk register rather than a compliance checkbox. A production Redshift warehouse or an Aurora cluster holding customer records carries a far higher expected loss if its access cannot be reconstructed than a quiet dev database, yet both show up as a single red finding. Map the failures to the data behind them and prioritise by sensitivity, not by control count.

The one cost lever worth watching is verbosity. A full query log on a busy OLTP cluster can generate hundreds of GB per day, while a sensibly filtered audit stream (connections plus schema and permission changes) is typically one to two per cent of that volume and still satisfies the auditor. The right finance posture is to fund the logging as infrastructure, require a retention policy on every log group, and approve a specific event filter rather than a blank cheque.

This lesson is for the finance partner who sees a cluster of database-logging findings on the security report and wants to know what the right response is and what it costs. It covers why the database side is free, where the storage cost actually sits, how verbosity and retention are the only real cost levers, and how to turn a list of red findings into a risk-ordered remediation plan.

Fun fact

The logs that died with the instance

How a finance partner frames the database-logging findings

Marco brings the database-logging findings to his finance partner ahead of a SOC 2 review, because the report shows a scatter of red across an RDS PostgreSQL instance, an Aurora MySQL cluster, a Redshift warehouse and two OpenSearch domains, most stood up before the team standardised provisioning. The partner's starting point is one of the better-value reads on the board: turning on an audit log or a CloudWatch export costs nothing on the database itself, no compute penalty and no licence, so the only spend is downstream storage, typically a few dollars to low tens of dollars a month per store and fully controllable through retention and log-type selection. Unlike most findings, this is rarely a real cost trade-off; it is close to a free safety improvement on the most sensitive systems the business owns.

The partner then reframes the list by the data behind each store rather than by control count. A production Redshift warehouse or an Aurora cluster holding customer records carries a far higher expected loss if its access cannot be reconstructed than a quiet dev database, yet both show up as a single red finding. The one cost lever to watch is verbosity: a full query log on a busy OLTP cluster can generate hundreds of GB per day, while a sensibly filtered audit stream, connections plus schema and permission changes, is typically one to two per cent of that volume and still satisfies the auditor. So the finance posture the partner lands on is to fund the logging as infrastructure, require a retention policy on every log group as a hard prerequisite, and approve a specific event filter rather than a blank cheque, then prioritise the work by data sensitivity and treat the age of any open logging finding on a regulated store as the metric to escalate on.

Why database logging belongs on the risk register

The cost model here is asymmetric in a way that is rare for security work. The database side of enabling logging costs nothing, and the storage is small and controllable; leaving it off creates an unbounded tail risk on the most sensitive systems the business owns. Each failing control is a store where a future incident could not be investigated, and while the probability per event is low, the cost when it lands (forensics, breach notification, regulatory penalties) is large and unpredictable.

The one place the cost can run away is verbosity. A full query log on a busy cluster, or an unbounded CloudWatch log group with no retention policy, can turn a few-dollar control into a few-hundred-dollar one. The finance contribution is to approve a specific, compliant event filter rather than blanket logging, and to make a retention policy a hard prerequisite on every log group, not an afterthought.

The finance role is to attach expected loss to each failing store so the work is prioritised by risk, and to treat the age of an open logging finding as the metric. A control this cheap to satisfy should never sit open for weeks on a store holding regulated data; a rising age is the signal to escalate.

What finance can do about the database-logging gap

Finance cannot enable a log export, but it can frame database logging as cheap, governed audit evidence and stop the fix becoming an unbounded storage bill. Three levers.

1. Fund logging as infrastructure, because the database side is free

Enabling an audit log or a CloudWatch export costs nothing on the database itself, no compute penalty and no licence; the only spend is downstream storage, a few dollars to low tens of dollars a month per store. Treat it as a planned line that buys the ability to reconstruct access on the most sensitive systems, not a cost to cut. Because the database side is free, there is no budget argument for leaving a regulated store unlogged, so fund the work on sight and ask why a near-free control is still open.

2. Approve a specific event filter and require retention, not a blank cheque

Verbosity is the one place the cost runs away: a full query log on a busy OLTP cluster can generate hundreds of GB per day, while a filtered audit stream, connections plus schema and permission changes, is typically one to two per cent of that and still satisfies the auditor. The finance condition is to approve a specific, compliant event filter rather than blanket logging, and to make a retention policy on every CloudWatch log group and an S3 lifecycle on every bucket a hard prerequisite, since the CloudWatch default is never-expire.

3. Risk-weight by data sensitivity and treat finding age as the metric

A single red finding flattens a Redshift warehouse holding customer records and a quiet dev database into the same line. Attach an expected loss to each failing store based on the data behind it and prioritise by that, not by control count, because these map to PCI DSS requirement 10 and the NIST 800-53 audit-and-accountability family. A control this cheap to satisfy should never sit open for weeks on a store holding regulated data, so a rising age on an open logging finding is the signal to escalate.

Quick quiz

Question 1 of 5

What is the cost of enabling logging on the database side across this capability?

Keep learning

Go deeper on how logging works across the data stores in this capability.

You have finished the finance view of database logging. You know the database side is free with no compute penalty or licence, that the only spend is downstream storage controllable by retention and log-type selection, and that the one real cost trap is verbosity, a full query log on a busy cluster, against a filtered audit stream that is one to two per cent of the volume. Next time the cluster appears, you will fund it as infrastructure, approve a specific event filter with retention as a hard prerequisite, risk-weight by data sensitivity against PCI DSS requirement 10 and the NIST audit family, and treat a rising age on an open finding as the signal to escalate.

Back to the library

Database logging: the headline

Whether the business can say who accessed its most sensitive data

Managed databases are where the most sensitive consolidated data usually lives: customer records, financial reporting, search indexes over everything else. Database logging is the record of who connected to those stores and what they ran. The report shows this as a scatter of separate findings across RDS, Aurora, Redshift and OpenSearch, but the question underneath is one: if a credential is misused or data leaves, can we reconstruct what happened?

The leadership question is not "are we compliant today?" It is "if there is ever an incident on one of these stores, do the logs exist to investigate it?" The defensible end state is that every data-bearing store ships its audit and engine logs off the instance by default, with retention matched to the strictest compliance obligation in scope, not switched on after a scanner complains.

This is rarely a cost decision. The database side is free and the storage is small. It is a governance decision about whether audit evidence is produced by design or only when someone remembers to tick the box on a new cluster.

A short read for the leader who needs to know what database logging proves, why enabling it is a governance decision rather than a budget one, and what a defensible end state looks like across the estate's data stores.

Fun fact

The logs that died with the instance

What it looks like when audit evidence is produced by design

The database-logging findings reached the executive review after a near-miss the team still talks about: a payments worker was corrupting rows, and by the time anyone went to pull the database log to confirm the cause, the read replica had been recycled overnight by unrelated automation and every relevant line was gone, no export to CloudWatch had ever been configured, so a fifteen-minute confirmation became four days of reconstructing the timeline from application logs. The lesson leadership drew was not about that one database. It was that the company runs managed data stores, across RDS, Aurora, Redshift and OpenSearch, that hold its most sensitive consolidated data and cannot say who connected or what they ran, and that every framework the business reports against expects access to those stores to be logged and retained.

So the executive framing settled on a defensible end state: every data-bearing store ships its audit and engine logs off the instance by default, with retention matched to the strictest compliance obligation in scope, produced by design rather than switched on after a scanner complains. The point leadership keeps returning to is that this is the rare class of control where the risk of inaction is severe, no answer to what the attacker touched after an incident, while the cost of action is engineering time plus a small storage bill. The question is not are we compliant today, it is, if there is ever an incident on one of these stores, do the logs exist to investigate it, and is that a provisioning default so it stops recurring.

Why this is a board-level risk

Nearly every major data-access incident reduces to the same question afterward: what did the attacker actually touch? On a data store with no audit log, that question has no answer, and the organisation is forced into the most expensive possible response. Database logging is the control that makes a narrow, defensible answer possible on the systems where it matters most.

The cost of getting this wrong is large and well documented, while the cost of fixing it is essentially engineering time plus a small storage bill. This is the rare class of control where the risk of inaction is severe and the cost of action is small, which is exactly the trade leadership should be quickest to approve, and quickest to make a provisioning default so it stops recurring.

The leadership move on database logging

The executive handle is not to approve each log export, it is to require that every data-bearing store produces audit evidence by design, with retention and cost guardrails so the fix never becomes its own problem. Three moves.

1. Require audit logging by default on every data-bearing store

The real question is whether logging is a property of the provisioning template every new RDS, Aurora, Redshift and OpenSearch store is created from, not whether today's finding count is zero. Bake logging and retention into the standard IaC and back it with the matching AWS Config rules (rds-logging-enabled, redshift-cluster-audit-logging-enabled, opensearch-audit-logging-enabled) so a new store arrives compliant by default and the family stops being a recurring finding cleared by hand.

2. Insist the fix ships with retention and cost guardrails

Do not let turn it all on become the instruction. The correct one is turn it on, pick the log types the auditor and on-call actually need, set a retention policy on every log group and an S3 lifecycle on every bucket, matched to the strictest compliance obligation in scope. The most verbose level on a busy cluster generates real storage cost and can capture sensitive content, so done this way the controls clear, the bill stays bounded, and logging does not become the next problem on the report.

3. Approve the trade quickly: severe downside, small cost

This is the rare class of control where the risk of inaction is severe, no answer to what an attacker touched on the store holding your most aggregated data, while the cost of action is engineering time plus a small storage bill. The leadership move is to approve it fast and make it a provisioning default, then ask one standing question at review: if there is ever an incident on one of these stores, do the logs exist to investigate it, on the stores where it matters most.

Quick quiz

Question 1 of 5

At the leadership level, what does a data store with no audit log actually cost the business after an incident?

Keep learning

Go deeper on how logging works across the data stores in this capability.

Two takeaways: a data store with no audit log forces the most expensive possible response after an incident because the question what did the attacker touch has no answer, and because the database side is free while the downside is severe, this is the trade to approve quickest. The leadership outcome is audit logging built into how new data stores ship, with retention matched to the strictest obligation in scope, so the findings go to zero and stay there. The number to watch is not today's count, it is whether logging is a provisioning default that no new store can skip.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Enable database audit and log exports

Database logging: the basics

The logs that died with the instance

Finding data stores that ship no logs

How each data store ships its logsdeep dive

What is the impact of running data stores without logging?

How do you enable database logging safely?

1. Inventory every data store and what it ships today

2. Pick log types deliberately, not by default

3. Prepare the destination and grant the permission

4. Cap retention and prevent recurrence

Quick quiz

Keep learning

Database logging: the cost and risk view

The logs that died with the instance

How a finance partner frames the database-logging findings

Why database logging belongs on the risk register

What finance can do about the database-logging gap

1. Fund logging as infrastructure, because the database side is free

2. Approve a specific event filter and require retention, not a blank cheque

3. Risk-weight by data sensitivity and treat finding age as the metric

Quick quiz

Keep learning

Database logging: the headline

The logs that died with the instance

What it looks like when audit evidence is produced by design

Why this is a board-level risk

The leadership move on database logging

1. Require audit logging by default on every data-bearing store

2. Insist the fix ships with retention and cost guardrails

3. Approve the trade quickly: severe downside, small cost

Quick quiz

Keep learning

Controls this lesson covers

Opensearch

RDS

Redshift

Related compliance lessons