Company compliance requirements specify that database events such as connections, disconnections, tables queried, or types of queries issued (DML, DDL, or DCL) on an Aurora MySQL DB cluster must be retained for audit purposes.
What is the optimal solution to accomplish this?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: D.
Option A is incorrect because trace files contain information about background server processes.
Option B is incorrect because this is not the optimal solution.
It requires the implementation of a custom Lambda function.
Option C is incorrect because CloudTrail does not contain database events and audit data.
CloudTrail records log events performed on the RDS service.
Option D is CORRECT because Amazon Aurora RDS provides native capability to write audit logs to CloudWatch log groups.
This functionality can be enabled and configured using a custom parameter group.
Reference:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.htmlThe optimal solution to retain database events such as connections, disconnections, tables queried, and types of queries issued on an Aurora MySQL DB cluster for audit purposes is option D: Create a custom DB cluster parameter group, enable and configure Advanced Auditing parameters, associate the custom parameter group with the Aurora RDS cluster, and modify the log export configuration of the RDS cluster to publish logs to CloudWatch.
Option A is not a viable solution because the exec rdsadmin.manage_tracefiles.set_tracefile_table_location
command is used to configure the destination of the trace file, not the audit log. Additionally, the tracefile_table view is used for performance troubleshooting, not auditing, and it does not contain the required audit data.
Option B is not the optimal solution because downloading the audit log file using the DownloadDBLogFilePortion
API is a manual process, and it does not provide real-time auditing. It also requires the Lambda function to have access to the AWS RDS API, which may not comply with security requirements.
Option C is not a viable solution because CloudTrail is used for API event logging and does not provide auditing of database connections, disconnections, tables queried, or types of queries issued. CloudTrail only logs API calls made to AWS RDS.
Option D is the optimal solution because it enables and configures Advanced Auditing parameters in the custom DB cluster parameter group, which provides a comprehensive auditing solution. Advanced Auditing tracks all the database events such as connections, disconnections, tables queried, and types of queries issued, and logs them to a designated log file. The log file can be exported to CloudWatch for real-time monitoring and alerting. Modifying the log export configuration of the RDS cluster to publish logs to CloudWatch makes the auditing data easily accessible and searchable.
In conclusion, the best solution to meet the compliance requirements for retaining database events such as connections, disconnections, tables queried, and types of queries issued on an Aurora MySQL DB cluster for audit purposes is option D.