AWS RDS Audit Visibility
This guide walks through enabling audit logging on AWS RDS for every supported engine and routing those logs to CloudWatch, where Monad can ingest them via the AWS CloudWatch Logs input.
Sync Type: Incremental
How RDS Delivers Audit Logs
AWS RDS exposes audit logs through two delivery paths:
| Path | Description |
|---|---|
| RDS Log Files API | Audit log files written directly to the instance, downloadable via DescribeDBLogFiles / DownloadDBLogFilePortion |
| CloudWatch Logs | Audit log entries streamed to a CloudWatch log group, queryable via standard CloudWatch APIs |
This guide focuses on the CloudWatch path, which is the recommended approach for centralized, real-time audit log visibility. Once audit logs are flowing into CloudWatch, use the AWS CloudWatch Logs input in Monad to ingest them.
Engine support: MySQL, MariaDB, and Oracle support exporting the
auditlog type to CloudWatch. PostgreSQL, SQL Server, and Db2 do not have a dedicated CloudWatch audit export — notes for those engines are included below.
Step 1 — Enable Auditing Per Engine
Auditing must be enabled at the database engine level before any logs are generated. Follow the section for your engine.
MySQL
MySQL on RDS uses the MariaDB Audit Plugin (MARIADB_AUDIT_PLUGIN) delivered via an RDS Option Group.
1. Create an Option Group:
- Open the Amazon RDS Console
- In the left navigation pane, choose Option groups
- Choose Create group
- Fill in the following:
- Name:
my-mysql-audit - Description:
MySQL audit logging - Engine:
mysql - Major engine version: Select the version that matches your instance (e.g.
8.0)
- Name:
- Choose Create
2. Add the audit plugin to the option group:
- In the Option groups list, select the group you just created
- Choose Add option
- Under Option name, select MARIADB_AUDIT_PLUGIN
- Under Option settings, configure:
SERVER_AUDIT_EVENTS:CONNECT,QUERY_DDL,QUERY_DMLSERVER_AUDIT_EXCL_USERS:rdsadmin
- Under Scheduling, select Immediately
- Choose Add option
Recommended SERVER_AUDIT_EVENTS values:
| Value | What it captures |
|---|---|
CONNECT | Connection and disconnection events |
QUERY | All SQL statements (high volume) |
QUERY_DDL | CREATE, ALTER, DROP only |
QUERY_DML | INSERT, UPDATE, DELETE only |
TABLE | Table-level access |
3. Attach the option group to your instance:
- In the left navigation pane, choose Databases
- Select your MySQL instance
- Choose Modify
- Scroll to Additional configuration
- Under Option group, select the option group you created (
my-mysql-audit) - Choose Continue
- Under Scheduling of modifications, select Apply immediately
- Choose Modify DB instance
MariaDB
MariaDB uses the same MARIADB_AUDIT_PLUGIN option group mechanism as MySQL.
Follow all three MySQL steps above with one difference in step 1: under Engine, select mariadb and choose the major engine version that matches your MariaDB instance.
PostgreSQL
PostgreSQL uses the pgaudit extension for structured audit logging. pgaudit events are written into the standard PostgreSQL log (error/postgresql.log.*).
CloudWatch limitation: PostgreSQL does not support a dedicated
auditlog export to CloudWatch. AWS only supports thepostgresqlandupgradelog types for CloudWatch export on PostgreSQL. If you require CloudWatch-based audit visibility for PostgreSQL, configure the AWS CloudWatch Logs input on the/aws/rds/instance/{instance}/postgresqllog group — pgaudit entries will be present there alongside other PostgreSQL log output.
1. Create a parameter group:
- In the left navigation pane, choose Parameter groups
- Choose Create parameter group
- Fill in:
- Parameter group family: Select the family matching your PostgreSQL version (e.g.
postgres15) - Type:
DB Parameter Group - Group name:
my-postgres-audit - Description:
PostgreSQL pgaudit logging
- Parameter group family: Select the family matching your PostgreSQL version (e.g.
- Choose Create
2. Edit the parameter group to load pgaudit:
- In the Parameter groups list, select
my-postgres-audit - Choose Edit
- Search for
shared_preload_librariesand set the value topgaudit - Search for
pgaudit.logand set the value toddl,role,connection - Choose Save changes
Recommended pgaudit.log values:
| Value | What it captures |
|---|---|
ddl | CREATE, ALTER, DROP and schema changes |
role | GRANT, REVOKE, role membership changes |
connection | Login and logout events |
read | SELECT and COPY from tables or sequences |
write | INSERT, UPDATE, DELETE, TRUNCATE |
all | Everything (high volume) |
3. Associate the parameter group with your instance:
- In the left navigation pane, choose Databases
- Select your PostgreSQL instance
- Choose Modify
- Scroll to Additional configuration
- Under DB parameter group, select
my-postgres-audit - Choose Continue
- Under Scheduling of modifications, select Apply immediately
- Choose Modify DB instance
4. Reboot the instance to apply shared_preload_libraries:
- In the Databases list, select your instance
- Choose Actions → Reboot
- Choose Confirm
5. Install the extension in each target database:
Connect to your database and run:
Code
Oracle
Oracle RDS uses the native Oracle Audit Trail, enabled via a DB parameter group.
1. Create or open the parameter group for your instance:
- In the left navigation pane, choose Parameter groups
- Either select the existing parameter group attached to your instance, or choose Create parameter group to create a new one with the Oracle family matching your version (e.g.
oracle-ee-19) - Choose Edit
2. Set the audit_trail parameter:
- Search for
audit_trail - Set the value to
OS - Choose Save changes
Supported audit_trail values:
| Value | Behavior |
|---|---|
OS | Writes to OS files — required for CloudWatch export |
DB | Writes to SYS.AUD$ — not exported to CloudWatch |
XML | Writes to XML files |
XML,EXTENDED | XML files with SQL text and bind variables |
none | Auditing disabled (default) |
3. If you created a new parameter group, attach it to your instance:
- In the left navigation pane, choose Databases
- Select your Oracle instance
- Choose Modify
- Scroll to Additional configuration
- Under DB parameter group, select the parameter group
- Choose Continue → Apply immediately → Modify DB instance
4. Reboot the instance to apply the parameter change:
- In the Databases list, select your instance
- Choose Actions → Reboot
- Choose Confirm
Oracle audit files on RDS have a 7-day default retention. Routing to CloudWatch is strongly recommended to avoid log loss.
SQL Server — not supported
SQL Server audit visibility through Monad is not supported on RDS. SQL Server on RDS can export only error and agent logs to CloudWatch — SQL Server Audit files (.sqlaudit) cannot be exported. Because there is no way to get the audit trail into CloudWatch (or otherwise expose it to Monad), enabling a Server Audit on the instance would not result in any audit logs reaching Monad.
Db2 — not supported
Db2 audit visibility through Monad is not supported on RDS. Db2 on RDS can export only diag.log and notify.log to CloudWatch — the db2audit trail cannot be exported. Because there is no way to get the audit trail into CloudWatch (or otherwise expose it to Monad), enabling Db2 auditing on the instance would not result in any audit logs reaching Monad.
Step 2 — Route Audit Logs to CloudWatch
This step applies to MySQL, MariaDB, and Oracle. After completing it, audit log entries will stream into CloudWatch and can be ingested by Monad.
- In the left navigation pane, choose Databases
- Select your instance
- Choose Modify
- Scroll to Additional configuration
- Under Log exports, check the Audit log checkbox
- For Oracle, also check Alert log and Listener log as needed
- Choose Continue
- Under Scheduling of modifications, select Apply immediately
- Choose Modify DB instance
AWS automatically creates the following CloudWatch log groups once the export is enabled:
| Engine | CloudWatch Log Group |
|---|---|
| MySQL | /aws/rds/instance/{instance-identifier}/audit |
| MariaDB | /aws/rds/instance/{instance-identifier}/audit |
| Oracle | /aws/rds/instance/{instance-identifier}/audit |
Step 3 — Grant IAM Permissions
The IAM role or user used by Monad needs permission to read from the CloudWatch log group.
1. Create an IAM policy:
- Open the IAM Console
- In the left navigation pane, choose Policies
- Choose Create policy
- Select the JSON tab and paste the following, replacing
<region>,<account-id>, and<instance-identifier>with your values:
Code
- Choose Next, enter a name (e.g.
MonadRDSAuditPolicy), and choose Create policy
2. Create an IAM role for Monad (Role ARN authentication):
- In the left navigation pane, choose Roles
- Choose Create role
- Under Trusted entity type, choose AWS account
- Enter Monad's AWS account ID and choose Next
- Search for and attach
MonadRDSAuditPolicy - Choose Next, enter a role name (e.g.
MonadRDSAuditRole), and choose Create role - Open the newly created role and copy its ARN — you will paste this into the Monad connector as Role ARN
See AWS Authentication Methods for details on configuring the trust relationship.
Alternative — static credentials:
- In the left navigation pane, choose Users
- Select the IAM user (or create a new one with programmatic access)
- Choose Add permissions → Attach policies directly
- Search for and attach
MonadRDSAuditPolicy - In the user's Security credentials tab, choose Create access key and save the Access Key ID and Secret Access Key
Step 4 — Connect Monad
Once audit logs are flowing into CloudWatch, configure the AWS CloudWatch Logs input in Monad with:
- Region: the AWS region where your RDS instance is deployed
- Role ARN (or Access Key / Secret Key): the credentials created in Step 3
- Log Group Name Prefix: the log group name which was automatically created by RDS
Related Articles
- MySQL audit plugin on RDS
- MariaDB audit plugin on RDS
- pgaudit on RDS for PostgreSQL
- Oracle audit trail on RDS
- SQL Server audit on RDS
- Db2 log access on RDS
- Publishing MySQL/MariaDB logs to CloudWatch
- Publishing Oracle logs to CloudWatch