Starting a database activity stream - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Starting a database activity stream

When you start an activity stream for the DB instance, each database activity event that you configured in the audit policy generates an activity stream event. SQL commands such as CONNECT and SELECT generate access events. SQL commands such as CREATE and INSERT generate change events.

Important

Turning on an activity stream for an Oracle DB instance clears existing audit data. It also revokes audit trail privileges. When the stream is enabled, RDS for Oracle can no longer do the following:

  • Purge unified audit trail records.

  • Add, delete, or modify the unified audit policy.

  • Update the last archived time stamp.

To start a database activity stream
  1. Open the Amazon RDS console at https://console.amazonaws.cn/rds/.

  2. In the navigation pane, choose Databases.

  3. Choose the Amazon RDS database instance on which you want to start an activity stream. In a Multi-AZ deployment, start the stream on only the primary instance. The activity stream audits both the primary and the standby instances.

  4. For Actions, choose Start activity stream.

    The Start database activity stream: name window appears, where name is your RDS instance.

  5. Enter the following settings:

    • For Amazon KMS key, choose a key from the list of Amazon KMS keys.

      Amazon RDS uses the KMS key to encrypt the key that in turn encrypts database activity. Choose a KMS key other than the default key. For more information about encryption keys and Amazon KMS, see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

    • For Database activity events, choose Enable engine-native audit fields to include the engine specific audit fields.

    • Choose Immediately.

      When you choose Immediately, the RDS instance restarts right away. If you choose During the next maintenance window, the RDS instance doesn't restart right away. In this case, the database activity stream doesn't start until the next maintenance window.

  6. Choose Start database activity stream.

    The status for the database shows that the activity stream is starting.

    Note

    If you get the error You can't start a database activity stream in this configuration, check Supported DB instance classes for database activity streams to see whether your RDS instance is using a supported instance class.

To start database activity streams for a DB instance, configure the instance using the start-activity-stream Amazon CLI command with the following options:

  • --resource-arn arn – Specifies the Amazon Resource Name (ARN) of the DB instance.

  • --kms-key-id key – Specifies the KMS key identifier for encrypting messages in the database activity stream. The Amazon KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the Amazon KMS key.

  • --engine-native-audit-fields-included – Includes engine-specific auditing fields in the data stream. To exclude these fields, specify --no-engine-native-audit-fields-included (default).

The following example starts a database activity stream for a DB instance in asynchronous mode.

For Linux, macOS, or Unix:

aws rds start-activity-stream \
    --mode async \
    --kms-key-id my-kms-key-arn \
    --resource-arn my-instance-arn \
    --engine-native-audit-fields-included \
    --apply-immediately

For Windows:

aws rds start-activity-stream ^
    --mode async ^
    --kms-key-id my-kms-key-arn ^
    --resource-arn my-instance-arn ^
    --engine-native-audit-fields-included ^
    --apply-immediately

To start database activity streams for a DB instance, configure the instance using the StartActivityStream operation.

Call the action with the parameters below:

  • Region

  • KmsKeyId

  • ResourceArn

  • Mode

  • EngineNativeAuditFieldsIncluded
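As an added example (not from this page or the AWS SDK), the Python helper below assembles and checks the StartActivityStream parameters listed above before they are handed to boto3, rejecting a malformed DB instance ARN, an unrecognised KMS key identifier form, and the default RDS key the page says not to use, and it reads the activity-stream fields back out of a describe-db-instances response. The regular expressions, the `alias/aws/rds` alias for the default key, and the sample ARNs and stream name are assumptions.

```python
import re

# Identifier forms the page accepts for --kms-key-id: key ID, alias name, key ARN, alias ARN.
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
KMS_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:(key/[0-9a-f-]{36}|alias/[A-Za-z0-9/_-]+)$")
DB_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):rds:[a-z0-9-]+:\d{12}:db:[A-Za-z][A-Za-z0-9-]*$")
# Assumption: the default (AWS managed) RDS key carries the alias "alias/aws/rds".
DEFAULT_ALIAS = "alias/aws/rds"


def kms_key_form(key_id):
    """Return which accepted form key_id uses, or None if it matches none of them."""
    if KEY_ID_RE.match(key_id):
        return "key id"
    if ALIAS_RE.match(key_id):
        return "alias name"
    m = KMS_ARN_RE.match(key_id)
    if m:
        return "key arn" if m.group(2).startswith("key/") else "alias arn"
    return None


def build_start_request(resource_arn, kms_key_id, mode="async",
                        apply_immediately=True, native_fields=True):
    """Build keyword arguments for boto3 rds.start_activity_stream(), validating each one."""
    if not DB_ARN_RE.match(resource_arn):
        raise ValueError(f"not a DB instance ARN: {resource_arn}")
    if kms_key_form(kms_key_id) is None:
        raise ValueError(f"unrecognised KMS key identifier: {kms_key_id}")
    # The page requires a key other than the default key; refuse the managed alias in both forms.
    if kms_key_id == DEFAULT_ALIAS or kms_key_id.endswith(":" + DEFAULT_ALIAS):
        raise ValueError("choose a KMS key other than the default RDS key")
    if mode not in ("sync", "async"):
        raise ValueError("mode must be 'sync' or 'async'")
    return {"ResourceArn": resource_arn, "Mode": mode, "KmsKeyId": kms_key_id,
            "ApplyImmediately": apply_immediately,
            "EngineNativeAuditFieldsIncluded": native_fields}


def stream_state(describe_response):
    """Summarise the activity-stream fields of the first DBInstance in a
    describe_db_instances() response (status is one of stopped/starting/started/stopping)."""
    inst = describe_response["DBInstances"][0]
    return {"status": inst.get("ActivityStreamStatus", "stopped"),
            "kinesis_stream": inst.get("ActivityStreamKinesisStreamName"),
            "native_fields": inst.get("ActivityStreamEngineNativeAuditFieldsIncluded", False)}
```

To run it against a real instance, pass the returned dictionary as keyword arguments to `boto3.client("rds").start_activity_stream(**request)` and poll `describe_db_instances` until `stream_state` reports `started`.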