SQL Server Audit
In Amazon RDS, you can audit Microsoft SQL Server databases by using the built-in SQL Server auditing mechanism. You can create audits and audit specifications in the same way that you create them for on-premises database servers.
RDS uploads the completed audit logs to your S3 bucket, using the IAM role that you provide. If you enable retention, RDS keeps your audit logs on your DB instance for the configured period of time.
For more information, see SQL Server Audit (database engine)
SQL Server Audit with Database Activity Streams
You can use Database Activity Streams for RDS to integrate SQL Server Audit events with database activity monitoring tools from Imperva, McAfee, and IBM. For more information about auditing with Database Activity Streams for RDS SQL Server, see Auditing in Microsoft SQL Server
Topics
Support for SQL Server Audit
In Amazon RDS, starting with SQL Server 2014, all editions of SQL Server support server-level
audits, and the Enterprise edition also supports database-level audits. Starting
with SQL Server 2016 (13.x) SP1, all editions support both server-level and
database-level audits. For more information, see SQL Server Audit (database engine)
RDS supports configuring the following option settings for SQL Server Audit.
| Option setting | Valid values | Description |
|---|---|---|
IAM_ROLE_ARN |
A valid Amazon Resource Name (ARN) in the format
arn:aws-cn:iam::. |
The ARN of the IAM role that grants access to the S3 bucket where you want to store your audit logs. For more information, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference. |
S3_BUCKET_ARN |
A valid ARN in the format arn:aws-cn:s3:::bucket-name or
arn:aws-cn:s3:::bucket-name/key-prefix |
The ARN for the S3 bucket where you want to store your audit logs. |
ENABLE_COMPRESSION |
true or false |
Controls audit log compression. By default, compression is enabled (set
to true). |
RETENTION_TIME |
0 to 840 |
The retention time (in hours) that SQL Server audit records are kept on your RDS instance. By default, retention is disabled. |
RDS supports SQL Server Audit in all Amazon Regions except Middle East (Bahrain).
Adding SQL Server Audit to the DB instance options
Enabling SQL Server Audit requires two steps: enabling the option on the DB instance, and enabling the feature inside SQL Server. The process for adding the SQL Server Audit option to a DB instance is as follows:
-
Create a new option group, or copy or modify an existing option group.
-
Add and configure all required options.
-
Associate the option group with the DB instance.
After you add the SQL Server Audit option, you don't need to restart your DB instance. As soon as the option group is active, you can create audits and store audit logs in your S3 bucket.
To add and configure SQL Server Audit on a DB instance's option group
-
Choose one of the following:
-
Use an existing option group.
-
Create a custom DB option group and use that option group. For more information, see Creating an option group.
-
-
Add the SQLSERVER_AUDIT option to the option group, and configure the option settings. For more information about adding options, see Adding an option to an option group.
-
For IAM role, if you already have an IAM role with the required policies, you can choose that role. To create a new IAM role, choose Create a New Role. For information about the required policies, see Manually creating an IAM role for SQL Server Audit.
-
For Select S3 destination, if you already have an S3 bucket that you want to use, choose it. To create an S3 bucket, choose Create a New S3 Bucket.
-
For Enable Compression, leave this option chosen to compress audit files. Compression is enabled by default. To disable compression, clear Enable Compression.
-
For Audit log retention, to keep audit records on the DB instance, choose this option. Specify a retention time in hours. The maximum retention time is 35 days.
-
-
Apply the option group to a new or existing DB instance. Choose one of the following:
-
If you are creating a new DB instance, apply the option group when you launch the instance.
-
On an existing DB instance, apply the option group by modifying the instance and then attaching the new option group. For more information, see Modifying an Amazon RDS DB instance.
-
Modifying the SQL Server Audit option
After you enable the SQL Server Audit option, you can modify the settings. For information about how to modify option settings, see Modifying an option setting.
Removing SQL Server Audit from the DB instance options
You can turn off the SQL Server Audit feature by disabling audits and then deleting the option.
To remove auditing
-
Disable all of the audit settings inside SQL Server. To learn where audits are running, query the SQL Server security catalog views. For more information, see Security catalog views
in the Microsoft SQL Server documentation. -
Delete the SQL Server Audit option from the DB instance. Choose one of the following:
-
Delete the SQL Server Audit option from the option group that the DB instance uses. This change affects all DB instances that use the same option group. For more information, see Removing an option from an option group.
-
Modify the DB instance, and then choose an option group without the SQL Server Audit option. This change affects only the DB instance that you modify. You can specify the default (empty) option group, or a different custom option group. For more information, see Modifying an Amazon RDS DB instance.
-
-
After you delete the SQL Server Audit option from the DB instance, you don't need to restart the instance. Remove unneeded audit files from your S3 bucket.
Using SQL Server Audit
You can control server audits, server audit specifications, and database audit specifications the same way that you control them for on-premises database servers.
Creating audits
You create server audits in the same way that you create them for on-premises database
servers. For information about how to create server audits, see CREATE SERVER AUDIT
To avoid errors, adhere to the following limitations:
-
Don't exceed the maximum number of supported server audits per instance of 50.
-
Instruct SQL Server to write data to a binary file.
-
Don't use
RDS_as a prefix in the server audit name. -
For
FILEPATH, specifyD:\rdsdbdata\SQLAudit. -
For
MAXSIZE, specify a size between 2 MB and 50 MB. -
Don't configure
MAX_ROLLOVER_FILESorMAX_FILES. -
Don't configure SQL Server to shut down the DB instance if it fails to write the audit record.
Creating audit specifications
You create server audit specifications and database audit specifications the same way that
you create them for on-premises database servers. For information about creating
audit specifications, see CREATE SERVER AUDIT SPECIFICATION
To avoid errors, don't use RDS_ as a prefix in the name of the database
audit specification or server audit specification.
Viewing audit logs
Your audit logs are stored in D:\rdsdbdata\SQLAudit.
After SQL Server finishes writing to an audit log file—when the file reaches its
size limit—Amazon RDS uploads the file to your S3 bucket. If retention is enabled,
Amazon RDS moves the file into the retention folder:
D:\rdsdbdata\SQLAudit\transmitted.
For information about configuring retention, see Adding SQL Server Audit to the DB instance options.
Audit records are kept on the DB instance until the audit log file is uploaded. You can view the audit records by running the following command.
SELECT * FROM msdb.dbo.rds_fn_get_audit_file ('D:\rdsdbdata\SQLAudit\*.sqlaudit' , default , default )
You
can use the same command to view audit records in your retention folder by changing the filter
to
D:\rdsdbdata\SQLAudit\transmitted\*.sqlaudit.
SELECT * FROM msdb.dbo.rds_fn_get_audit_file ('D:\rdsdbdata\SQLAudit\transmitted\*.sqlaudit' , default , default )
Using SQL Server Audit with Multi-AZ instances
For Multi-AZ instances, the process for sending audit log files to Amazon S3 is similar to the process for Single-AZ instances. However, there are some important differences:
-
Database audit specification objects are replicated to all nodes.
-
Server audits and server audit specifications aren't replicated to secondary nodes. Instead, you have to create or modify them manually.
To capture server audits or a server audit specification from both nodes:
-
Create a server audit or a server audit specification on the primary node.
-
Fail over to the secondary node and create a server audit or a server audit specification with the same name and GUID on the secondary node. Use the
AUDIT_GUIDparameter to specify the GUID.
Configuring an S3 bucket
The audit log files are automatically uploaded from the DB instance to your S3 bucket. The following restrictions apply to the S3 bucket that you use as a target for audit files:
-
It must be in the same Amazon Region as the DB instance.
-
It must not be open to the public.
-
It can't use S3 Object Lock.
-
The bucket owner must also be the IAM role owner.
The target key that is used to store the data follows this naming schema:
bucket-name/key-prefix/instance-name/audit-name/node_file-name.ext
Note
You set both the bucket name and the key prefix values with the (S3_BUCKET_ARN) option setting.
The schema is composed of the following elements:
-
bucket-name– The name of your S3 bucket. -
key-prefix– The custom key prefix you want to use for audit logs. -
instance-name– The name of your Amazon RDS instance. -
audit-name– The name of the audit. -
node– The identifier of the node that is the source of the audit logs (node1ornode2). There is one node for a Single-AZ instance and two replication nodes for a Multi-AZ instance. These are not primary and secondary nodes, because the roles of primary and secondary change over time. Instead, the node identifier is a simple label.-
node1– The first replication node (Single-AZ has one node only). -
node2– The second replication node (Multi-AZ has two nodes).
-
-
file-name– The target file name. The file name is taken as-is from SQL Server. -
ext– The extension of the file (ziporsqlaudit):-
zip– If compression is enabled (default). -
sqlaudit– If compression is disabled.
-
Manually creating an IAM role for SQL Server Audit
Typically, when you create a new option, the Amazon Web Services Management Console creates the IAM role and the IAM trust policy for you. However, you can manually create a new IAM role to use with SQL Server Audits, so that you can customize it with any additional requirements you might have. To do this, you create an IAM role and delegate permissions so that the Amazon RDS service can use your Amazon S3 bucket. When you create this IAM role, you attach trust and permissions policies. The trust policy allows Amazon RDS to assume this role. The permission policy defines the actions that this role can do. For more information, see Creating a role to delegate permissions to an Amazon service in the Amazon Identity and Access Management User Guide.
You can use the examples in this section to create the trust relationships and permissions policies you need.
The following example shows a trust relationship for SQL Server Audit. It uses the service
principal
rds.amazonaws.com to allow RDS to write to the S3 bucket. A service
principal is an identifier that is used to grant permissions to a service. Anytime you allow access to
rds.amazonaws.com in this way, you are allowing RDS to perform an action on your behalf. For more
information about service principals, see Amazon JSON policy elements:
Principal.
Example trust relationship for SQL Server Audit
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource-based trust relationships to limit
the service's permissions to a specific resource. This is the most effective way to protect against the confused deputy problem.
You might use both global condition context keys and have the aws:SourceArn value contain the account ID. In
this case, the aws:SourceAccount value and the account in the aws:SourceArn value must use the
same account ID when used in the same statement.
-
Use
aws:SourceArnif you want cross-service access for a single resource. -
Use
aws:SourceAccountif you want to allow any resource in that account to be associated with the cross-service use.
In the trust relationship, make sure to use the aws:SourceArn global condition context key with the full
Amazon Resource Name (ARN) of the resources accessing the role. For SQL Server Audit, make sure to include both the DB
option group and the DB instances, as shown in the following example.
Example trust relationship with global condition context key for SQL Server Audit
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceArn": [ "arn:aws-cn:rds:Region:my_account_ID:db:db_instance_identifier", "arn:aws-cn:rds:Region:my_account_ID:og:option_group_name" ] } } } ] }
In the following example of a permissions policy for SQL Server Audit, we specify an ARN for the Amazon S3 bucket. You can use ARNs to identify a specific account, user, or role that you want grant access to. For more information about using ARNs, see Amazon resource names (ARNs).
Example permissions policy for SQL Server Audit
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketACL", "s3:GetBucketLocation" ], "Resource": "arn:aws-cn:s3:::bucket_name" }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": "arn:aws-cn:s3:::bucket_name/key_prefix/*" } ] }
Note
The s3:ListAllMyBuckets action is required for verifying that the same Amazon account owns both the S3
bucket and the SQL Server DB instance. The action lists the names of the buckets in the account.
S3 bucket namespaces are global. If you accidentally delete your bucket, another user can create a bucket with the same name in a different account. Then the SQL Server Audit data is written to the new bucket.