RDS instance log connections disabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RDS instance log connections disabled

Metadata

Id: 140869ea-25f2-40d4-a595-0c0da135114e

Cloud Provider: Alicloud

Platform: Terraform

Severity: Medium

Category: Observability

Learn More

Provider Reference

Description

The log_connections parameter should be set to ON for RDS instances. This rule flags alicloud_db_instance resources when the parameters array does not include a log_connections entry or when value = "OFF". Remediation is to add or replace the parameters entry with name = "log_connections" and value = "ON".

Compliant Code Examples

resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    },{
        name = "log_connections"
        value = "ON"
    }]
}

Non-Compliant Code Examples

resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    },{
        name = "log_connections"
        value = "OFF"
    }]
}

resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
}

resource "alicloud_db_instance" "default" {
    engine = "MySQL"
    engine_version = "5.6"
    db_instance_class = "rds.mysql.t1.small"
    db_instance_storage = "10"
    parameters = [{
        name = "innodb_large_prefix"
        value = "ON"
    },{
        name = "connect_timeout"
        value = "50"
    }]
}