Setting up the pgAudit extension
To set up the pgAudit extension on your RDS for PostgreSQL DB instance , you first add pgAudit to the shared libraries on the custom DB parameter group for your RDS for PostgreSQL DB instance. For information about creating a custom DB parameter group, see Parameter groups for Amazon RDS. Next, you install the pgAudit extension. Finally, you specify the databases and objects that you want to audit. The procedures in this section show you how. You can use the AWS Management Console or the AWS CLI.
You must have permissions as the rds_superuser role to perform all these tasks.
The steps following assume that your RDS for PostgreSQL DB instance is associated with a custom DB parameter group.
To set up the pgAudit extension
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
In the navigation pane, choose your RDS for PostgreSQL DB instance.
-
Open the Configuration tab for your RDS for PostgreSQL DB instance. Among the Instance details, find the Parameter group link.
-
Choose the link to open the custom parameters associated with your RDS for PostgreSQL DB instance.
-
In the Parameters search field, type
shared_preto find theshared_preload_librariesparameter. -
Choose Edit parameters to access the property values.
-
Add
pgauditto the list in the Values field. Use a comma to separate items in the list of values.
Reboot the RDS for PostgreSQL DB instance so that your change to the
shared_preload_librariesparameter takes effect.When the instance is available, verify that pgAudit has been initialized. Use
psqlto connect to the RDS for PostgreSQL DB instance, and then run the following command.SHOW shared_preload_libraries;shared_preload_libraries -------------------------- rdsutils,pgaudit (1 row)With pgAudit initialized, you can now create the extension. You need to create the extension after initializing the library because the
pgauditextension installs event triggers for auditing data definition language (DDL) statements.CREATE EXTENSION pgaudit;Close the
psqlsession.labdb=>\qSign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. Find the
pgaudit.logparameter in the list and set to the appropriate value for your use case. For example, setting thepgaudit.logparameter towriteas shown in the following image captures inserts, updates, deletes, and some other types changes to the log.
You can also choose one of the following values for the
pgaudit.logparameter.none – This is the default. No database changes are logged.
all – Logs everything (read, write, function, role, ddl, misc).
ddl – Logs all data definition language (DDL) statements that aren't included in the
ROLEclass.function – Logs function calls and
DOblocks.misc – Logs miscellaneous commands, such as
DISCARD,FETCH,CHECKPOINT,VACUUM, andSET.read – Logs
SELECTandCOPYwhen the source is a relation (such as a table) or a query.role – Logs statements related to roles and privileges, such as
GRANT,REVOKE,CREATE ROLE,ALTER ROLE, andDROP ROLE.write – Logs
INSERT,UPDATE,DELETE,TRUNCATE, andCOPYwhen the destination is a relation (table).
Choose Save changes.
Open the Amazon RDS console at https://console.aws.amazon.com/rds/
. Choose your RDS for PostgreSQL DB instance from the Databases list.
To setup pgAudit
To setup pgAudit using the AWS CLI, you call the modify-db-parameter-group operation to modify the audit log parameters in your custom parameter group, as shown in the following procedure.
Use the following AWS CLI command to add
pgauditto theshared_preload_librariesparameter.aws rds modify-db-parameter-group \ --db-parameter-group-namecustom-param-group-name\ --parameters "ParameterName=shared_preload_libraries,ParameterValue=pgaudit,ApplyMethod=pending-reboot" \ --regionaws-region-
Use the following AWS CLI command to reboot the RDS for PostgreSQL DB instance so that the pgaudit library is initialized.
aws rds reboot-db-instance \ --db-instance-identifieryour-instance\ --regionaws-region When the instance is available, you can verify that
pgaudithas been initialized. Usepsqlto connect to the RDS for PostgreSQL DB instance, and then run the following command.SHOW shared_preload_libraries;shared_preload_libraries -------------------------- rdsutils,pgaudit (1 row)With pgAudit initialized, you can now create the extension.
CREATE EXTENSION pgaudit;Close the
psqlsession so that you can use the AWS CLI.labdb=>\qUse the following AWS CLI command to specify the classes of statement that want logged by session audit logging. The example sets the
pgaudit.logparameter towrite, which captures inserts, updates, and deletes to the log.aws rds modify-db-parameter-group \ --db-parameter-group-namecustom-param-group-name\ --parameters "ParameterName=pgaudit.log,ParameterValue=write,ApplyMethod=pending-reboot" \ --regionaws-regionYou can also choose one of the following values for the
pgaudit.logparameter.none – This is the default. No database changes are logged.
all – Logs everything (read, write, function, role, ddl, misc).
ddl – Logs all data definition language (DDL) statements that aren't included in the
ROLEclass.function – Logs function calls and
DOblocks.misc – Logs miscellaneous commands, such as
DISCARD,FETCH,CHECKPOINT,VACUUM, andSET.read – Logs
SELECTandCOPYwhen the source is a relation (such as a table) or a query.role – Logs statements related to roles and privileges, such as
GRANT,REVOKE,CREATE ROLE,ALTER ROLE, andDROP ROLE.write – Logs
INSERT,UPDATE,DELETE,TRUNCATE, andCOPYwhen the destination is a relation (table).
Reboot the RDS for PostgreSQL DB instance using the following AWS CLI command.
aws rds reboot-db-instance \ --db-instance-identifieryour-instance\ --regionaws-region
