(aws_docdb): support audit logging

[ahammond]

Description

In order to use data stores while remaining HIPAA compliant, we need to log an audit trail. DocDB has support for this https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html#event-auditing-enabling-auditing but it doesn't look like there's any way to enable this via CDK. We had a similar problem with RDS and solved it using a CustomResource lambda. Is there something like this for DocDB?

Use Case

HIPAA compliance

Proposed Solution

new aws_docdb.DatabaseCluster(this, 'Name', { audit: true, ... });

When this is enabled, it would automatically create a customer Parameter Group to match the DB with audit_logs: 'enabled' and then it would trigger a custom resource that would run the equivalent of

aws docdb modify-db-cluster \
   --db-cluster-identifier sample-cluster \
   --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

Other information

No response

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

[skinny85]

Thanks for opening the issue @ahammond! As always, we encourage community contributions, so if you'd like to open us a Pull Request adding this feature, that would be fantastic! Our "Contributing" guide: https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md.

Thanks,
Adam

[markussiebert]

So maybe you can review my pr or give me some tipps?

@skinny85

[skinny85]

So maybe you can review my pr or give me some tipps?

@skinny85

Will do 🙂.