AWS Certified Database – Specialty — Question 289
A company is loading sensitive data into an Amazon Aurora MySQL database. To meet compliance requirements, the company needs to enable audit logging on the Aurora MySQL DB cluster to audit database activity. This logging will include events such as connections, disconnections, queries, and tables queried. The company also needs to publish the DB logs to Amazon CloudWatch to perform real-time data analysis.
Which solution meets these requirements?
Answer options
- A. Modify the default option group parameters to enable Advanced Auditing. Restart the database for the changes to take effect.
- B. Create a custom DB cluster parameter group. Modify the parameters for Advanced Auditing. Modify the cluster to associate the new custom DB parameter group with the Aurora MySQL DB cluster.
- C. Take a snapshot of the database. Create a new DB instance, and enable custom auditing and logging to CloudWatch. Deactivate the DB instance that has no logging.
- D. Enable AWS CloudTrail for the DB instance. Create a filter that provides only connections, disconnections, queries, and tables queried.
Correct answer: B
Explanation
Advanced Auditing in Amazon Aurora MySQL is controlled by DB cluster parameters, and the default DB cluster parameter group cannot be modified, so a custom DB cluster parameter group is required. After creating the custom group, set server_audit_logging to 1 and configure server_audit_events (for example CONNECT, QUERY, QUERY_DDL, QUERY_DML, TABLE) to capture the connections, disconnections, queries, and tables queried; then associate the group with the cluster. These parameters are dynamic, so no restart is needed, which also rules out option A. The resulting audit log can be published to Amazon CloudWatch Logs by enabling the audit log export on the cluster. AWS CloudTrail (option D) is incorrect because it captures only management API calls to the RDS service, not database-level connections, queries, or the tables accessed.