Aurva

AWS RDS DAM

Enable Database Activity Monitoring for AWS RDS databases via audit logs.

Overview

Amazon RDS does not support kernel-level agents like eBPF, so Aurva captures activity through RDS's native audit log facility. The Aurva Controller running in your Data Plane periodically pulls audit log files from RDS, stages them in S3, and processes them into the structured query events you see in the Audit Trail.

Architecture

The Aurva Controller runs two dedicated threads against each monitored RDS instance:

  1. Log Exporter — calls the AWS RDS API (rds.<region>.amazonaws.com) to enumerate and download new audit log files, then uploads them to a staging S3 bucket via the S3 API.
  2. Log Parser — reads files from S3, extracts queries, source IPs, and database users, and forwards the structured results to the Aurva Control Plane for storage, alerting, and visualization.

At normal load Aurva makes fewer than 1 RDS API call per second, even at scale: monitoring 100 databases produces roughly 206 API calls every 5 minutes.
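As an illustration of the Log Parser step described above, the following example extracts the query, source IP, and database user from PostgreSQL pgaudit lines. It is an added example, not Aurva's code; it assumes the log_line_prefix `%t:%r:%u@%d:[%p]:` on TCP connections with one record per line, and the function names and sample lines are constructed for illustration.

```python
import csv
import re

# Assumed RDS PostgreSQL log_line_prefix "%t:%r:%u@%d:[%p]:", giving
# "<time>:<client ip>(<port>):<user>@<db>:[<pid>]:LOG:  AUDIT: <pgaudit csv>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w+):"
    r"(?P<source_ip>[^(]*)\(\d+\):"
    r"(?P<db_user>[^@]*)@(?P<database>[^:]*):\[\d+\]:"
    r"LOG:\s+AUDIT: (?P<audit>.*)$"
)
# Field order of a pgaudit record.
PGAUDIT_FIELDS = ["audit_type", "statement_id", "substatement_id", "class",
                  "command", "object_type", "object_name", "statement",
                  "parameter"]


def parse_pgaudit_line(line):
    """Return one structured event, or None if the line is not a pgaudit record."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Statements containing commas or quotes are CSV-quoted, so a real CSV
    # reader is needed here; str.split(",") would cut the query apart.
    fields = next(csv.reader([m.group("audit")]))
    if len(fields) < len(PGAUDIT_FIELDS):
        return None  # truncated or malformed record
    event = dict(zip(PGAUDIT_FIELDS, fields))  # extra trailing fields ignored
    event.update(timestamp=m.group("ts"), source_ip=m.group("source_ip"),
                 db_user=m.group("db_user"), database=m.group("database"))
    return event


def parse_log(lines):
    """Parse an iterable of log lines, keeping only audit events."""
    return [e for e in map(parse_pgaudit_line, lines) if e is not None]


# Constructed sample lines, not real log data.
SAMPLE_LOG = [
    '2024-05-01 10:15:02 UTC:10.0.3.17(51234):app_rw@orders:[4021]:LOG:  AUDIT: SESSION,7,1,READ,SELECT,,,"SELECT id, email FROM customers WHERE id = 42",<not logged>',
    '2024-05-01 10:15:03 UTC:10.0.3.17(51234):app_rw@orders:[4021]:LOG:  connection authorized: user=app_rw database=orders',
    '2024-05-01 10:15:09 UTC:203.0.113.8(40022):postgres@orders:[4188]:LOG:  AUDIT: SESSION,1,1,WRITE,DELETE,,,DELETE FROM customers WHERE id = 42,<not logged>',
]

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["timestamp"], ev["source_ip"], ev["db_user"],
              ev["class"], ev["statement"])
```
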

AWS API Usage

Field                 Value
API base URL          rds.<region>.amazonaws.com
API endpoints used    v13/downloadCompleteLogFile, v13/describeDBLogFiles
Aurva rate limit      Maximum 3 calls per 5 minutes per pod
AWS service limit     10 requests per second (well above Aurva's usage)

Prerequisites

  • The Aurva Data Plane must already be deployed in the same AWS account or in an account with cross-account access. See Data Plane on AWS EKS or Data Plane on AWS VMs (Terraform).
  • The IAM role assumed by the Data Plane must include the RDS log access permissions documented in AWS IAM Permissions for the Data Plane.
  • RDS audit logging must be enabled on each target instance via the appropriate parameter group (e.g., rds.force_admin_logging_level, general_log, pgaudit.log).

Enable RDS Monitoring

  1. Confirm audit logging is enabled on the RDS instance and the relevant log group is being written to.
  2. In the Aurva console, open Settings → Monitoring Configuration and click + Add Asset to Monitor.
  3. Select the RDS instance and choose Cloud Log Exporter as the collection method.
  4. Configure the storage policy. See Monitoring Configuration for the full reference.

Within a few minutes the new asset should report a healthy status and queries should begin appearing in the Audit Trail.