Amazon RDS SQL Audit
Published 21 October 2025
For Redgate Monitor to use SQL Audit on an Amazon RDS instance, some setup must first be completed as per AWS's guidelines. The steps are below, with links to AWS's website for further information and our own observations.
Setup
Create an S3 bucket
The first step is to Create a New S3 Bucket, if you do not have one already, as the bucket is requested when we create the Option Group. The default settings can usually be left as they are, but it is important that the bucket's region matches the database's, that the bucket is not open to the public, and that Object Lock is left as Disable. There is more information on this page about configuring S3 buckets for SQL Audit.
Create an Option Group
Next, we need to Create an Option Group. These are the important steps:
- Keep a note of the following information: the Engine being used and its Engine Version.
- Set the Option name to SQLSERVER_AUDIT and the S3 Bucket to our bucket of choice (the one created above or a pre-existing one).
- For the IAM role, select Create a new role and give it a name. It is easier to create it here, as the option group will create a custom role with the necessary information in it.
- We recommend selecting Enable compression and Enable retention. Without retention enabled, the audit logs will be deleted immediately after they are offloaded from the RDS instance.
Adding the Option Group to an instance
The option group is now ready to be added to your instance. This can either be done through the Modify option on an existing instance or applied when creating a new one.
More information can be found in AWS's own documentation on Auditing Amazon RDS for SQL Server DB instances, SQL Server Audit and S3 bucket pricing.
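As a check on the setup steps above, this added example (not Redgate's or AWS's code) compares settings shaped like the JSON output of the AWS CLI's describe-option-groups, get-bucket-location, get-public-access-block and get-object-lock-configuration commands against the requirements on this page. The bucket, role and account values are constructed, and the option setting names (S3_BUCKET_ARN, IAM_ROLE_ARN, RETENTION_TIME, ENABLE_COMPRESSION) are the ones AWS uses for SQLSERVER_AUDIT, which this page does not list.

```python
# Added example. Inputs are shaped like AWS CLI JSON output; all values are constructed.
PUBLIC_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
def audit_settings(option_group):
    """Return the SQLSERVER_AUDIT option settings as a dict, or None if the option is absent."""
    for opt in option_group.get("Options", []):
        if opt.get("OptionName") == "SQLSERVER_AUDIT":
            return {s["Name"]: s.get("Value") for s in opt.get("OptionSettings", [])}
    return None

def check_audit_setup(db_region, bucket, location, public_block, object_lock, option_group):
    """Compare collected settings with the setup steps; return a list of findings."""
    findings = []
    # get-bucket-location reports us-east-1 as a null LocationConstraint.
    region = location.get("LocationConstraint") or "us-east-1"
    if region != db_region:
        findings.append(f"bucket region {region} != database region {db_region}")
    pab = (public_block or {}).get("PublicAccessBlockConfiguration", {})
    off = [f for f in PUBLIC_FLAGS if not pab.get(f)]  # conservative: all four must be on
    if off:
        findings.append("public access not fully blocked: " + ", ".join(off))
    lock = (object_lock or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") == "Enabled":
        findings.append("Object Lock is enabled")
    settings = audit_settings(option_group)
    if settings is None:
        return findings + ["option group has no SQLSERVER_AUDIT option"]
    arn = settings.get("S3_BUCKET_ARN") or ""
    if arn.split(":::", 1)[-1].split("/", 1)[0] != bucket:
        findings.append(f"option targets {arn or 'no bucket'}, expected {bucket}")
    if not settings.get("IAM_ROLE_ARN"):
        findings.append("no IAM role set on the option")
    retention = str(settings.get("RETENTION_TIME") or "0")
    if not retention.isdigit() or int(retention) == 0:
        findings.append("retention is not enabled")
    if str(settings.get("ENABLE_COMPRESSION")).lower() != "true":
        findings.append("compression is not enabled")
    return findings

def sample_group(settings):  # builds a constructed describe-option-groups entry
    return {"Options": [{"OptionName": "SQLSERVER_AUDIT",
            "OptionSettings": [{"Name": k, "Value": v} for k, v in settings.items()]}]}
GOOD = sample_group({"S3_BUCKET_ARN": "arn:aws:s3:::example-audit-bucket/audit",
                     "IAM_ROLE_ARN": "arn:aws:iam::111122223333:role/example-audit-role",
                     "RETENTION_TIME": "48", "ENABLE_COMPRESSION": "true"})
BLOCKED = {"PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_FLAGS, True)}

if __name__ == "__main__":
    print(check_audit_setup("eu-west-1", "example-audit-bucket",
                            {"LocationConstraint": "eu-west-1"}, BLOCKED, None, GOOD))
```

An empty list means the collected settings match the steps; each string in a non-empty list names one setting to revisit.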
SQL Audit setup on Redgate Monitor
Please refer to the Permission Changes page and Permissions required to monitor SQL Server page for further information on permissions required, including giving permissions to other roles.