@sudharsans
Last active November 20, 2020 14:02
Custom Lambda function that enables RDS log types so the logs are published to Amazon CloudWatch Logs
---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Custom resource backed by the EnableRDSLogs Lambda function. CloudFormation
  # invokes the function named in ServiceToken on create, update and delete of
  # this resource and passes the remaining properties in ResourceProperties.
  EnableLogs:
    Type: Custom::EnableLogs
    Version: '1.0'
    Properties:
      # NOTE(review): "acc" appears to stand in for the AWS account ID; replace
      # the whole ARN with the ARN of the deployed function.
      ServiceToken: arn:aws:lambda:us-east-1:acc:function:rds-EnableRDSLogs-1O6XLL6LWNR5Z
      # Identifier of the DB instance whose log exports are toggled.
      DBInstanceIdentifier: mydb
Outputs:
  # "SUCCESS" or "FAILED", as set by the handler in its response data.
  Status:
    Value: !GetAtt EnableLogs.Data
import json
import cfnresponse
import boto3
from botocore.exceptions import ClientError
# Module-level RDS client, created once at import time and used by handler().
client = boto3.client("rds")
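def handler(event, context):
    """Toggle CloudWatch Logs export on an RDS instance for a custom resource.

    Reads ``DBInstanceIdentifier`` from ``event['ResourceProperties']``. A
    ``Delete`` request disables export of the listed log types; every other
    request type enables it. The outcome is always reported to CloudFormation
    through ``cfnresponse.send``, with ``Data`` set to "SUCCESS" or "FAILED".

    Args:
        event: Custom-resource request passed in by CloudFormation.
        context: Lambda context object, forwarded to ``cfnresponse.send``.
    """
    # These names match the MySQL/MariaDB-family export types; other engines
    # use different names -- confirm against the target instance's engine.
    log_types = ['audit', 'error', 'general', 'slowquery']

    # Start from FAILED so that every exit path reports a definite status.
    responseData = {'Data': "FAILED"}
    status = cfnresponse.FAILED
    request_type = None
    try:
        request_type = event['RequestType']
        DBInstanceIdentifier = event['ResourceProperties']['DBInstanceIdentifier']
        if request_type == "Delete":
            # NOTE(review): removing the custom resource turns the audit and
            # error log export off again, which reduces visibility into the
            # instance; confirm that this is the intended teardown behaviour.
            logs_status = {'DisableLogTypes': log_types}
        else:
            logs_status = {'EnableLogTypes': log_types}
        client.modify_db_instance(
            DBInstanceIdentifier=DBInstanceIdentifier,
            ApplyImmediately=True,
            CloudwatchLogsExportConfiguration=logs_status)
        responseData['Data'] = "SUCCESS"
        status = cfnresponse.SUCCESS
    except ClientError as e:
        error_code = e.response.get('Error', {}).get('Code')
        if request_type == "Delete" and error_code == 'DBInstanceNotFound':
            # The instance is already gone, so there is nothing left to
            # disable; failing here would leave the stack in DELETE_FAILED.
            print("DB instance not found on delete, nothing to disable: %s" % e)
            responseData['Data'] = "SUCCESS"
            status = cfnresponse.SUCCESS
        else:
            print("Unexpected error: %s" % e)
    except Exception as e:
        # A malformed event (missing key) or any other failure must still be
        # answered; otherwise CloudFormation waits until the resource times out.
        print("Unexpected error: %s" % e)
    finally:
        cfnresponse.send(event, context, status, responseData, "CustomResourcePhysicalID")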
---
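AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Execution role assumed by the Lambda function defined below.
  LambdaExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub 'Enable-Role'
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
  RolePolicies:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "LambdaExecutionRole-policy"
      Roles:
        - Ref: "LambdaExecutionRole"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # NOTE(review): rds:ModifyDBInstance on "*" lets this role change any
          # setting of any DB instance in the account, not only log exports.
          # Scope Resource to the ARNs of the instances this function manages.
          - Effect: Allow
            Action:
              - rds:ModifyDBInstance
            Resource:
              - "*"
          # NOTE(review): the logging permissions are also granted on "*";
          # they can be limited to this function's own log group.
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              - "*"
  # Lambda function backing the Custom::EnableLogs resource.
  EnableRDSLogs:
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: "index.handler"
      Role:
        Fn::GetAtt:
          - "LambdaExecutionRole"
          - "Arn"
      Code:
        ZipFile: |
          import json
          import cfnresponse
          import boto3
          from botocore.exceptions import ClientError
          client = boto3.client("rds")
          def handler(event, context):
              """Enable (or, on Delete, disable) RDS log export to CloudWatch Logs."""
              log_types = ['audit', 'error', 'general', 'slowquery']
              # Start from FAILED so every exit path reports a definite status.
              responseData = {'Data': "FAILED"}
              status = cfnresponse.FAILED
              request_type = None
              try:
                  request_type = event['RequestType']
                  DBInstanceIdentifier = event['ResourceProperties']['DBInstanceIdentifier']
                  if request_type == "Delete":
                      logs_status = {'DisableLogTypes': log_types}
                  else:
                      logs_status = {'EnableLogTypes': log_types}
                  client.modify_db_instance(
                      DBInstanceIdentifier=DBInstanceIdentifier,
                      ApplyImmediately=True,
                      CloudwatchLogsExportConfiguration=logs_status)
                  responseData['Data'] = "SUCCESS"
                  status = cfnresponse.SUCCESS
              except ClientError as e:
                  error_code = e.response.get('Error', {}).get('Code')
                  if request_type == "Delete" and error_code == 'DBInstanceNotFound':
                      # Instance already gone: nothing to disable, let the delete finish.
                      print("DB instance not found on delete, nothing to disable: %s" % e)
                      responseData['Data'] = "SUCCESS"
                      status = cfnresponse.SUCCESS
                  else:
                      print("Unexpected error: %s" % e)
              except Exception as e:
                  # Always answer CloudFormation, otherwise the stack waits for a timeout.
                  print("Unexpected error: %s" % e)
              finally:
                  cfnresponse.send(event, context, status, responseData, "CustomResourcePhysicalID")
      # python3.6 is no longer accepted for new Lambda functions.
      Runtime: "python3.12"
      # The default timeout is 3 seconds; leave room for the RDS call and the
      # response to CloudFormation.
      Timeout: 30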