Open menu
-->

Redshift Cluster Audit Logging Enabled

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Medium (should be achieved)

Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes.

This rule resolution is part of the Cloud Conformity Security Package

Once enabled, the Amazon Redshift Audit Logging feature starts recoding database usage information such as queries performed and connection attempts, logging data that can be extremely useful for security and compliance audits or troubleshooting sessions.

Audit

To determine if audit logging is enabled for your Amazon Redshift clusters, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine and click the Show or Hide Item details icon:

Cluster column

to show the selected cluster configuration details.

05 In the Backup, Audit Logging and Maintenance section, verify the Audit Logging Enabled status:

In the Backup, Audit Logging and Maintenance section, verify the Audit Logging Enabled status

If the current status is set to No the database auditing is not enabled for the selected AWS Redshift cluster.

06 Repeat step no. 4 and 5 to verify the feature status for other Redshift clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all Redshift clusters currently available in the selected region:

aws redshift describe-clusters
	--region us-east-1
	--output table
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

----------------------
|  DescribeClusters  |
+--------------------+
|  cc-cluster        |
|  cc-cluster-dbrd   |
|  cc-cluster-dbwr   |
+--------------------+

03 Run describe-logging-status command (OSX/Linux/UNIX) using the name of the cluster that you want to examine as identifier to get the Audit Logging feature status for the selected Redshift cluster:

aws redshift describe-logging-status
	--region us-east-1
	--cluster-identifier cc-cluster

04 The command output should return the feature current status (true for enabled and false for disabled):

{
    "LoggingEnabled": false
}

If the LoggingEnabled property value is false, the database auditing is not enabled for the selected AWS Redshift cluster.

05 Repeat step no. 3 and 4 for each Redshift cluster available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To modify your Amazon Redshift clusters configuration in order to enable audit logging for the databases provisioned within these clusters, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to modify then click on its identifier:

Cluster Column

listed in the Cluster column.

05 On the selected cluster configuration page, click the Database dropdown button from the dashboard top menu then click Configure Audit Logging.

06 Inside the Configure Audit Logging dialog box, perform the following actions:

  1. For Enable Audit Logging select Yes.
  2. For S3 Bucket select one of the following options based on your preferences:
    • Select Use Existing to store the log files within an existing S3 bucket and choose the name of this bucket from the Bucket* dropdown list. (Optional) In the S3 Key Prefix box you can provide a unique prefix for the log file names.
    • Select Create New to create a new S3 bucket for log files storage and provide a name for it in the New Bucket Name* box. (Optional) In the S3 Key Prefix box you can provide a unique prefix for the log file names generated by Redshift.
  3. Click Save to enable the feature. The Audit Logging Enabled status should change to Yes.

07 Repeat steps no. 4 - 6 to enable audit logging for other Redshift clusters provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to expose all SQS queues available in the selected region and their URLs:

aws s3api create-bucket
	--region us-east-1
	--bucket aws-redshift-audit-logs

02 The command output should return the new S3 bucket location:

{
    "Location": "/aws-redshift-audit-logs"
}

03 Run enable-logging command (OSX/Linux/UNIX) using the name of the cluster that you want to modify as identifier (see Audit section part II, step no. 2) and the S3 bucket location returned at the previous step to enable audit logging for the selected Amazon Redshift cluster:

aws aws redshift enable-logging
	--region us-east-1
	--cluster-identifier cc-cluster
	--bucket-name aws-redshift-audit-logs

04 The command output should return the Redshift cluster audit logging configuration metadata:

{
    "LoggingEnabled": true,
    "BucketName": "aws-redshift-audit-logs"
}

05 Repeat steps no. 1 - 4 to enable audit logging for other Redshift clusters available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 for other regions.

References

Publication date Sep 16, 2016