Redshift Cluster Audit Logging Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RS-006

Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Once enabled, the Amazon Redshift Audit Logging feature starts recording database usage information such as queries performed and connection attempts, logging data that can be extremely useful for security and compliance audits or troubleshooting sessions.


Audit

To determine if audit logging is enabled for your Amazon Redshift clusters, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine and click the Show or Hide Item details icon to show the selected cluster configuration details.

05 In the Backup, Audit Logging and Maintenance section, verify the Audit Logging Enabled status.

If the current status is set to No, database auditing is not enabled for the selected AWS Redshift cluster.

06 Repeat steps no. 4 and 5 to verify the feature status for other Redshift clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all Redshift clusters currently available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--output table \
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

----------------------
|  DescribeClusters  |
+--------------------+
|  cc-cluster        |
|  cc-cluster-dbrd   |
|  cc-cluster-dbwr   |
+--------------------+

03 Run describe-logging-status command (OSX/Linux/UNIX) using the name of the cluster that you want to examine as identifier to get the Audit Logging feature status for the selected Redshift cluster:

aws redshift describe-logging-status \
	--region us-east-1 \
	--cluster-identifier cc-cluster

04 The command output should return the feature's current status (true for enabled and false for disabled):

{
    "LoggingEnabled": false
}

If the LoggingEnabled property value is false, the database auditing is not enabled for the selected AWS Redshift cluster.

05 Repeat steps no. 3 and 4 for each Redshift cluster available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
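The CLI audit above, automated as an added example (this is not Conformity's code): it walks describe-clusters, asks describe-logging-status for each cluster, and repeats per region. The client is any object with boto3's two method names, so a constructed FakeRedshift seeded with the article's sample cluster names stands in for the real client and the script runs offline; against AWS you would pass lambda r: boto3.client("redshift", region_name=r).

```python
"""Report Redshift clusters whose audit logging is disabled (rule RS-006)."""


def clusters_without_audit_logging(redshift):
    """Return identifiers of clusters in one region whose LoggingEnabled is false.

    `redshift` exposes boto3's describe_clusters() and
    describe_logging_status(ClusterIdentifier=...) methods.
    """
    findings = []
    marker = None
    while True:  # describe-clusters is paginated: follow Marker until exhausted
        kwargs = {"Marker": marker} if marker else {}
        page = redshift.describe_clusters(**kwargs)
        for cluster in page["Clusters"]:
            name = cluster["ClusterIdentifier"]
            status = redshift.describe_logging_status(ClusterIdentifier=name)
            if not status.get("LoggingEnabled", False):
                findings.append(name)
        marker = page.get("Marker")
        if not marker:
            return findings


def audit_regions(regions, make_client):
    """Map each region to its non-compliant clusters; make_client(region) builds the client."""
    return {region: clusters_without_audit_logging(make_client(region)) for region in regions}


class FakeRedshift:
    """Constructed stand-in for boto3's Redshift client (assumption: offline demo only)."""

    def __init__(self, logging_by_cluster):
        self._logging = logging_by_cluster

    def describe_clusters(self, **kwargs):
        return {"Clusters": [{"ClusterIdentifier": n} for n in self._logging]}

    def describe_logging_status(self, ClusterIdentifier):
        return {"LoggingEnabled": self._logging[ClusterIdentifier]}


# Constructed sample data: clusters per region and whether audit logging is on.
SAMPLE = {
    "us-east-1": {"cc-cluster": False, "cc-cluster-dbrd": True, "cc-cluster-dbwr": False},
    "eu-west-1": {"cc-cluster-eu": True},
}

if __name__ == "__main__":
    report = audit_regions(SAMPLE, lambda r: FakeRedshift(SAMPLE[r]))
    for region, names in report.items():
        print(region, "non-compliant:", names or "none")
```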

Remediation / Resolution

To modify your Amazon Redshift clusters configuration in order to enable audit logging for the databases provisioned within these clusters, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to modify, then click on its identifier listed in the Cluster column.

05 On the selected cluster configuration page, click the Database dropdown button from the dashboard top menu then click Configure Audit Logging.

06 Inside the Configure Audit Logging dialog box, perform the following actions:

  1. For Enable Audit Logging select Yes.
  2. For S3 Bucket select one of the following options based on your preferences:
    • Select Use Existing to store the log files within an existing S3 bucket and choose the name of this bucket from the Bucket* dropdown list. (Optional) In the S3 Key Prefix box you can provide a unique prefix for the log file names.
    • Select Create New to create a new S3 bucket for log files storage and provide a name for it in the New Bucket Name* box. (Optional) In the S3 Key Prefix box you can provide a unique prefix for the log file names generated by Redshift.
  3. Click Save to enable the feature. The Audit Logging Enabled status should change to Yes.

07 Repeat steps no. 4 - 6 to enable audit logging for other Redshift clusters provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create a new S3 bucket in the selected region for storing the Redshift audit log files:

aws s3api create-bucket \
	--region us-east-1 \
	--bucket aws-redshift-audit-logs

02 The command output should return the new S3 bucket location:

{
    "Location": "/aws-redshift-audit-logs"
}

03 Run enable-logging command (OSX/Linux/UNIX) using the name of the cluster that you want to modify as identifier (see Audit section part II, step no. 2) and the name of the S3 bucket created at the previous step to enable audit logging for the selected Amazon Redshift cluster:

aws redshift enable-logging \
	--region us-east-1 \
	--cluster-identifier cc-cluster \
	--bucket-name aws-redshift-audit-logs

04 The command output should return the Redshift cluster audit logging configuration metadata:

{
    "LoggingEnabled": true,
    "BucketName": "aws-redshift-audit-logs"
}

05 Repeat steps no. 1 - 4 to enable audit logging for other Redshift clusters available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 for other regions.
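The CLI remediation above as an added example (not Conformity's code), with the step the article leaves implicit: before enable-logging succeeds, the target bucket needs a policy allowing the Redshift service to write objects and read the bucket ACL. The policy shape and the redshift.amazonaws.com service principal are assumptions from the current AWS bucket-permission guidance; the FakeAws class is a constructed stand-in for the boto3 S3 and Redshift clients so the example runs offline.

```python
import json


def redshift_audit_log_bucket_policy(bucket):
    """Bucket policy letting the Redshift service deliver audit logs to `bucket`."""
    principal = {"Service": "redshift.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def enable_audit_logging(redshift, s3, cluster, bucket, prefix=""):
    """Attach the bucket policy, enable logging, and return the resulting status.

    `redshift`/`s3` expose boto3's enable_logging, describe_logging_status and
    put_bucket_policy methods (real clients: boto3.client("redshift"/"s3")).
    """
    policy = json.dumps(redshift_audit_log_bucket_policy(bucket))
    s3.put_bucket_policy(Bucket=bucket, Policy=policy)
    redshift.enable_logging(ClusterIdentifier=cluster, BucketName=bucket, S3KeyPrefix=prefix)
    return redshift.describe_logging_status(ClusterIdentifier=cluster)


class FakeAws:
    """Constructed stand-in for both clients; records what was configured."""

    def __init__(self):
        self.policies, self.logging = {}, {}

    def put_bucket_policy(self, Bucket, Policy):
        self.policies[Bucket] = json.loads(Policy)

    def enable_logging(self, ClusterIdentifier, BucketName, S3KeyPrefix=""):
        self.logging[ClusterIdentifier] = {"BucketName": BucketName, "S3KeyPrefix": S3KeyPrefix}

    def describe_logging_status(self, ClusterIdentifier):
        cfg = self.logging.get(ClusterIdentifier)
        return {"LoggingEnabled": cfg is not None, **(cfg or {})}


if __name__ == "__main__":
    aws = FakeAws()
    print(enable_audit_logging(aws, aws, "cc-cluster", "aws-redshift-audit-logs", "rs006/"))
```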

Publication date Sep 16, 2016