Profile Applicability:

  • Level 1


Description:

This control ensures that Amazon Redshift audit logging is enabled to capture user activity, connection attempts, and SQL operations. Audit logs provide visibility into actions performed on the cluster, helping administrators monitor activity, detect suspicious behavior, and meet compliance requirements. Audit logs can be exported to Amazon S3 for long-term storage and analysis.


Rationale:

Enabling audit logging on Redshift helps:

  • Track user activities and database changes for accountability and investigations.

  • Identify unauthorized access attempts or unusual query patterns.

  • Support compliance with frameworks such as SOC 2, ISO 27001, HIPAA, and CIS AWS Foundations Benchmark.

Without audit logging, organizations lack visibility into user and system-level activities, increasing the risk of undetected breaches or data misuse.


Impact:

  • Positive Impact: Provides a clear audit trail for Redshift operations. Enhances detection and response capabilities for security events. Supports forensic analysis and compliance reporting.
  • Negative Impact: Slight additional S3 storage cost for log files. Requires ongoing S3 bucket management and access control.


Default Value:

By default, Redshift audit logging is disabled. It must be explicitly enabled to send logs to an S3 bucket.


Pre-Requisite:

  • IAM permissions required:
    • redshift:DescribeClusters
    • redshift:EnableLogging
    • redshift:DescribeLoggingStatus
  • An S3 bucket in the same region as the Redshift cluster, with appropriate permissions for Redshift to write logs.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Redshift → Clusters.

  3. Select the cluster to review.

  4. Under the Properties tab, scroll to Database configurations → Logging.

  5. Verify that:

    • Logging is Enabled.

    • An S3 bucket is specified for log storage.

    • Log destination type is Amazon S3.

  6. If logging is disabled, follow the implementation plan to enable it.


Implementation Plan

Using AWS Console:

  1. Navigate to Amazon Redshift → Clusters → [Your Cluster].

  2. Choose the Properties tab.

  3. Under Database configurations, find the Logging section.

  4. Click Edit.

  5. Select Enable logging.

  6. Choose an existing S3 bucket for log storage (or create a new one).

  7. Specify an S3 key prefix (optional) to organize logs.

  8. Click Save changes.

Audit logs will now be automatically delivered to the specified S3 bucket.
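The Test Plan and Implementation Plan above, expressed as an added Python example (not part of this benchmark) against the Redshift DescribeLoggingStatus and EnableLogging API calls that the listed IAM permissions cover. The cluster names, bucket name and API responses are constructed, and the stand-in client replaces boto3 so the check runs offline.

```python
def logging_findings(status):
    """Return the Test Plan failures for one DescribeLoggingStatus response (empty = pass)."""
    reasons = []
    if not status.get("LoggingEnabled", False):
        reasons.append("logging is disabled")
    # Older responses may omit LogDestinationType; treated as S3 here (assumption).
    dest = status.get("LogDestinationType", "s3")
    if dest != "s3":
        reasons.append(f"log destination is {dest}, not Amazon S3")
    if not status.get("BucketName"):
        reasons.append("no S3 bucket specified for log storage")
    return reasons


def audit_and_remediate(redshift, bucket, prefix, fix=False):
    """Check every cluster (pagination omitted); with fix=True, enable logging on failures.
    `redshift` is a boto3 Redshift client or the offline stand-in below."""
    report = {}
    for cluster in redshift.describe_clusters()["Clusters"]:
        cid = cluster["ClusterIdentifier"]
        reasons = logging_findings(redshift.describe_logging_status(ClusterIdentifier=cid))
        if reasons and fix:
            # Implementation Plan steps 5-8: enable logging to S3 under a key prefix.
            redshift.enable_logging(ClusterIdentifier=cid, BucketName=bucket,
                                    S3KeyPrefix=prefix, LogDestinationType="s3")
        report[cid] = reasons
    return report


# Constructed sample responses, not captured from a real account.
SAMPLE_STATUS = {
    "prod-analytics": {"LoggingEnabled": True, "BucketName": "example-audit-logs",
                       "S3KeyPrefix": "redshift/", "LogDestinationType": "s3"},
    "dev-scratch": {"LoggingEnabled": False},
    "bi-cloudwatch": {"LoggingEnabled": True, "LogDestinationType": "cloudwatch"},
}


class FakeRedshiftClient:
    """Stand-in for boto3.client('redshift') so the example runs offline."""
    def __init__(self):
        self.enable_calls = []
    def describe_clusters(self):
        return {"Clusters": [{"ClusterIdentifier": c} for c in SAMPLE_STATUS]}
    def describe_logging_status(self, ClusterIdentifier):
        return SAMPLE_STATUS[ClusterIdentifier]
    def enable_logging(self, **kwargs):
        self.enable_calls.append(kwargs)
```

Against a real account, replace `FakeRedshiftClient()` with `boto3.client("redshift", region_name=...)` and run `audit_and_remediate(client, bucket, prefix)` first without `fix=True` to review the report before enabling anything.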


Backout Plan

Using AWS Console:

  1. Go to Amazon Redshift → Clusters → [Your Cluster].

  2. Under Database configurations → Logging, choose Edit.

  3. Uncheck Enable logging and save changes.


References: