Ensure AWS Redshift database has audit logging enabled

Error: AWS Redshift database does not have audit logging enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_12
Checkov Check ID: CKV_AWS_71
Severity: MEDIUM

AWS Redshift database does not have audit logging enabled

Description

Amazon Redshift can record connections, authentication attempts and user activity in your database: the connection log, the user log and the user activity log. These logs let you monitor the database for security and troubleshooting purposes, a process often referred to as database auditing. They are delivered to an Amazon S3 bucket (or, on newer clusters, to CloudWatch Logs) so that the people responsible for monitoring the database can read them without needing access to the cluster itself, and can protect them with the usual S3 access controls.

Enabling audit logging on a Redshift cluster captures who connected, from where, and whether the attempt succeeded, which is what security and incident response workflows need when reconstructing access to the data. Note that the user activity log (the SQL statements each user ran) is only produced when the enable_user_activity_logging parameter is set to true in the cluster's parameter group; enabling audit logging alone delivers the connection and user logs.

Fix - Runtime

AWS Console

To enable Redshift to S3 bucket logging using the AWS Management Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Redshift console.
  3. On the navigation menu, choose Clusters, then choose the cluster that you want to update.
  4. Choose the Maintenance and Monitoring tab. Then view the Audit logging section.
  5. Choose Edit.
  6. On the Configure audit logging page, select Enable audit logging and specify where the logs are to be delivered.
  7. Choose Confirm.

Fix - Buildtime

Terraform

  • Resource: aws_redshift_cluster
  • Argument: logging/enable is set to true. When the logs are delivered to S3 (the default destination), bucket_name must also be set to a bucket that grants Redshift write access. In recent AWS provider releases the inline logging block is deprecated in favour of the standalone aws_redshift_logging resource; the check reads the inline block.
    An example Terraform definition of an Amazon Redshift cluster with audit logging enabled, resolving the violation:
resource "aws_redshift_cluster" "default" {
    ...
    cluster_type       = "single-node"
+   logging {
+     enable      = true
+     bucket_name = "your_bucket"   # S3 bucket whose policy allows Redshift to write
+   }
}

CloudFormation

  • Resource: AWS::Redshift::Cluster
  • Argument: Properties.LoggingProperties.BucketName is set to the S3 bucket that receives the logs.
    An example CloudFormation definition of an Amazon Redshift cluster with audit logging enabled, resolving the violation:
Type: "AWS::Redshift::Cluster"
Properties:
  ...
+ LoggingProperties:
+   BucketName: "your_bucket"
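The condition this policy enforces can be checked outside Checkov too, for instance in a pre-commit hook over parsed templates or in a runtime audit over the `aws redshift describe-logging-status` response. The following is an added example, not Checkov's own implementation of CKV_AWS_71: it evaluates the same Terraform and CloudFormation shapes shown above plus the describe-logging-status response, and is deliberately stricter than the policy in that it also demands a bucket_name / BucketName when logs go to S3 (the provider requires one there). The input dictionaries are constructed for the example; the resource and response field names (logging, enable, bucket_name, log_destination_type, LoggingProperties, LoggingEnabled, LogDestinationType) are the real Terraform, CloudFormation and API names.

```python
"""Evaluate the CKV_AWS_71 condition (Redshift audit logging enabled) over
three representations of a cluster. Added example, not Checkov's own code."""
from typing import Any, Dict


def _truthy(value: Any) -> bool:
    """Terraform booleans arrive as bool, or as "true"/"false" strings when quoted."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def terraform_logging_enabled(resource: Dict[str, Any]) -> bool:
    """Check one aws_redshift_cluster body (HCL parsed to JSON; nested blocks are lists)."""
    block = resource.get("logging")
    if isinstance(block, list):
        block = block[0] if block else None
    if not isinstance(block, dict) or not _truthy(block.get("enable")):
        return False
    # enable alone is what CKV_AWS_71 looks for; this stricter variant also
    # requires a bucket unless logs are sent to CloudWatch Logs instead of S3.
    if block.get("log_destination_type", "s3") == "s3":
        return bool(block.get("bucket_name"))
    return True


def cloudformation_logging_enabled(resource: Dict[str, Any]) -> bool:
    """Check one AWS::Redshift::Cluster resource (template parsed from YAML/JSON)."""
    if resource.get("Type") != "AWS::Redshift::Cluster":
        return False
    props = resource.get("Properties") or {}
    logging = props.get("LoggingProperties") or {}
    if logging.get("LogDestinationType") == "cloudwatch":
        return True
    return bool(logging.get("BucketName"))


def runtime_logging_enabled(status: Dict[str, Any]) -> bool:
    """Check the JSON returned by `aws redshift describe-logging-status`."""
    if not status.get("LoggingEnabled"):
        return False
    if status.get("LogDestinationType", "s3") == "s3":
        return bool(status.get("BucketName"))
    return True


# Constructed sample inputs (not captured from a real account or repository).
TF_SAMPLES = {
    "no_logging_block": {"cluster_type": "single-node"},
    "enable_false": {"logging": [{"enable": False}]},
    "enable_without_bucket": {"logging": [{"enable": True}]},
    "quoted_enable_with_bucket": {"logging": [{"enable": "true", "bucket_name": "redshift-audit-logs"}]},
    "cloudwatch_destination": {"logging": [{"enable": True, "log_destination_type": "cloudwatch",
                                            "log_exports": ["connectionlog", "userlog", "useractivitylog"]}]},
}
CFN_SAMPLES = {
    "no_logging_properties": {"Type": "AWS::Redshift::Cluster", "Properties": {"NodeType": "dc2.large"}},
    "bucket_set": {"Type": "AWS::Redshift::Cluster",
                   "Properties": {"LoggingProperties": {"BucketName": "redshift-audit-logs", "S3KeyPrefix": "audit/"}}},
    "wrong_resource_type": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "redshift-audit-logs"}},
}
RUNTIME_SAMPLES = {
    "disabled": {"LoggingEnabled": False},
    "enabled_s3": {"LoggingEnabled": True, "BucketName": "redshift-audit-logs", "S3KeyPrefix": "audit/",
                   "LogDestinationType": "s3"},
    "enabled_cloudwatch": {"LoggingEnabled": True, "LogDestinationType": "cloudwatch",
                           "LogExports": ["connectionlog", "userlog"]},
}


def evaluate_samples() -> Dict[str, Dict[str, bool]]:
    """Run every sample through the matching check; True means the policy passes."""
    return {
        "terraform": {name: terraform_logging_enabled(r) for name, r in TF_SAMPLES.items()},
        "cloudformation": {name: cloudformation_logging_enabled(r) for name, r in CFN_SAMPLES.items()},
        "runtime": {name: runtime_logging_enabled(r) for name, r in RUNTIME_SAMPLES.items()},
    }


if __name__ == "__main__":
    for kind, results in evaluate_samples().items():
        for name, ok in results.items():
            print(f"{kind:15} {name:28} {'PASSED' if ok else 'FAILED'}")
```

At runtime the same fields come from `aws redshift describe-logging-status --cluster-identifier <id>`, so `runtime_logging_enabled` can be fed that command's output directly; the remediation counterpart is `aws redshift enable-logging --cluster-identifier <id> --bucket-name <bucket>`, which is what the console steps above do.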