Description: 

Amazon Redshift is a data warehouse service. It is a collection of computing resources called nodes, organized into a cluster called a cluster that gives information about connections and user activities in your database. The logs are stored in Amazon S3 buckets.


Rationale:

When auditing is enabled all logs will be stored in Amazon S3 Buckets. These logs help you to monitor the database for security and troubleshooting purposes.


Impact:

Enabling auditing logging provides convenient access with data security features for users responsible for monitoring activities in the database.


Default Value:

Audit logging is not enabled by default in Amazon Redshift. 


Pre-requisites:

  1. Need an S3 bucket to store logs

  2. Should log in as admin or IAM user with required permissions to edit the Redshift settings.


Remediation:


Test Plan:

  1. Sign in to the Amazon Management Console

  2. Go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2/

  3. Click on Clusters, In the left navigation pane

  4. Select the Cluster you need to audit

  5. After selecting the cluster, go to the Properties tab

  6. On the right side, the audit logging status is displayed.
    If you notice it is disabled then follow the implementation steps to enable it.


Using AWS CLI:

To describe logging status for a cluster 

aws redshift describe-logging-status \
    --cluster-identifier <value>


Implementation steps:

  1. Sign in to the Amazon Management Console

  2. Go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2/

  3. Click on Clusters, In the left navigation pane

  4. Select the Cluster for which you need to enable audit logging
  5. After selecting the cluster, go to the Properties tab
  6. Click edit on the right side
  7. From the dropdown menu select Edit Audit Logging

8. After clicking it a pop-up appears. choose Enable. Create a new s3 bucket or use an existing bucket to store the logs.

9. Finally, click Save Changes.



Backout plan:

  1. Sign in to the Amazon Management Console

  2. Go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2/

  3. Click on Clusters, In the left navigation pane

  4. Select the Cluster for which you need to enable audit logging

  5. After selecting the cluster, click on Properties

  6. Click edit on the right side

  7. From the dropdown menu select Edit Audit Logging

  8. After clicking it a pop-up appears. choose Disable and click on save changes


References:

Database audit logging - Amazon Redshift