🛡️ AWS Redshift Cluster Audit Logging is not enabled🟢

• Contextual name: 🛡️ Cluster Audit Logging is not enabled🟢
• ID: /ce/ca/aws/redshift/cluster-audit-logging
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Redshift Cluster
  • 🔌 AWS Redshift Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Redshift.4] Amazon Redshift clusters should have audit logging enabled
• Cloud Conformity: Redshift Cluster Audit Logging Enabled

Description

Open File

Description

This policy identifies AWS Redshift Clusters that do not have audit logging enabled. Audit logging allows you to track information about connections, user activity, and engine performance.

Rationale

Enabling audit logging is a security best practice for data warehouses. It provides detection of unauthorized access attempts or suspicious query patterns. Investigating performance issues or unexpected changes to the database schema.

Without audit logging, there is no historical record of who accessed the data or what actions were performed within the cluster.

Audit

This policy flags an AWS Redshift Cluster as INCOMPLIANT if Logging is not Enabled.

Remediation

Open File

Remediation

Enable Audit Logging

To enable audit logging for an Amazon Redshift cluster, update the cluster configuration to export database audit logs to Amazon S3 or Amazon CloudWatch Logs. Audit logging captures connection activity and user actions, supporting security monitoring, compliance, and operational troubleshooting.

From the AWS Management Console

1. Sign in to the AWS Management Console and open the Amazon Redshift console

2. From the navigation pane, choose Clusters, then select the Redshift cluster you want to modify.

3. Choose the Properties tab.

4. In the Database configurations section, choose Edit, then select Edit audit logging.

5. On the Edit audit logging page:

   • Choose Turn on.

   • Select a log destination:

     • Amazon S3, or
     • Amazon CloudWatch Logs (recommended for centralized logging, simplified administration, and log analysis).

   • Select the log types to export.

6. Choose Save changes to apply the configuration.

From the Command Line

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.4] Amazon Redshift clusters should have audit logging enabled			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			75		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	31		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			15		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		73		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	56		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			23		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		27		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			31		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			50		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			65		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			178		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			27		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			50		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			179		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			46		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	24		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		26		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		15		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	73		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		27		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			11		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			16		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	33		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		32		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	32		no data