Compliance · Medium severity

AWS Security Hub · Redshift

Redshift.4: Redshift clusters should have audit logging

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.4 check?

Redshift.4 checks the cluster's LoggingProperties and fails when audit logging is not enabled. Audit logging records connection events, user activity, and changes to user definitions, and delivers them to an S3 bucket or to CloudWatch Logs.

Why does Redshift.4 matter?

Logging is the control you most regret not having after the fact. When you need to answer "who touched this table?" or "which credential ran that bulk export?", the audit trail either exists or it doesn't — and a warehouse holds the most aggregated, sensitive data you have. The control maps to NIST 800-53 AU-2/AU-3/AU-10/AU-12 and PCI DSS v4.0.1 requirement 10.2.1.

How do I fix Redshift.4?

  1. Enable audit logging on the cluster, choosing an S3 destination (and CloudWatch Logs for alerting).
  2. Grant Redshift's logging service the bucket permissions it needs to write logs.
  3. Set a sensible retention/lifecycle policy on the log destination.
  4. Stream logs to CloudWatch and alert on anomalous access patterns.

Remediation script · bash

# RDS, not Redshift: enable CloudWatch log export on a flagged RDS instance, then cap retention.
aws rds modify-db-instance \
  --db-instance-identifier prod-orders-pg \
  --cloudwatch-logs-exports-configuration 'EnableLogTypes=["postgresql","upgrade"]' \
  --apply-immediately

aws logs put-retention-policy \
  --log-group-name /aws/rds/instance/prod-orders-pg/postgresql \
  --retention-in-days 90

# Redshift.4 remediation: enable audit logging on the cluster to an S3 bucket whose policy already grants the Redshift logging service write access.
aws redshift enable-logging \
  --cluster-identifier analytics-prod \
  --bucket-name redshift-audit-logs-acct123 \
  --s3-key-prefix analytics-prod/

The full walkthrough (console steps, edge cases and verification) is in the lesson Enable database audit and log exports.
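As an added example (not emnode's code or AWS's), the check logic behind Redshift.4 evaluated over constructed describe-logging-status responses, plus a generator for the bucket policy from step 2; the service-principal policy form, the account ID and the cluster names are assumptions.

```python
"""Evaluate Redshift.4 from DescribeLoggingStatus output and build the S3
bucket policy Redshift needs to write audit logs (added example)."""
import json

def evaluate_redshift4(cluster_id, status):
    """Finding for one cluster; `status` mirrors `describe-logging-status`.
    PASSED only if logging is on and the last delivery succeeded; enabled
    but failing (usually a missing bucket grant) is a WARNING, not a trail."""
    if not status.get("LoggingEnabled"):
        return {"Cluster": cluster_id, "Status": "FAILED",
                "Reason": "audit logging is not enabled"}
    if status.get("LastFailureMessage"):
        return {"Cluster": cluster_id, "Status": "WARNING",
                "Reason": "enabled but last delivery failed: "
                + status["LastFailureMessage"]}
    return {"Cluster": cluster_id, "Status": "PASSED", "Reason":
            "audit logging delivered to " + status.get("LogDestinationType", "s3")}

def audit_bucket_policy(bucket, prefix, account_id, region):
    """Bucket policy for the Redshift logging service (step 2).
    Assumption: service-principal form with aws:SourceAccount/aws:SourceArn
    conditions confining the grant to this account's clusters in one
    region; confirm the exact form against current AWS documentation."""
    scope = {"StringEquals": {"aws:SourceAccount": account_id},
             "ArnLike": {"aws:SourceArn":
                         f"arn:aws:redshift:{region}:{account_id}:cluster:*"}}
    principal = {"Service": "redshift.amazonaws.com"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RedshiftPutAuditLogs", "Effect": "Allow", "Principal": principal,
         "Action": "s3:PutObject", "Condition": scope,
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        {"Sid": "RedshiftReadBucketAcl", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetBucketAcl", "Condition": scope,
         "Resource": f"arn:aws:s3:::{bucket}"}]}

# Constructed responses for three hypothetical clusters; not real account data.
SAMPLE_STATUS = {
    "analytics-prod": {"LoggingEnabled": False},
    "analytics-stage": {"LoggingEnabled": True, "S3KeyPrefix": "analytics-stage/",
                        "LastFailureMessage": "Access Denied: s3:PutObject"},
    "analytics-cw": {"LoggingEnabled": True, "LogDestinationType": "cloudwatch",
                     "LogExports": ["connectionlog", "userlog", "useractivitylog"]},
}

if __name__ == "__main__":
    for cid, st in SAMPLE_STATUS.items():
        print(evaluate_redshift4(cid, st))
    print(json.dumps(audit_bucket_policy("redshift-audit-logs-acct123",
                     "analytics-prod/", "123456789012", "us-east-1"), indent=2))
```

In a real account the `status` dict comes from `aws redshift describe-logging-status --cluster-identifier <name>`; a WARNING result is the case the console check alone misses, because logging is "enabled" yet nothing is landing in the bucket.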

Part of the learning path Tighten your databases
  • Redshift.1 A Redshift cluster is publicly accessible
  • Redshift.2 Connections to Redshift should be encrypted in transit
  • Redshift.3 Redshift clusters should have automatic snapshots
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.7 Redshift clusters should use enhanced VPC routing
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.10 Redshift clusters should be encrypted at rest
  • Redshift.15 Redshift accepts cluster-port traffic from anywhere
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled