turbot/steampipe-mod-aws-compliance

Control: 6 Redshift Serverless namespaces should export logs to CloudWatch Logs

Description

This control checks whether an Amazon Redshift Serverless namespace is configured to export connection and user logs to Amazon CloudWatch Logs. The control fails if the Redshift Serverless namespace isn't configured to export the logs to CloudWatch Logs.

If you configure Amazon Redshift Serverless to export connection log (connectionlog) and user log (userlog) data to a log group in Amazon CloudWatch Logs, you can collect and store your log records in durable storage, which can support security, access, and availability reviews and audits. With CloudWatch Logs, you can also perform real-time analysis of log data and use CloudWatch to create alarms and review metrics.

Remediation

To export log data for an Amazon Redshift Serverless namespace to Amazon CloudWatch Logs, the respective logs must be selected for export in the audit logging configuration settings for the namespace. For information about updating these settings, see Editing security and encryption in the Amazon Redshift Management Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_6 --share

SQL

This control uses a named query:

select
  namespace_arn as resource,
  case
    when log_exports @> '["connectionlog", "userlog"]' then 'ok'
    else 'alarm'
  end as status,
  case
    when log_exports @> '["connectionlog", "userlog"]' then title || ' exports connection and user logs to cloudwatch.'
    when log_exports @> '["connectionlog"]' then title || ' exports only connection logs to cloudwatch.'
    when log_exports @> '["userlog"]' then title || ' exports only user logs to cloudwatch.'
    else title || ' does not export connection and user log to cloudwatch.'
  end as reason,
  region,
  account_id
from
  aws_redshiftserverless_namespace;
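The same status and reason logic, as an added example that is not part of the mod, applied outside Steampipe to namespace records shaped like the `namespaces` list from `aws redshift-serverless list-namespaces` (the sample records below are constructed; the namespace name stands in for the table's `title` column). It also builds the `update-namespace` call that adds the missing exports while keeping any already configured.

```python
import json

# The two log types the control requires (the JSONB containment target in the SQL).
REQUIRED = {"connectionlog", "userlog"}


def evaluate_namespace(ns: dict) -> dict:
    """Reproduce the control's status/reason for one namespace record.

    `log_exports @> '["connectionlog", "userlog"]'` is a JSONB containment test:
    element order and extra entries (e.g. useractivitylog) are irrelevant, so a
    set comparison is equivalent. A missing or null logExports field is treated
    as an empty list, which the SQL likewise reports as 'alarm'.
    """
    exports = set(ns.get("logExports") or [])
    name = ns.get("namespaceName", "<unknown>")
    if REQUIRED <= exports:
        status, reason = "ok", f"{name} exports connection and user logs to cloudwatch."
    elif "connectionlog" in exports:
        status, reason = "alarm", f"{name} exports only connection logs to cloudwatch."
    elif "userlog" in exports:
        status, reason = "alarm", f"{name} exports only user logs to cloudwatch."
    else:
        status, reason = "alarm", f"{name} does not export connection and user log to cloudwatch."
    return {"resource": ns.get("namespaceArn"), "status": status, "reason": reason}


def remediation_command(ns: dict) -> str:
    """Build the update-namespace call that adds the missing exports and keeps existing ones."""
    exports = set(ns.get("logExports") or []) | REQUIRED
    return ("aws redshift-serverless update-namespace "
            f"--namespace-name {ns['namespaceName']} "
            f"--log-exports {' '.join(sorted(exports))}")


# Constructed sample shaped like the "namespaces" list returned by list-namespaces.
SAMPLE_NAMESPACES = json.loads("""[
  {"namespaceName": "reporting", "namespaceArn": "arn:aws:redshift-serverless:us-east-1:111122223333:namespace/reporting",
   "logExports": ["userlog", "useractivitylog", "connectionlog"]},
  {"namespaceName": "analytics", "namespaceArn": "arn:aws:redshift-serverless:us-east-1:111122223333:namespace/analytics",
   "logExports": ["useractivitylog"]},
  {"namespaceName": "staging", "namespaceArn": "arn:aws:redshift-serverless:us-east-1:111122223333:namespace/staging",
   "logExports": ["userlog"]},
  {"namespaceName": "sandbox", "namespaceArn": "arn:aws:redshift-serverless:us-east-1:111122223333:namespace/sandbox"}
]""")

if __name__ == "__main__":
    for ns in SAMPLE_NAMESPACES:
        result = evaluate_namespace(ns)
        print(f"{result['status']:5} {result['reason']}")
        if result["status"] == "alarm":
            print("      remediate:", remediation_command(ns))
```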

Tags