turbot/steampipe-mod-aws-compliance

Control: Redshift Serverless namespaces should export logs to CloudWatch Logs

Description

This control checks whether an Amazon Redshift Serverless namespace is configured to export connection and user logs to Amazon CloudWatch Logs. The control fails if the Redshift Serverless namespace isn't configured to export the logs to CloudWatch Logs.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.redshiftserverless_namespace_export_connection_and_user_log_to_cloudwatch

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.redshiftserverless_namespace_export_connection_and_user_log_to_cloudwatch --share

SQL

This control uses a named query:

select
  namespace_arn as resource,
  case
    when log_exports @> '["connectionlog", "userlog"]' then 'ok'
    else 'alarm'
  end as status,
  case
    when log_exports @> '["connectionlog", "userlog"]' then title || ' exports connection and user logs to cloudwatch.'
    when log_exports @> '["connectionlog"]' then title || ' exports only connection logs to cloudwatch.'
    when log_exports @> '["userlog"]' then title || ' exports only user logs to cloudwatch.'
    else title || ' does not export connection and user log to cloudwatch.'
  end as reason,
  region,
  account_id
from
  aws_redshiftserverless_namespace;
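
The containment test in the query above can be exercised without an AWS connection. The following PostgreSQL query is an added example, not part of the mod: the `sample_namespace` rows and the `missing_log_types` column are constructed for illustration. It shows that `@>` ignores element order and extra log types, and that a NULL `log_exports` falls through to the `else` branch.

```sql
-- Constructed sample rows standing in for aws_redshiftserverless_namespace.
-- Titles and log_exports values are illustrative, not real resources.
with sample_namespace (title, log_exports) as (
  values
    ('ns-both',       '["userlog", "connectionlog"]'::jsonb),
    ('ns-all-three',  '["connectionlog", "userlog", "useractivitylog"]'::jsonb),
    ('ns-connection', '["connectionlog"]'::jsonb),
    ('ns-activity',   '["useractivitylog"]'::jsonb),
    ('ns-empty',      '[]'::jsonb),
    ('ns-null',       null::jsonb)
)
select
  title,
  -- Same status expression as the control's named query.
  case
    when log_exports @> '["connectionlog", "userlog"]' then 'ok'
    else 'alarm'
  end as status,
  -- Hypothetical helper column: the required log types that are not exported.
  -- coalesce() treats a NULL log_exports as "nothing exported".
  (
    select coalesce(jsonb_agg(r.required), '[]'::jsonb)
    from jsonb_array_elements_text('["connectionlog", "userlog"]'::jsonb) as r(required)
    where not coalesce(log_exports ? r.required, false)
  ) as missing_log_types
from
  sample_namespace
order by
  title;
```

The `missing_log_types` column tells a responder which log export to enable on each namespace that the control reports as `alarm`.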

Tags