
How do I turn on audit logging in Amazon Redshift and Amazon Redshift Serverless?


I want to turn on audit logging for my Amazon Redshift provisioned cluster or Amazon Redshift Serverless.

Short description

Amazon Redshift database audit logging preserves the following types of information:

  • Connection logs that log authentication attempts, connections, and disconnections.
  • User logs that log information about changes to database user definitions.
  • User activity logs that log each query before it's run on the database.

Note: To record user activity logs for an Amazon Redshift provisioned cluster, make sure that you set up the parameter group as described in the Resolution section.

For an Amazon Redshift provisioned cluster, the logs can be stored in an Amazon Simple Storage Service (Amazon S3) bucket or in Amazon CloudWatch. For Amazon Redshift Serverless, the logs can be stored only in CloudWatch.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Turn on audit logging in an Amazon Redshift provisioned cluster

Complete the following steps:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Clusters, and then choose the cluster you want to update.
  3. Choose the Properties tab.
  4. On the Database configurations panel, choose Edit, and then choose Edit audit logging.
  5. For Edit audit logging, choose Turn on, and then select S3 bucket or CloudWatch.
  6. Choose Save changes.

Or, to turn on audit logging from the AWS CLI, run the enable-logging command.

Note: There might be a delay before logs appear in the S3 bucket or CloudWatch. Check the Last successful delivery date and time in the cluster properties to see when logs were last delivered.

Parameter group for user activity logs

To record user activity logs, make sure that you set the enable_user_activity_logging parameter to true in the cluster parameter group that's attached to the Amazon Redshift cluster.

If you turn on audit logging but don't turn on the enable_user_activity_logging parameter in the parameter group, then the database audit logs contain only the connection log and the user log. Amazon Redshift doesn't store the user activity log.

Note: When you create an Amazon Redshift cluster, it's automatically associated with the default parameter group. In the default parameter group, enable_user_activity_logging is set to false, and the default parameter group can't be modified directly.

To turn on the enable_user_activity_logging parameter, create a new parameter group, and then modify the new parameter group to set enable_user_activity_logging to true.

To associate the new parameter group to the cluster, complete the following steps:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Clusters.
  3. Select the cluster that you want to modify.
  4. Choose Properties.
  5. In the Parameter group section, choose Edit.
  6. Choose the new parameter group from the list.
  7. Choose Save changes.
  8. Restart the cluster for the updated parameter values to take effect.
    Note: Changes aren't applied if your cluster restarts during maintenance. For more information, see Amazon Redshift parameter groups.
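The provisioned-cluster procedure above, carried out with the AWS CLI instead of the console, as an added example that is not part of the AWS article. It assumes the cluster and the S3 bucket already exist, that the bucket policy already allows Redshift log delivery, and that the cluster, parameter group, bucket and prefix names are placeholders; the Serverless path uses update-namespace instead.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): turn on audit logging for a
# provisioned cluster with the AWS CLI. Placeholders: my-cluster, audit-pg,
# my-audit-log-bucket, redshift-audit/. Assumes the cluster and bucket exist
# and the bucket policy permits Redshift log delivery.
set -eu

# Create a custom parameter group (the default one can't be edited) and set
# enable_user_activity_logging=true so user activity logs are recorded.
create_audit_parameter_group() {
  pg="$1"
  aws redshift create-cluster-parameter-group \
    --parameter-group-name "$pg" \
    --parameter-group-family redshift-1.0 \
    --description "Audit logging with user activity logging enabled"
  aws redshift modify-cluster-parameter-group \
    --parameter-group-name "$pg" \
    --parameters ParameterName=enable_user_activity_logging,ParameterValue=true
}

# Attach the parameter group, turn on log delivery to S3, and reboot so the
# parameter change takes effect (it is not applied without a restart).
enable_cluster_audit_logging() {
  cluster="$1"; pg="$2"; bucket="$3"; prefix="$4"
  aws redshift modify-cluster \
    --cluster-identifier "$cluster" \
    --cluster-parameter-group-name "$pg"
  aws redshift enable-logging \
    --cluster-identifier "$cluster" \
    --bucket-name "$bucket" \
    --s3-key-prefix "$prefix"
  aws redshift reboot-cluster --cluster-identifier "$cluster"
}

# Verify both halves of the setup: logging status (including the last
# successful delivery time) and the effective parameter value.
verify_audit_logging() {
  cluster="$1"; pg="$2"
  aws redshift describe-logging-status --cluster-identifier "$cluster" \
    --query '{Enabled:LoggingEnabled,Bucket:BucketName,LastDelivery:LastSuccessfulDeliveryTime}' \
    --output table
  aws redshift describe-cluster-parameters --parameter-group-name "$pg" \
    --query "Parameters[?ParameterName=='enable_user_activity_logging'].ParameterValue" \
    --output text
}

# Safety switch: only touch the account when REDSHIFT_AUDIT_APPLY=1 is set.
if [ "${REDSHIFT_AUDIT_APPLY:-0}" = "1" ]; then
  create_audit_parameter_group audit-pg
  enable_cluster_audit_logging my-cluster audit-pg my-audit-log-bucket redshift-audit/
  verify_audit_logging my-cluster audit-pg
fi
```

Run it with REDSHIFT_AUDIT_APPLY=1 against your own account; the last command should print true for enable_user_activity_logging, and LastDelivery fills in once the first logs are delivered.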

Turn on audit logging for Amazon Redshift Serverless

Complete the following steps:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Redshift Serverless, and then choose Serverless dashboard.
  3. Select the Namespace that you want to turn on audit logging for.
  4. Choose the Security and Encryption tab.
  5. For Security and encryption, choose Edit.
  6. In Export these logs, select the logs that you want to save in CloudWatch.
  7. Choose Save changes.

-or-

Run the following update-namespace AWS CLI command.

aws redshift-serverless update-namespace --namespace-name <namespace> --log-exports userlog connectionlog useractivitylog

Note: Replace <namespace> with the name of your namespace.

For more information on how to monitor the audit logs, see Log events in CloudWatch.

Related information

Database audit logging

Audit logging for Amazon Redshift Serverless

AWS OFFICIAL. Updated 2 months ago.