Enable Encryption On Audit Logs S3 Bucket

Description

Amazon Redshift logs information about connections and user activities in your database. These logs help you to monitor the database for security and troubleshooting purposes, which is a process often referred to as database auditing. The logs are stored in Amazon S3 buckets. These provide convenient access with data security features for users who are responsible for monitoring activities in the database.

With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket so that all new objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS) (SSE-KMS). However, currently, you can only use Amazon S3-managed keys (SSE-S3) encryption (AES-256) for Amazon Redshift audit logging.

For further information about encrypting Amazon Redshift audit logs S3 buckets, refer to the Amazon Redshift Auditing documentation. Information about encrypting Amazon S3 buckets can be found in the Amazon S3 documentation.

Rationale

Enable encryption on the Amazon S3 bucket where your Amazon Redshift audit logs are stored. This prevents unauthorized third parties from reading your logs.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                     Value
secureclouddb/provider  aws
secureclouddb/service   redshift

Default Rule

// `aws` and `databaseSettings` are supplied by the rule engine's environment.
const { isAwsRedshift, getRedshiftClusterS3EncryptionConfiguration } = aws

/**
 * Checks that the S3 bucket receiving the cluster's audit logs has
 * default encryption enabled.
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if S3 encryption is enabled
 */
function validate(databaseSettings) {
    // Only Redshift clusters have an audit-log bucket to inspect; for any
    // other database the check short-circuits to false.
    const s3EncryptionConfig =
        isAwsRedshift(databaseSettings) &&
        getRedshiftClusterS3EncryptionConfiguration(databaseSettings)

    // Coerce to a strict boolean so a missing configuration reports false
    // rather than undefined or null.
    const success = Boolean(s3EncryptionConfig && s3EncryptionConfig.enabled)

    return {
        success
    }
}

// invoke
validate(databaseSettings);
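The rule above depends on two helpers from the engine's `aws` object whose internals the page does not show. The following stand-alone harness is an added example, not SecureCloudDB's code: it builds those helpers from API-shaped data (the Redshift DescribeLoggingStatus response and the S3 GetBucketEncryption response, both real shapes), applies the page's note that Redshift audit logging only works with SSE-S3 (AES256) buckets, and runs the same validate() logic over constructed inputs. The layout of `databaseSettings` ({ provider, service, logging, buckets }) and the decision to treat an SSE-KMS bucket as "not enabled" for this rule are assumptions made for the example.

```javascript
// Added example, not SecureCloudDB's code. The databaseSettings layout used
// here ({ provider, service, logging, buckets }) is an assumption.

// Per the page, Redshift audit logging can only write to SSE-S3 (AES256) buckets.
const SUPPORTED_ALGORITHMS = new Set(['AES256']);

// Derive the default-encryption state of the bucket that receives audit logs.
// Returns null when logging is off or the bucket's configuration is unknown.
function getRedshiftClusterS3EncryptionConfiguration(databaseSettings) {
  const logging = databaseSettings.logging || {};          // DescribeLoggingStatus shape
  if (!logging.LoggingEnabled || !logging.BucketName) return null;

  const bucket = (databaseSettings.buckets || {})[logging.BucketName];
  if (!bucket) return null;

  // GetBucketEncryption has no ServerSideEncryptionConfiguration when the bucket
  // has no default encryption; that case yields an empty rule list here.
  const rules = bucket.ServerSideEncryptionConfiguration
    ? bucket.ServerSideEncryptionConfiguration.Rules || []
    : [];
  const algorithms = rules
    .map((r) => r.ApplyServerSideEncryptionByDefault &&
                r.ApplyServerSideEncryptionByDefault.SSEAlgorithm)
    .filter(Boolean);

  return {
    bucket: logging.BucketName,
    algorithms,
    // Any default encryption at all is present.
    encrypted: algorithms.length > 0,
    // "enabled" as this example defines it: default encryption is on AND uses an
    // algorithm Redshift audit logging can actually deliver with.
    enabled: algorithms.length > 0 && algorithms.every((a) => SUPPORTED_ALGORITHMS.has(a)),
  };
}

function isAwsRedshift(databaseSettings) {
  return databaseSettings.provider === 'aws' && databaseSettings.service === 'redshift';
}

const aws = { isAwsRedshift, getRedshiftClusterS3EncryptionConfiguration };

// Same logic as the page's Default Rule, with the result coerced to a boolean.
function validate(databaseSettings) {
  const s3EncryptionConfig =
    aws.isAwsRedshift(databaseSettings) &&
    aws.getRedshiftClusterS3EncryptionConfiguration(databaseSettings);
  return { success: Boolean(s3EncryptionConfig && s3EncryptionConfig.enabled) };
}

// Constructed sample bucket configurations (GetBucketEncryption shape).
const sseS3Bucket = {
  ServerSideEncryptionConfiguration: {
    Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }],
  },
};
const kmsBucket = {
  ServerSideEncryptionConfiguration: {
    Rules: [{ ApplyServerSideEncryptionByDefault: {
      SSEAlgorithm: 'aws:kms', KMSMasterKeyID: 'example-key-id' } }],
  },
};
const plainBucket = {}; // no default encryption configured

function redshiftSettings(bucketName, buckets) {
  return {
    provider: 'aws',
    service: 'redshift',
    logging: { LoggingEnabled: true, BucketName: bucketName, S3KeyPrefix: 'audit/' },
    buckets,
  };
}

// Constructed cases covering the pass, fail and not-applicable paths.
const cases = {
  encryptedSseS3: redshiftSettings('audit-logs-sse-s3', { 'audit-logs-sse-s3': sseS3Bucket }),
  encryptedKms: redshiftSettings('audit-logs-kms', { 'audit-logs-kms': kmsBucket }),
  unencrypted: redshiftSettings('audit-logs-plain', { 'audit-logs-plain': plainBucket }),
  loggingOff: { provider: 'aws', service: 'redshift',
                logging: { LoggingEnabled: false }, buckets: {} },
  notRedshift: { provider: 'aws', service: 'rds',
                 logging: { LoggingEnabled: true, BucketName: 'x' }, buckets: {} },
};

// Evaluate every case; returns { caseName: success } for inspection.
function runCases() {
  const results = {};
  for (const [name, settings] of Object.entries(cases)) {
    results[name] = validate(settings).success;
  }
  return results;
}

console.log(runCases());
```

Only the SSE-S3 bucket passes. The SSE-KMS bucket fails because, as the page notes, Redshift audit logging cannot currently write to it, so the logs would never land there encrypted; the bucket with no default encryption fails outright; with logging disabled there is no bucket to assess, so the rule reports failure rather than undefined; and a non-Redshift database short-circuits to false.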