
User Activity Logging Is Disabled

Description

Amazon Redshift user activity logging records every query before it is executed. This level of detail assists in debugging and incident response. Because the query text itself is logged, sensitive data may be recorded in the logs when this category of logging is enabled. Check that the container where the logs are kept has proper access controls.

If the query data is highly sensitive, and the access controls on the logs are not tightly controlled, then user activity logging should be disabled. If the query data is less sensitive, and the value of having more detailed information for access monitoring is high, then user activity logging should be enabled.

For detailed documentation on Amazon Redshift logging, refer to the Amazon Redshift database audit logging documentation.

Rationale

If the query information is highly sensitive, and sending detailed queries to logging would represent an information leak, user activity logging should not be enabled.

Enable user activity logging for a detailed record of all actions taken on the database. The query information makes access monitoring most effective and supports incident response forensic investigations.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      Value
secureclouddb/provider   aws
secureclouddb/service    redshift

Default Rule

const { isAwsRedshift, getRedshiftClusterParameter, getRedshiftClusterLoggingStatus } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true when audit logging is enabled
 *          and the 'enable_user_activity_logging' parameter is "true"
 */
function validate(databaseSettings) {
    const parameterName = "enable_user_activity_logging"
    // Only evaluate Redshift clusters; fetch the cluster's audit logging status
    const loggingStatus = isAwsRedshift(databaseSettings) && getRedshiftClusterLoggingStatus(databaseSettings)
    // The parameter only has an effect once audit logging itself is enabled
    const param = loggingStatus &&
        loggingStatus.loggingEnabled &&
        getRedshiftClusterParameter(databaseSettings, parameterName)

    // Redshift exposes parameter values as strings; coerce to a strict boolean
    const success = Boolean(param && param.parameterValue === "true")

    return {
        success
    }
}

// invoke
validate(databaseSettings);
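The rule above depends on two separate facts about a cluster: audit logging must be enabled at all, and the parameter group must set enable_user_activity_logging to "true". The following is an added, stand-alone example (not SecureCloudDB's rule code and not part of the original page) that evaluates the same condition over data shaped like the AWS Redshift DescribeLoggingStatus and DescribeClusterParameters responses, and also reports where the logs are delivered so the access controls on that location can be reviewed. The cluster records are constructed for the example; the treatment of ParameterApplyStatus (a static parameter change is not in effect until the cluster reboots) is an addition beyond the page's rule.

```javascript
// Added example, not SecureCloudDB's own rule code: evaluate whether a
// Redshift cluster actually records user activity (query text), using data
// shaped like the AWS DescribeLoggingStatus and DescribeClusterParameters
// responses. The cluster records below are constructed for this example.

const PARAMETER_NAME = "enable_user_activity_logging";

/**
 * Describe where audit logs are delivered. For S3 delivery this is the
 * bucket (and prefix) whose access controls the description says to review;
 * newer clusters may deliver to CloudWatch Logs instead.
 */
function describeDestination(loggingStatus) {
  if (loggingStatus.LogDestinationType === "cloudwatch") {
    return "cloudwatch-logs";
  }
  if (loggingStatus.BucketName) {
    return `s3://${loggingStatus.BucketName}/${loggingStatus.S3KeyPrefix || ""}`;
  }
  return "unknown";
}

/**
 * @param {Object}   loggingStatus  DescribeLoggingStatus response
 * @param {Object[]} parameters     Parameters[] from DescribeClusterParameters
 * @param {string}   [applyStatus]  ParameterApplyStatus of the cluster's parameter
 *                                  group (e.g. "in-sync", "pending-reboot")
 * @returns {{success: boolean, reason: string, logDestination: string|null}}
 */
function evaluateUserActivityLogging(loggingStatus, parameters, applyStatus = "in-sync") {
  // 1. Audit logging must be switched on; without it the parameter does nothing.
  if (!loggingStatus || !loggingStatus.LoggingEnabled) {
    return { success: false, reason: "audit logging is disabled on the cluster", logDestination: null };
  }
  const logDestination = describeDestination(loggingStatus);

  // 2. The parameter group must set enable_user_activity_logging to "true".
  //    Redshift returns parameter values as strings, so compare exactly.
  const param = (parameters || []).find(p => p.ParameterName === PARAMETER_NAME);
  if (!param) {
    return { success: false, reason: `${PARAMETER_NAME} missing from the parameter group`, logDestination };
  }
  if (param.ParameterValue !== "true") {
    return { success: false, reason: `${PARAMETER_NAME} is "${param.ParameterValue}"`, logDestination };
  }

  // 3. The parameter is static: a changed value is not in effect until the
  //    cluster reboots, so a pending change is still a finding.
  if (applyStatus !== "in-sync") {
    return { success: false, reason: `parameter group is ${applyStatus}; change not yet in effect`, logDestination };
  }
  return { success: true, reason: "user activity logging is in effect", logDestination };
}

// Constructed sample clusters (not real account data).
const SAMPLE_CLUSTERS = [
  {
    id: "analytics-prod",
    loggingStatus: { LoggingEnabled: true, BucketName: "example-audit-logs", S3KeyPrefix: "redshift/" },
    parameters: [{ ParameterName: PARAMETER_NAME, ParameterValue: "true", ApplyType: "static" }],
    applyStatus: "in-sync",
  },
  {
    // Audit logging is on, but only connection/user logs: query text is not recorded.
    id: "reporting",
    loggingStatus: { LoggingEnabled: true, BucketName: "example-audit-logs", S3KeyPrefix: "reporting/" },
    parameters: [{ ParameterName: PARAMETER_NAME, ParameterValue: "false", ApplyType: "static" }],
    applyStatus: "in-sync",
  },
  {
    id: "sandbox",
    loggingStatus: { LoggingEnabled: false },
    parameters: [{ ParameterName: PARAMETER_NAME, ParameterValue: "true", ApplyType: "static" }],
    applyStatus: "in-sync",
  },
  {
    // Parameter was set to "true" but the cluster has not been rebooted yet.
    id: "etl",
    loggingStatus: { LoggingEnabled: true, LogDestinationType: "cloudwatch" },
    parameters: [{ ParameterName: PARAMETER_NAME, ParameterValue: "true", ApplyType: "static" }],
    applyStatus: "pending-reboot",
  },
];

/** Evaluate every cluster and return one finding per cluster. */
function evaluateClusters(clusters) {
  return clusters.map(c => ({ id: c.id, ...evaluateUserActivityLogging(c.loggingStatus, c.parameters, c.applyStatus) }));
}

for (const f of evaluateClusters(SAMPLE_CLUSTERS)) {
  console.log(`${f.id}: ${f.success ? "PASS" : "FAIL"} (${f.reason}; logs: ${f.logDestination})`);
}
```

Only the first sample cluster passes. The "reporting" cluster is the case the rule is designed to catch: audit logging appears enabled, but without the parameter the delivered logs contain connection and user events only, never the query text the description and rationale are about.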