Amazon Redshift

Redshift User Activity Logging Enabled

Risk Level: Medium

Description

This plugin checks that user activity logging is enabled for your Amazon Redshift clusters. When the enable_user_activity_logging parameter is true, Redshift records each query before it runs on the database, so the user activity log shows which database user ran which SQL statement and when. These logs make it possible to spot unusual activity by database users, including IAM identities that obtain temporary database credentials. Note that the parameter only controls whether the user activity log is generated; audit logging must also be enabled on the cluster for any log files to be delivered to Amazon S3 or CloudWatch Logs.

About the Service

Amazon Redshift: Amazon Redshift is a managed data warehouse for fast, secure analysis of large datasets. It runs standard SQL queries against the warehouse and, through Redshift ML, can train and deploy machine learning models on that data. It also supports real-time operational analytics, which is useful for monitoring.

Impact

Logs are the record of what was run against a Redshift cluster and by whom, and they should be reviewed regularly for unusual activity. If data is compromised, the user activity log shows which queries ran, which database user ran them, and in which session, which is the starting point for identifying the actor and the scope of the breach. Without these logs, the security team has no record from which to begin an investigation.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon Redshift console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Clusters.
  4. A list of clusters will be displayed. Select the cluster you want to examine by clicking on its Cluster Name.
  5. Move to the Properties tab.
  6. In Database configurations, click on the Parameter group listed for the cluster.
  7. Move to the Parameters tab.
  8. Check the value of enable_user_activity_logging. If it is set to false, the cluster is vulnerable. This parameter only generates the user activity log, so also confirm under Database configurations that Audit logging is enabled; otherwise no log files are delivered.
  9. Repeat these steps for all the clusters you wish to examine.
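The same check, expressed as code rather than console clicks. This is an added example, not the plugin's own source: it evaluates the response shapes returned by the boto3 redshift client's describe_clusters, describe_cluster_parameters and describe_logging_status calls, and it reports both the parameter being false and the audit-logging-disabled case in which the parameter alone produces no log files. The cluster names, parameter group names and bucket in the sample data are constructed.

```python
"""Evaluate Redshift clusters for user activity logging from API responses.

The input dicts mirror the shapes returned by boto3 redshift client calls
(describe_clusters, describe_cluster_parameters, describe_logging_status).
All sample data below is constructed for the example.
"""

PARAM = "enable_user_activity_logging"


def user_activity_logging_enabled(parameters):
    """Return True only if the parameter is explicitly 'true'.

    parameters: the 'Parameters' list from describe_cluster_parameters.
    """
    for p in parameters:
        if p.get("ParameterName") == PARAM:
            return str(p.get("ParameterValue", "")).lower() == "true"
    # Parameter absent from the group: Redshift's engine default is false.
    return False


def evaluate_cluster(cluster, parameters_by_group, logging_status):
    """Return a list of findings for one cluster; an empty list means compliant."""
    cluster_id = cluster["ClusterIdentifier"]
    findings = []
    for grp in cluster.get("ClusterParameterGroups", []):
        name = grp["ParameterGroupName"]
        if not user_activity_logging_enabled(parameters_by_group.get(name, [])):
            findings.append(f"{cluster_id}: {PARAM} is not true in parameter group {name}")
        elif grp.get("ParameterApplyStatus") == "pending-reboot":
            # Value was changed but the cluster has not been rebooted yet.
            findings.append(f"{cluster_id}: {PARAM} change in {name} is pending a cluster reboot")
    # The parameter on its own writes nothing: audit logging must be enabled
    # for the user activity log to be delivered anywhere.
    if not logging_status.get("LoggingEnabled", False):
        findings.append(f"{cluster_id}: audit logging is disabled, so no user activity log is delivered")
    return findings


# Constructed sample responses: one compliant cluster, one on the read-only
# default parameter group, one with the parameter set but audit logging off.
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics-prod",
     "ClusterParameterGroups": [{"ParameterGroupName": "audit-pg", "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "reporting-dev",
     "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0", "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "etl-staging",
     "ClusterParameterGroups": [{"ParameterGroupName": "audit-pg", "ParameterApplyStatus": "in-sync"}]},
]
SAMPLE_PARAMETERS = {
    "audit-pg": [{"ParameterName": PARAM, "ParameterValue": "true", "Source": "user"}],
    "default.redshift-1.0": [{"ParameterName": PARAM, "ParameterValue": "false", "Source": "engine-default"}],
}
SAMPLE_LOGGING = {
    "analytics-prod": {"LoggingEnabled": True, "BucketName": "audit-logs-bucket"},
    "reporting-dev": {"LoggingEnabled": False},
    "etl-staging": {"LoggingEnabled": False},
}


def scan(clusters=SAMPLE_CLUSTERS, parameters_by_group=SAMPLE_PARAMETERS,
         logging_by_cluster=SAMPLE_LOGGING):
    """Map each cluster identifier to its list of findings."""
    return {
        c["ClusterIdentifier"]: evaluate_cluster(
            c, parameters_by_group, logging_by_cluster.get(c["ClusterIdentifier"], {}))
        for c in clusters
    }


if __name__ == "__main__":
    for cid, findings in scan().items():
        print(cid, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Against a real account, replace the three SAMPLE_ dicts with the output of the corresponding boto3 calls (paginating describe_clusters) and the logic is unchanged; the point of the separate audit-logging finding is that a parameter group showing true can still leave you with no log files.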

Steps for Remediation

Update the Redshift parameter group to enable user activity logging. Default parameter groups (for example default.redshift-1.0) cannot be edited, so a cluster that uses one must first be moved to a custom parameter group. The new value takes effect only after the cluster is rebooted, and the user activity log is written only when audit logging is also enabled on the cluster.

  1. Log in to your AWS Console.
  2. Open the Amazon Redshift console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Clusters.
  4. A list of clusters will be displayed. Select the vulnerable cluster by clicking on its Cluster Name.
  5. Move to the Properties tab.
  6. In Database configurations, click on the Parameter group listed for the cluster. If it is a default group, create a custom parameter group instead, associate the cluster with it (Actions > Modify, under Database configurations), and open the custom group.
  7. Move to the Parameters tab.
  8. Click Edit parameters, change the value of enable_user_activity_logging to "true", and click Save changes.
  9. Reboot the cluster once its parameter group status shows pending-reboot so the change takes effect, and confirm that Audit logging is enabled under Database configurations (Edit audit logging) so the user activity log is delivered to Amazon S3 or CloudWatch Logs.
  10. Repeat these steps for all the vulnerable clusters.
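The remediation above as an API sequence, handling the two traps the console steps mention: a cluster on a read-only default parameter group, and a cluster where the parameter is set but audit logging is off. This is an added example, not code from the plugin or from AWS. The remediate function only assumes a client with the method names and keyword arguments of the boto3 redshift client; FakeRedshift is a constructed in-memory stand-in so the flow runs without credentials, and the custom group name audit-logging-pg, the bucket and the cluster identifiers are made up.

```python
"""Enable Redshift user activity logging on one cluster via the API.

`client` must expose the boto3 redshift client methods used below
(describe_clusters, create_cluster_parameter_group, modify_cluster,
modify_cluster_parameter_group, describe_logging_status, enable_logging,
reboot_cluster). Pass boto3.client("redshift") for a real account;
FakeRedshift is a constructed stand-in for running the example offline.
"""

PARAM = "enable_user_activity_logging"
DEFAULT_GROUP_PREFIX = "default."   # default.<family> groups are read-only


def remediate(client, cluster_id, custom_group="audit-logging-pg",
              log_bucket=None, log_prefix="redshift/"):
    """Enable user activity logging for cluster_id; return the actions taken."""
    actions = []
    cluster = client.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    group = cluster["ClusterParameterGroups"][0]["ParameterGroupName"]

    # 1. Default parameter groups cannot be modified: move the cluster to a
    #    custom group of the same family (e.g. redshift-1.0) first.
    if group.startswith(DEFAULT_GROUP_PREFIX):
        family = group[len(DEFAULT_GROUP_PREFIX):]
        client.create_cluster_parameter_group(
            ParameterGroupName=custom_group, ParameterGroupFamily=family,
            Description="Custom group with user activity logging enabled")
        client.modify_cluster(ClusterIdentifier=cluster_id,
                              ClusterParameterGroupName=custom_group)
        actions.append(f"moved {cluster_id} from {group} to {custom_group}")
        group = custom_group

    # 2. Set the parameter in the (now writable) group.
    client.modify_cluster_parameter_group(
        ParameterGroupName=group,
        Parameters=[{"ParameterName": PARAM, "ParameterValue": "true"}])
    actions.append(f"set {PARAM}=true in {group}")

    # 3. Without audit logging the user activity log is never delivered.
    if not client.describe_logging_status(ClusterIdentifier=cluster_id)["LoggingEnabled"]:
        if log_bucket is None:
            raise ValueError("audit logging is off and no log_bucket was given")
        client.enable_logging(ClusterIdentifier=cluster_id,
                              BucketName=log_bucket, S3KeyPrefix=log_prefix)
        actions.append(f"enabled audit logging to s3://{log_bucket}/{log_prefix}")

    # 4. The parameter change is applied only after a reboot; the cluster
    #    reports the group as pending-reboot until then.
    cluster = client.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    if any(g.get("ParameterApplyStatus") == "pending-reboot"
           for g in cluster["ClusterParameterGroups"]):
        client.reboot_cluster(ClusterIdentifier=cluster_id)
        actions.append(f"rebooted {cluster_id}")
    return actions


class FakeRedshift:
    """Constructed in-memory stand-in for boto3.client('redshift')."""

    def __init__(self, cluster_id, group, logging_enabled):
        self.cluster_id, self.group, self.logging_enabled = cluster_id, group, logging_enabled
        self.apply_status = "in-sync"
        self.groups = {group: {}}       # parameter group name -> {param: value}
        self.calls = []                 # (method, kwargs) in call order

    def _log(self, name, **kw):
        self.calls.append((name, kw))

    def describe_clusters(self, **kw):
        self._log("describe_clusters", **kw)
        return {"Clusters": [{"ClusterIdentifier": self.cluster_id,
                              "ClusterParameterGroups": [{"ParameterGroupName": self.group,
                                                          "ParameterApplyStatus": self.apply_status}]}]}

    def create_cluster_parameter_group(self, **kw):
        self._log("create_cluster_parameter_group", **kw)
        self.groups[kw["ParameterGroupName"]] = {}

    def modify_cluster(self, **kw):
        self._log("modify_cluster", **kw)
        self.group = kw["ClusterParameterGroupName"]

    def modify_cluster_parameter_group(self, **kw):
        self._log("modify_cluster_parameter_group", **kw)
        if kw["ParameterGroupName"].startswith(DEFAULT_GROUP_PREFIX):
            raise RuntimeError("default parameter groups cannot be modified")
        for p in kw["Parameters"]:
            self.groups[kw["ParameterGroupName"]][p["ParameterName"]] = p["ParameterValue"]
        self.apply_status = "pending-reboot"

    def describe_logging_status(self, **kw):
        self._log("describe_logging_status", **kw)
        return {"LoggingEnabled": self.logging_enabled}

    def enable_logging(self, **kw):
        self._log("enable_logging", **kw)
        self.logging_enabled = True

    def reboot_cluster(self, **kw):
        self._log("reboot_cluster", **kw)
        self.apply_status = "in-sync"


if __name__ == "__main__":
    fake = FakeRedshift("reporting-dev", "default.redshift-1.0", logging_enabled=False)
    for line in remediate(fake, "reporting-dev", log_bucket="audit-logs-bucket"):
        print(line)
```

Two things to settle before running this against production: the S3 bucket passed to enable_logging needs a bucket policy that lets the Redshift service write to it, and create_cluster_parameter_group fails if the custom group already exists, so reuse an existing group rather than creating one when you run this across many clusters. The reboot drops active connections, so schedule it.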