Detection rules › Panther
AWS Redshift Cluster Logging
This policy validates that Redshift Cluster have logging enabled. This includes audit logs.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body yaml
AnalysisType: policy
Filename: aws_redshift_cluster_logging.py
PolicyID: "AWS.Redshift.Cluster.Logging"
DisplayName: "AWS Redshift Cluster Logging"
Enabled: true
ResourceTypes:
- AWS.Redshift.Cluster
Reports:
MITRE ATT&CK:
- TA0005:T1562
Tags:
- AWS
- Security Control
- Defense Evasion:Impair Defenses
Severity: Medium
Description: >
This policy validates that Redshift Cluster have logging enabled. This includes audit logs.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-redshift-cluster-has-logging-enabled
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/logs-redshift-database-cluster/
Tests:
- Name: Logging Disabled
ExpectedResult: false
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 3,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": false,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": null,
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
- Name: Logging Enabled
ExpectedResult: true
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 3,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": null,
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
Detection logic
Condition
LoggingStatus.LoggingEnabled not is_not_null
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
LoggingStatus.LoggingEnabled | is_not_null |