Json Yaml Audit Logging Disabled
Description
Detects AWS Redshift clusters defined in CloudFormation templates that have audit logging disabled. Audit logging is a critical security feature that helps track database activities, user actions, and access patterns. Disabled audit logging makes it difficult to investigate security incidents and may violate compliance requirements.
Detection Strategy
• Identifies CloudFormation resource blocks of type 'AWS::Redshift::Cluster'
• Checks if the Redshift cluster resource has logging enabled through the LoggingProperties configuration
• Reports a security finding when a Redshift cluster is configured without audit logging enabled
• Examines both explicit disablement of logging and cases where logging configuration is omitted
Vulnerable code example
Resources:
  UnsafeCluster:
    Type: "AWS::Redshift::Cluster"
    Properties: # Vulnerable: Missing security configurations
      AvailabilityZone: "us-east-2d" # Vulnerable: Explicitly setting AZ can reduce fault tolerance
      # Vulnerable: no LoggingProperties block, so audit logging is disabled
✅ Secure code example
Resources:
  SafeCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      # Use multiple AZs for high availability
      NumberOfNodes: 2
      AutomatedSnapshotRetentionPeriod: 7
      # Enable encryption at rest...
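The detection strategy above, as an added example that is not part of this rule page or of Fluid Attacks' scanner: a small Python checker that walks a CloudFormation template and reports every AWS::Redshift::Cluster whose Properties lack a LoggingProperties block naming a BucketName. It covers both cases the strategy names (LoggingProperties omitted, and present but incomplete) and ignores unrelated resource types. The template is embedded in JSON form (a YAML template has the same structure once parsed); the logical IDs, bucket name and key prefix are constructed placeholders, and treating a non-empty S3 BucketName as the "logging enabled" signal is a simplification chosen for this example.

```python
"""Added example (not part of the Fluid Attacks rule page): a minimal checker
for the 'audit logging disabled' finding on AWS::Redshift::Cluster resources.

Walks a CloudFormation template (JSON form; YAML parses to the same structure)
and reports each Redshift cluster whose Properties lack a LoggingProperties
block with a BucketName. Treating a non-empty BucketName as the enabled
signal is a simplification made for this example. All template contents,
logical IDs and bucket names below are constructed for illustration.
"""
import json

REDSHIFT_CLUSTER = "AWS::Redshift::Cluster"


def logging_enabled(properties):
    """Return True when LoggingProperties is present and names a target bucket."""
    logging = properties.get("LoggingProperties")
    if not isinstance(logging, dict):
        return False
    bucket = logging.get("BucketName")
    # An empty or missing BucketName leaves audit logging effectively disabled.
    return isinstance(bucket, str) and bucket.strip() != ""


def find_clusters_without_audit_logging(template):
    """Return the logical IDs of Redshift clusters with audit logging disabled.

    Handles both cases in the detection strategy: LoggingProperties omitted
    entirely, and LoggingProperties present but incomplete.
    """
    findings = []
    resources = template.get("Resources", {})
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict):
            continue
        if resource.get("Type") != REDSHIFT_CLUSTER:
            continue
        properties = resource.get("Properties") or {}
        if not logging_enabled(properties):
            findings.append(logical_id)
    return findings


def scan_template_text(text):
    """Parse a JSON CloudFormation template and return the finding list."""
    return find_clusters_without_audit_logging(json.loads(text))


# Constructed sample template: one cluster with no LoggingProperties, one with
# an empty LoggingProperties block, one that enables audit logging, and one
# unrelated resource that must not be reported.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "UnsafeCluster": {
            "Type": REDSHIFT_CLUSTER,
            "Properties": {"AvailabilityZone": "us-east-2d"},
        },
        "HalfConfiguredCluster": {
            "Type": REDSHIFT_CLUSTER,
            "Properties": {"LoggingProperties": {}},
        },
        "SafeCluster": {
            "Type": REDSHIFT_CLUSTER,
            "Properties": {
                "NumberOfNodes": 2,
                "AutomatedSnapshotRetentionPeriod": 7,
                "LoggingProperties": {
                    "BucketName": "example-redshift-audit-logs",  # placeholder
                    "S3KeyPrefix": "redshift/",  # placeholder
                },
            },
        },
        "UnrelatedBucket": {"Type": "AWS::S3::Bucket"},
    }
})

if __name__ == "__main__":
    for logical_id in scan_template_text(SAMPLE_TEMPLATE):
        print(f"FINDING: {logical_id} has Redshift audit logging disabled")
```

Running the block prints a finding for UnsafeCluster and for HalfConfiguredCluster and stays silent for SafeCluster, which mirrors the vulnerable and secure examples on this page. A real scanner would also need to resolve intrinsic functions such as Ref and Fn::Sub in the BucketName value before deciding it is non-empty.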