Json Yaml User Activity Logging Disabled
Description
Detects AWS Redshift clusters with disabled user activity logging in CloudFormation templates. When user activity logging is disabled, it reduces audit capabilities and visibility into user actions within the Redshift cluster, potentially impacting security monitoring and compliance requirements.
Detection Strategy
• Identifies CloudFormation resources with type 'AWS::Redshift::ClusterParameterGroup'
• Examines the parameter group configuration to check if user activity logging parameters are disabled
• Reports a vulnerability if the parameter group explicitly disables or fails to enable user activity logging
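An added example (not the scanner's own code) of the three checks above, applied to the JSON form of a template. The sample template, the helper and function names, and the reason strings are constructed for illustration; a parameter group that never sets the parameter is treated as a finding, since Redshift leaves it off by default.

```python
import json

RESOURCE_TYPE = "AWS::Redshift::ClusterParameterGroup"
PARAM_NAME = "enable_user_activity_logging"


def _pg(params=None):
    """Build a constructed parameter-group resource for the sample template."""
    props = {"Description": "sample", "ParameterGroupFamily": "redshift-1.0"}
    if params is not None:
        props["Parameters"] = [
            {"ParameterName": k, "ParameterValue": v} for k, v in params.items()
        ]
    return {"Type": RESOURCE_TYPE, "Properties": props}


# Constructed sample input, not taken from a real deployment.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "DisabledPG": _pg({PARAM_NAME: "false"}),
    "MissingPG": _pg({"require_ssl": "true"}),
    "NoParamsPG": _pg(),
    "EnabledPG": _pg({PARAM_NAME: "true"}),
    "Bucket": {"Type": "AWS::S3::Bucket"},
}})


def find_disabled_activity_logging(template_text):
    """Return {logical_id: reason} for parameter groups without activity logging."""
    resources = json.loads(template_text).get("Resources") or {}
    findings = {}
    for logical_id, resource in resources.items():
        # Check 1: only Redshift cluster parameter groups are in scope.
        if not isinstance(resource, dict) or resource.get("Type") != RESOURCE_TYPE:
            continue
        # Check 2: collect every value given for the logging parameter.
        params = (resource.get("Properties") or {}).get("Parameters") or []
        values = [
            p.get("ParameterValue") for p in params
            if isinstance(p, dict) and p.get("ParameterName") == PARAM_NAME
        ]
        # Check 3: report when the parameter is absent or not set to true.
        if not values:
            findings[logical_id] = "parameter not set"
        elif any(str(v).strip().lower() != "true" for v in values):
            findings[logical_id] = "value is not true"
    return findings
```

A value supplied through an intrinsic function such as Ref cannot be resolved statically and is reported as "value is not true", so those findings need a manual look at the referenced parameter.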
Vulnerable code example
Resources:
  UnsafeRedshiftPG:
    Type: 'AWS::Redshift::ClusterParameterGroup'
    Properties:
      Description: "Unsafe parameter group"
      ParameterGroupFamily: "redshift-1.0"
      Parameters:
        - ParameterName: "enable_user_activity_logging" # Vulnerable: Explicitly disables security logging...
✅ Secure code example
Resources:
  SafeRedshiftPG:
    Type: 'AWS::Redshift::ClusterParameterGroup'
    Properties:
      Description: "Secure parameter group with logging and WLM controls"
      ParameterGroupFamily: "redshift-1.0"
      Parameters:
        - ParameterName: "enable_user_activity_logging" # Enable audit logging for security tracking...