MEDIUM · Redshift · Security

Redshift Audit Logging Disabled

redshift-audit-logging-disabled

What this rule checks

Detects Redshift clusters without audit logging to S3 (connection, user, query activity).

How to fix it

  1. Set LoggingProperties with a target S3 bucket and key prefix

Flagged: No LoggingProperties are configured, so connection, user, and query-activity logs are never delivered to S3 or CloudWatch.
import { Stack, App } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as redshift from 'aws-cdk-lib/aws-redshift';

class AnalyticsStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    // No loggingProperties: connection, user and query-activity logs are never delivered.
    new redshift.CfnCluster(this, 'Cluster', {
      clusterType: 'single-node',
      dbName: 'analytics',
      masterUsername: 'admin',
      masterUserPassword: '{{resolve:secretsmanager:redshift/admin}}',
      nodeType: 'ra3.xlplus',
      encrypted: true,
      publiclyAccessible: false,
    });
  }
}

new AnalyticsStack(new App(), 'AnalyticsStack');

Fixed: Configuring LoggingProperties with CloudWatch log exports captures connection and user-activity audit trails.
import { Stack, App } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as redshift from 'aws-cdk-lib/aws-redshift';

class AnalyticsStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new redshift.CfnCluster(this, 'Cluster', {
      clusterType: 'single-node',
      dbName: 'analytics',
      masterUsername: 'admin',
      masterUserPassword: '{{resolve:secretsmanager:redshift/admin}}',
      nodeType: 'ra3.xlplus',
      encrypted: true,
      publiclyAccessible: false,
      // Deliver connection and user-activity audit logs to CloudWatch Logs.
      loggingProperties: {
        logDestinationType: 'cloudwatch',
        logExports: ['connectionlog', 'useractivitylog'],
      },
    });
  }
}

new AnalyticsStack(new App(), 'AnalyticsStack');
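The check this rule performs, written out as an added example against the synthesised CloudFormation template (the output of cdk synth) rather than the CDK source; this is illustrative code, not CDK Insights' own implementation, and the sample template, the RULE_ID constant and the treatment of an omitted LogDestinationType as S3 delivery are assumptions of the example.

```typescript
// Added example, not CDK Insights' own code: flag AWS::Redshift::Cluster
// resources in a synthesised template that have no usable audit-log delivery.
const RULE_ID = 'redshift-audit-logging-disabled';

interface LoggingProperties {
  BucketName?: string;
  S3KeyPrefix?: string;
  LogDestinationType?: string;
  LogExports?: string[];
}
interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }
interface Finding { ruleId: string; logicalId: string; message: string; }

function checkRedshiftAuditLogging(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::Redshift::Cluster') continue;
    const lp = res.Properties?.LoggingProperties as LoggingProperties | undefined;
    let message: string | undefined;
    if (!lp) {
      message = 'no LoggingProperties configured';
    } else if ((lp.LogDestinationType ?? 's3').toLowerCase() === 'cloudwatch') {
      // CloudWatch delivery only captures the log types listed in LogExports.
      if (!lp.LogExports?.length) message = 'cloudwatch destination with empty LogExports';
    } else if (!lp.BucketName) {
      // Assumption: an omitted LogDestinationType means S3 delivery, which needs a bucket.
      message = 's3 destination without BucketName';
    }
    if (message) findings.push({ ruleId: RULE_ID, logicalId, message });
  }
  return findings;
}

// Constructed sample template: two clusters should be flagged, one is compliant.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    Unlogged: { Type: 'AWS::Redshift::Cluster', Properties: { NodeType: 'ra3.xlplus' } },
    S3NoBucket: { Type: 'AWS::Redshift::Cluster',
      Properties: { LoggingProperties: { S3KeyPrefix: 'audit/' } } },
    ToCloudWatch: { Type: 'AWS::Redshift::Cluster',
      Properties: { LoggingProperties: { LogDestinationType: 'cloudwatch',
        LogExports: ['connectionlog', 'useractivitylog'] } } },
    Unrelated: { Type: 'AWS::S3::Bucket' },
  },
};

function scanSample(): Finding[] {
  return checkRedshiftAuditLogging(SAMPLE_TEMPLATE);
}
```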

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::Redshift::Cluster

Compliance frameworks

SOC2, HIPAA, PCI-DSS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate — a genuinely public endpoint, say. You can dismiss redshift-audit-logging-disabled and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "redshift-audit-logging-disabled", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::redshift-audit-logging-disabled',
  reason: 'Why this is intentional',
});

Use the rule ID redshift-audit-logging-disabled shown above — not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app — free, no account, your code never leaves your machine.
