Summary Prerequisites and limitations Architecture Tools Epics Related resources Attachments

Visualize Amazon Redshift audit logs using Amazon Athena and Amazon QuickSight

Created by Sanket Sirsikar (AWS) and Gopal Krishna Bhatia (AWS)

Environment: PoC or pilot

Technologies: Analytics; Big data; Data lakes

AWS services: Amazon Athena; Amazon Redshift; Amazon S3; Amazon QuickSight

Summary

Security is an integral part of database operations on the Amazon Web Services (AWS) Cloud. Your organization should ensure that it monitors database user activities and connections to detect potential security incidents and risks. This pattern helps you monitor your databases for security and troubleshooting purposes, which is a process known as database auditing.

This pattern provides a SQL script that automates the creation of an Amazon Athena table and views for a reporting dashboard in Amazon QuickSight that helps you audit Amazon Redshift logs. This ensures that users responsible for monitoring database activities have convenient access to data security features.

Prerequisites and limitations

Prerequisites

An active AWS account.
An existing Amazon Redshift cluster. For more information about this, see Create an Amazon Redshift cluster in the Amazon Redshift documentation.
Access to an existing Athena workgroup. For more information, see How workgroups work in the Amazon Athena documentation.
An existing Amazon Simple Storage Service (Amazon S3) source bucket with the required AWS Identity and Access Management (IAM) permissions. For more information, see Bucket permissions for Amazon Redshift audit logging from Database audit logging in the Amazon Redshift documentation.

Architecture

Technology stack

Athena
Amazon Redshift
Amazon S3
QuickSight

Tools

Amazon Athena – Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.
Amazon QuickSight – QuickSight is a scalable, serverless, embeddable, machine learning-powered business intelligence (BI) service.
Amazon Redshift – Amazon Redshift is an enterprise-level, petabyte scale, fully managed data warehousing service.
Amazon S3 – Amazon Simple Storage Service (Amazon S3) is storage for the internet.

Epics

Task Description Skills required

Enable audit logging for the Amazon Redshift cluster.

Task	Description	Skills required
Enable audit logging for the Amazon Redshift cluster.	Sign in to the AWS Management Console, open the Amazon Redshift console, choose CLUSTERS, and then choose the cluster that you want to enable logging for. Choose the Properties tab and then enable auditing by following the instructions from Configuring auditing using the console in the Amazon Redshift documentation.	DBA, Data engineer
Enable logging in the Amazon Redshift cluster parameter group.	You can enable auditing of connection logs, user logs, and user activity logs at the same time by using the AWS Management Console, the Amazon Redshift API reference, or AWS Command Line Interface (AWS CLI). For auditing of user activity logs, you must enable the `enable_user_activity_logging` database parameter. If you only enable the audit logging feature but not the associated parameter, the database audit logs the logging information for the connection and user logs but not for the user activity logs. The `enable_user_activity_logging` parameter is not enabled by default, but you can enable it by changing it from `false` to `true`. Important: You need to create a new cluster parameter group with the `user_activity_logging` parameter enabled and attach it to your Amazon Redshift cluster. For more information about this, see Modifying a cluster in the Amazon Redshift documentation. For more information about this task, see Amazon Redshift parameter groups and Configuring auditing using the console in the Amazon Redshift documentation.	DBA, Data engineer
Configure S3 bucket permissions for Amazon Redshift cluster logging.	When you enable logging, Amazon Redshift collects logging information and uploads it to log files stored in an S3 bucket. You can use an existing S3 bucket or create a new bucket. Important: Make sure that Amazon Redshift has the required IAM permissions to access the S3 bucket. For more information about this, see Bucket permissions for Amazon Redshift audit logging from Database audit logging in the Amazon Redshift documentation.	DBA, Data engineer

Sign in to the AWS Management Console, open the Amazon Redshift console, choose CLUSTERS, and then choose the cluster that you want to enable logging for.
Choose the Properties tab and then enable auditing by following the instructions from Configuring auditing using the console in the Amazon Redshift documentation.

DBA, Data engineer

Enable logging in the Amazon Redshift cluster parameter group.

You can enable auditing of connection logs, user logs, and user activity logs at the same time by using the AWS Management Console, the Amazon Redshift API reference, or AWS Command Line Interface (AWS CLI).

For auditing of user activity logs, you must enable the enable_user_activity_logging database parameter. If you only enable the audit logging feature but not the associated parameter, the database audit logs the logging information for the connection and user logs but not for the user activity logs. The enable_user_activity_logging parameter is not enabled by default, but you can enable it by changing it from false to true.

Important: You need to create a new cluster parameter group with the user_activity_logging parameter enabled and attach it to your Amazon Redshift cluster. For more information about this, see Modifying a cluster in the Amazon Redshift documentation.

For more information about this task, see Amazon Redshift parameter groups and Configuring auditing using the console in the Amazon Redshift documentation.

DBA, Data engineer

Configure S3 bucket permissions for Amazon Redshift cluster logging.

When you enable logging, Amazon Redshift collects logging information and uploads it to log files stored in an S3 bucket. You can use an existing S3 bucket or create a new bucket.

Important: Make sure that Amazon Redshift has the required IAM permissions to access the S3 bucket. For more information about this, see Bucket permissions for Amazon Redshift audit logging from Database audit logging in the Amazon Redshift documentation.

DBA, Data engineer

Task Description Skills required

Create the Athena table and views to query Amazon Redshift audit log data from the S3 bucket.

Task	Description	Skills required
Create the Athena table and views to query Amazon Redshift audit log data from the S3 bucket.	Open the Amazon Athena console and use the data definition language (DDL) query from the `AuditLogging.sql` SQL script (attached) to create the table and views for user activity logs, user logs, and connection logs. For more information and instructions, see the Create tables and run queries tutorial from the Amazon Athena Workshop.	Data engineer

Open the Amazon Athena console and use the data definition language (DDL) query from the AuditLogging.sql SQL script (attached) to create the table and views for user activity logs, user logs, and connection logs.

For more information and instructions, see the Create tables and run queries tutorial from the Amazon Athena Workshop.

Data engineer

Task	Description	Skills required
Create a QuickSight dashboard using Athena as the data source.	Open the Amazon QuickSight console and create a QuickSight dashboard by following the instructions in the Visualize with QuickSight using Athena tutorial from the Amazon Athena Workshop.	DBA, Data engineer

Related resources

Attachments

attachment.zip

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Three AWS Glue job types for converting data

More patterns