AWSConfigRemediation-EnableRedshiftClusterAuditLogging - AWS Systems Manager Automation runbook reference

AWSConfigRemediation-EnableRedshiftClusterAuditLogging

Description

The AWSConfigRemediation-EnableRedshiftClusterAuditLogging runbook enables audit logging for the Amazon Redshift cluster you specify.

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Databases

Parameters

  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • BucketName

    Type: String

    Description: (Required) The name of the Amazon Simple Storage Service (Amazon S3) bucket you want to upload logs to.

  • ClusterIdentifier

    Type: String

    Description: (Required) The unique identifier of the cluster you want to enable audit logging on.

  • S3KeyPrefix

    Type: String

    Description: (Optional) The Amazon S3 key prefix (subfolder) you want to upload logs to.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • redshift:DescribeLoggingStatus

  • redshift:EnableLogging

  • s3:GetBucketAcl

  • s3:PutObject

Document Steps

  • aws:branch - Branches based on whether a value was specified for the S3KeyPrefix parameter.

  • aws:executeAwsApi - Enables audit logging on the cluster specified in the ClusterIdentifier parameter.

  • aws:assertAwsResourceProperty - Verifies audit logging was enabled on the cluster.