Audit Logging Guardrails

Overview

Audit Logging guardrails allow administrators to enable logging on the cluster and databases. With Turbot Guardrails Audit Logging policies, administrators can define where to store the logs depending on the resource. The Audit Logging control can audit or enforce those policies, giving centralized control over data that is stored, such as data subject to compliance or regulatory requirements.

The core Audit Logging policy has a consistent form: {Provider} > {service} > {resource} > Audit Logging

  • AWS > Redshift > Cluster > Audit Logging
  • Azure > PostgreSQL > Server > Audit Logging

Below are the list of allowed values for the Audit Logging policy. Depending on the resource type it can be different. The basic form is:

Skip
Check: Disabled
Check: Enabled
Check: Enabled to Audit Logging > Bucket
Enforce: Disabled
Enforce: Enabled to Audit Logging > Bucket
Check: Audit Logging > *
Enforce: Audit Logging > *
# AWS > Redshift > Cluster > Audit Logging - Skip - Check: Disabled - Check: Enabled - Check: Enabled to Audit Logging > Bucket - Enforce: Disabled - Enforce: Enabled to Audit Logging > Bucket
# Azure > PostgreSQL > Server > Audit Logging - Skip - Check: Audit Logging > * - Enforce: Audit Logging > *

The Audit Logging guardrail for AWS resources has a number of policy sub-settings to determine the attributes of the audit logging check. The format of these policy types is {Provider} > {service} > {resource} > Audit Logging > {Items}:

{Provider} > {service} > {resource} > Audit Logging > User Activity Logging
{Provider} > {service} > {resource} > Audit Logging > Bucket
{Provider} > {service} > {resource} > Audit Logging > Key Prefix

The Audit Logging guardrail for Azure resources have a number of policy sub-settings to determine the attributes of the audit logging check. The format of these policy types is {Provider} > {service} > {resource} > Audit Logging > {Items}:

{Provider} > {service} > {resource} > Audit Logging > Log Checkpoints
{Provider} > {service} > {resource} > Audit Logging > Log Retention Days
{Provider} > {service} > {resource} > Audit Logging > Log Duration
{Provider} > {service} > {resource} > Audit Logging > Log Connections
{Provider} > {service} > {resource} > Audit Logging > Log Disconnections

Policy Types Description

PolicyDescription
{Provider} > {service} > {resource} > Audit LoggingAllows you to check or enforce audit logging requirement for the resource.
{Provider} > {service} > {resource} > Audit Logging > User Activity LoggingDefine the user activity audit logging settings required for the resource.
{Provider} > {service} > {resource} > Audit Logging > BucketThe name of a S3 bucket to which the resource audit logs is stored.
{Provider} > {service} > {resource} > Audit Logging > Key PrefixDefine a folder(Optional) inside S3 bucket to which the resource audit logs is stored.
{Provider} > {service} > {resource} > Audit Logging > Log CheckpointsSets desired value for each checkpoint.
{Provider} > {service} > {resource} > Audit Logging > Log Retention DaysSets the number of days a log file is saved for.
{Provider} > {service} > {resource} > Audit Logging > Log DurationSets the desired value to log the duration of each completed SQL statement.
{Provider} > {service} > {resource} > Audit Logging > Log ConnectionsSets the desired value to log each successful connection.
{Provider} > {service} > {resource} > Audit Logging > Log DisconnectionsSets the desired value to log end of a session, including duration.

Note:

  • The Audit Logging control evaluates and take actions if and only if the parameter group of the cluster is not the default and is not shared with any other cluster. If these conditions are not met, the control is set in the invalid state.
  • The S3 bucket configured to inject the logs must exist in the same region as the cluster and the Redshift service must be allowed write access.