Cloud Data Warehouse

Redshift Connector

Connect DB Audit to Amazon Redshift for comprehensive query monitoring, user activity tracking, and compliance reporting with native STL/SYS table integration.

Native Deep Integration

STL/SYS Native

Direct access to system tables

CloudWatch Integration

Optional audit log streaming

<1% Performance Impact

Read-only system table queries

What You Can Monitor

Query Monitoring

Track every SQL query with full query text, execution plan, and performance metrics from STL tables.

User Activity Tracking

Monitor user connections, authentication events, and session activity across your cluster.

DDL Change Detection

Detect and alert on schema changes, table modifications, and user/group permission changes.

Data Access Patterns

Analyze which users access which tables and identify unusual query patterns or data exfiltration.

Requirements

Redshift Version All versions supported

Network Access TCP port 5439 (or custom port)

Authentication Database user or IAM authentication

Required Privileges SELECT on STL/SYS tables, pg_catalog

Configuration Reference

Basic Connection

Field	Type	Required	Description
`name`	string	Yes	A unique name to identify this connection
`host`	string	Yes	Redshift cluster endpoint hostname
`port`	number	Yes	Redshift cluster port
`database`	string	Yes	Database name to connect to
`username`	string	Yes	Database username
`password`	password	Yes	Database password (stored encrypted)

SSL Configuration

Field	Type	Default	Description
`ssl_mode`	select	`require`	SSL connection mode
`ssl_ca_cert`	string	`-`	CA certificate for server verification

Log Collection

Field	Type	Default	Description
`log_collection_type`	select	`native_audit`	Method for collecting audit logs
`polling_interval`	number	`60`	Seconds between log collection polls
`history_days`	number	`7`	Days of query history to retain

Log Collection Methods

DB Audit supports multiple methods for collecting audit data from Amazon Redshift.

STL/SYS System Tables

Recommended

Query Redshift's system tables (STL_QUERY, STL_CONNECTION_LOG, SYS_QUERY_HISTORY) for comprehensive audit data.

Detailed query stats

User attribution

Connection tracking

No extra cost

CloudWatch Logs

Collect Redshift audit logs from CloudWatch for centralized log management.

Centralized logging

Long-term retention

Cross-service analysis

Works with audit logging enabled

Create Audit User

Create a dedicated read-only user with access to system tables.

-- Create a dedicated audit user with minimal privileges
-- Connect as admin/superuser

CREATE USER dbaudit_reader PASSWORD 'your_secure_password';

-- Grant access to system tables for audit data
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO dbaudit_reader;

-- Grant access to STL tables (query history, connections)
GRANT SELECT ON stl_query TO dbaudit_reader;
GRANT SELECT ON stl_querytext TO dbaudit_reader;
GRANT SELECT ON stl_connection_log TO dbaudit_reader;
GRANT SELECT ON stl_ddltext TO dbaudit_reader;
GRANT SELECT ON stl_userlog TO dbaudit_reader;
GRANT SELECT ON stl_wlm_query TO dbaudit_reader;

-- Grant access to SYS views (newer Redshift)
GRANT SELECT ON sys_query_history TO dbaudit_reader;
GRANT SELECT ON sys_query_detail TO dbaudit_reader;
GRANT SELECT ON sys_connection_log TO dbaudit_reader;
GRANT SELECT ON sys_user_history TO dbaudit_reader;

-- Grant access to SVL views
GRANT SELECT ON svl_user_info TO dbaudit_reader;
GRANT SELECT ON svl_statementtext TO dbaudit_reader;

Enable Audit Logging (Optional)

Enable Redshift audit logging to S3 for long-term retention and CloudWatch integration.

-- Enable Redshift audit logging to S3 (optional but recommended)
-- This enables logging to S3 and CloudWatch

-- Via AWS Console:
-- 1. Go to Redshift Console > Clusters > Your Cluster
-- 2. Properties > Audit logging > Modify
-- 3. Enable audit logging and specify S3 bucket

-- Via AWS CLI:
aws redshift modify-cluster \
  --cluster-identifier your-cluster-id \
  --logging-properties \
    "BucketName=your-audit-bucket,S3KeyPrefix=redshift-audit/" \
  --region us-east-1

-- Enable user activity logging (captures full query text)
-- This requires a parameter group change
aws redshift modify-cluster-parameter-group \
  --parameter-group-name your-parameter-group \
  --parameters ParameterName=enable_user_activity_logging,ParameterValue=true

-- Enable connection logging
aws redshift modify-cluster-parameter-group \
  --parameter-group-name your-parameter-group \
  --parameters ParameterName=log_connections,ParameterValue=true

Configure DB Audit Collector

Add your Redshift cluster to the DB Audit configuration.

databases:
  - name: production-redshift
    type: redshift
    host: your-cluster.xxxx.us-east-1.redshift.amazonaws.com
    port: 5439
    database: your_database
    username: dbaudit_reader
    password: ${REDSHIFT_PASSWORD}

    # SSL Configuration (required for Redshift)
    ssl:
      mode: require
      # ca_cert: /etc/dbaudit/certs/redshift-ca.pem  # For verify-ca/verify-full

    # Connection settings
    connect_timeout: 30
    query_timeout: 300

    # Monitoring options
    options:
      track_queries: true
      track_connections: true
      track_ddl: true
      track_user_changes: true
      history_days: 7

Test Connection

Verify your configuration before deploying.

# Test connection with psql
psql -h your-cluster.xxxx.us-east-1.redshift.amazonaws.com \
  -p 5439 -U dbaudit_reader -d your_database \
  -c "SELECT COUNT(*) FROM stl_query WHERE starttime > DATEADD(day, -1, GETDATE());"

# Test with SSL
psql "host=your-cluster.xxxx.us-east-1.redshift.amazonaws.com \
  port=5439 user=dbaudit_reader dbname=your_database sslmode=require" \
  -c "SELECT version();"

# Check audit logging status
aws redshift describe-logging-status \
  --cluster-identifier your-cluster-id \
  --region us-east-1

# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml

Compliance Support

DB Audit's Redshift connector helps you meet audit requirements for major compliance frameworks.

SOC 2

Access logging

HIPAA

PHI access audit

PCI DSS

Cardholder data

GDPR

Data access rights

Troubleshooting

Connection refused

Verify the cluster endpoint, port, and security group settings. Ensure the cluster is publicly accessible or the collector is in the same VPC.

Permission denied on STL tables

Grant SELECT permissions on required STL/SYS tables to the audit user. Superuser privileges are not required.

SSL connection error

Redshift requires SSL by default. Use sslmode=require or download the AWS Redshift CA bundle for verify-ca/verify-full.

Next Steps

Configure Alerts & Rules

View All Database Connectors

Ready to Audit Your Redshift Cluster?

Start monitoring your Amazon Redshift data warehouse in minutes with native STL/SYS table integration.

Start Free Trial Contact Sales