Redshift Serverless namespaces should export logs to CloudWatch Logs
Connection and user logs from Redshift Serverless capture who connected, when, and what authentication method was used. Without these logs flowing to CloudWatch, you lose visibility into unauthorized access attempts, lose the ability to trace session activity back to specific users, and can't set up automated alerts on suspicious login patterns.
CloudWatch integration also gives you long-term retention policies and cross-account log aggregation, both of which become critical when investigating incidents days or weeks after they occur.
Retrofit consideration
Enabling log exports on an existing namespace does not cause downtime, but may increase CloudWatch Logs costs depending on query volume.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_redshiftserverless_namespace.
resource "aws_redshiftserverless_namespace" "this" {
  # Example credentials as shown on this page; in real configurations source the
  # admin password from a secrets store rather than a literal in version control.
  admin_user_password = "PofixTest123!"
  admin_username      = "rsadmin"
  db_name             = "mydb"
  # Both values are required for this control; useractivitylog may be added too.
  log_exports         = ["connectionlog", "userlog"]
  namespace_name      = "pofix-abc123"
}
What this control checks
The aws_redshiftserverless_namespace resource must include both connectionlog and userlog in its log_exports argument. A passing configuration looks like log_exports = ["connectionlog", "userlog"]. You can also include useractivitylog, but the control only checks for those two. It fails when log_exports is omitted, empty, or missing either required value. No separate CloudWatch Log Group resource is needed in Terraform; AWS creates the log groups under /aws/redshiftserverless/ automatically when export is enabled.
Common pitfalls
Missing one of the two required log types
Setting log_exports = ["userlog"] without connectionlog (or vice versa) still fails the control. Both must be present. It's tempting to assume one covers the other, but they capture different data: connection logs track authentication events while user logs track user-level DDL and configuration changes.
Confusing useractivitylog with userlog
Redshift Serverless supports three log types: connectionlog, userlog, and useractivitylog. The useractivitylog captures SQL statements, which is useful for query auditing but not what this control checks. Including only useractivitylog does not satisfy the requirement for userlog.
CloudWatch Logs costs at high connection volume
Namespaces with many short-lived connections (e.g., Lambda-driven query patterns) can generate significant CloudWatch Logs ingestion volume. Set a retention policy on the auto-created log groups using aws_cloudwatch_log_group with a matching name and retention_in_days to avoid unbounded storage costs.
Terraform import requires explicit log_exports in configuration
If log_exports is omitted from the Terraform configuration when importing an existing namespace, the next terraform apply will remove log exports and revert the namespace to a non-compliant state. Always verify log_exports is explicitly populated after running terraform import.
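The rule described under "What this control checks" and the pitfalls above, as an added example that is not part of this page or of any of the tools it maps to: a small Python evaluator that applies the same two-value rule to a namespace's logExports list (the field returned by aws redshift-serverless get-namespace) or to a log_exports argument pulled out of HCL text. The sample namespaces and the regex-based HCL extraction are constructed for this example.

```python
import re

# The two log types this control requires; useractivitylog is optional.
REQUIRED_LOG_EXPORTS = frozenset({"connectionlog", "userlog"})

_LOG_EXPORTS_RE = re.compile(r'log_exports\s*=\s*\[([^\]]*)\]')


def evaluate_log_exports(log_exports):
    """Return (status, reasons) for one namespace's log export list.

    log_exports is the logExports list from get-namespace output, or the
    Terraform log_exports argument; None or [] means export was never enabled.
    Status mirrors AWS Config wording: "COMPLIANT" or "NON_COMPLIANT".
    """
    present = set(log_exports or [])
    reasons = [f"missing {name}" for name in sorted(REQUIRED_LOG_EXPORTS - present)]
    # Pitfall from the page: useractivitylog never stands in for userlog.
    if "useractivitylog" in present and "userlog" not in present:
        reasons.append("useractivitylog does not satisfy the userlog requirement")
    return ("COMPLIANT" if not reasons else "NON_COMPLIANT"), reasons


def log_exports_from_hcl(hcl_text):
    """Pull the log_exports list out of a namespace block, or None if omitted.

    Constructed for this example: a regex is enough for the flat list the
    page shows; use a real HCL parser for anything more involved.
    """
    match = _LOG_EXPORTS_RE.search(hcl_text)
    if match is None:
        return None
    return re.findall(r'"([^"]+)"', match.group(1))


# Constructed sample: three namespaces shaped like get-namespace output.
SAMPLE_NAMESPACES = [
    {"namespaceName": "pofix-abc123", "logExports": ["connectionlog", "userlog"]},
    {"namespaceName": "analytics-dev", "logExports": ["useractivitylog"]},
    {"namespaceName": "legacy-etl", "logExports": []},
]


def evaluate_namespaces(namespaces):
    """Map namespaceName -> (status, reasons) for a list of namespaces."""
    return {ns["namespaceName"]: evaluate_log_exports(ns.get("logExports"))
            for ns in namespaces}


if __name__ == "__main__":
    for name, (status, reasons) in evaluate_namespaces(SAMPLE_NAMESPACES).items():
        print(f"{name}: {status} {'; '.join(reasons)}".rstrip())
```

A result of None from log_exports_from_hcl is the import pitfall above: the argument is absent, so the next apply would strip the exports.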
Audit evidence
Config rule evaluation results showing each namespace as COMPLIANT confirm that connectionlog and userlog appear in the namespace log export settings. Screenshots of the namespace detail page ("Data access" or "Logs" tab) showing both types enabled provide visual confirmation. CloudWatch Log Groups under /aws/redshiftserverless/<namespace-name>/connectionlog and /aws/redshiftserverless/<namespace-name>/userlog should exist and contain recent log events. The aws redshift-serverless get-namespace CLI output with a logExports array containing both values is the strongest API-level proof.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: redshiftserverless_namespace_export_connection_and_user_log_to_cloudwatch
AWS Config Managed Rule: REDSHIFT_SERVERLESS_PUBLISH_LOGS_TO_CLOUDWATCH
Powerpipe Control: aws_compliance.control.redshiftserverless_namespace_export_connection_and_user_log_to_cloudwatch
AWS Security Hub Control: RedshiftServerless.6
Last reviewed: 2026-03-09