Monitoring and auditing data sharing in Amazon Redshift - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Monitoring and auditing data sharing in Amazon Redshift

With Amazon Redshift, you can monitor and audit data sharing activities to ensure compliance and security.

By auditing data sharing, producers can track how a datashare evolves over time. For example, auditing records when datashares are created, when objects are added to or removed from them, and when permissions are granted to or revoked from Amazon Redshift clusters, Amazon accounts, or Amazon Regions.

In addition to auditing, producers and consumers can track datashare usage at various granularities, such as the account, cluster, and object levels. For more information about the usage-tracking and auditing views, see SVL_DATASHARE_CHANGE_LOG and SVL_DATASHARE_USAGE_PRODUCER.

You can monitor datashares by querying system views.

  1. The producer administrator who wants to share data creates an Amazon Redshift datashare. The producer administrator then adds the needed database objects, such as schemas, tables, and views, to the datashare and specifies the list of consumers that the objects are to be shared with.

    Use the following system views to see consolidated views for tracking changes to and usage of datashares on producer and/or consumer clusters:

    Use the following system views to see datashare objects and data consumer information for outbound datashares:

  2. The consumer administrators look at the datashares for which they have been granted usage and review the contents of each datashare by viewing inbound datashares using SVV_DATASHARES.

    To consume shared data, each consumer administrator creates an Amazon Redshift database from the datashare. The administrator then assigns permissions to the appropriate users and roles in the consumer cluster. Those users and roles can list the shared objects through the standard metadata queries, using the following metadata system views, and can start querying the data immediately.

    To view objects in Amazon Redshift local schemas, shared schemas, and external schemas, use the following metadata system views.

When you connect to a consumer database, cross-database discovery is disabled. The metadata system views only return metadata for the shared objects in the datashare associated with the connected database.
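The following queries are an added example, not code from the Amazon Redshift documentation, showing how a producer administrator can audit datashare changes and usage through SVL_DATASHARE_CHANGE_LOG and SVL_DATASHARE_USAGE_PRODUCER, and how a consumer administrator can review inbound datashares through SVV_DATASHARES. The datashare name `salesshare` and the account ID `111111111111` are placeholders; the column names used here are taken from the documented definitions of those views as assumed by this example, so check them against the view reference for your cluster version.

```sql
-- Added example (not from the page). 'salesshare' and '111111111111' are
-- constructed placeholders; column names are assumed from the view definitions.

-- 1. Producer: every change to the datashare in the last 7 days, newest first.
--    Object additions/removals and grants/revokes appear as distinct actions,
--    together with the user who made the change and the affected consumer.
SELECT record_time,
       username,
       share_name,
       action,
       share_object_type,
       share_object_name,
       consumer_account,
       consumer_namespace
FROM svl_datashare_change_log
WHERE share_name = 'salesshare'
  AND record_time > DATEADD(day, -7, GETDATE())
ORDER BY record_time DESC;

-- 2. Producer: grants that name a consumer account outside the approved list.
--    Any row here is a permission change to review, not a usage event.
SELECT record_time, username, action, consumer_account, consumer_namespace
FROM svl_datashare_change_log
WHERE share_name = 'salesshare'
  AND action LIKE 'GRANT%'
  AND consumer_account IS NOT NULL
  AND consumer_account NOT IN ('111111111111')   -- approved consumer accounts
ORDER BY record_time DESC;

-- 3. Producer: which consumers read which shared objects, and how often,
--    so unexpected consumers or unexpectedly heavy access stand out.
SELECT consumer_account,
       consumer_namespace,
       object_name,
       COUNT(*)         AS access_count,
       MAX(record_time) AS last_access
FROM svl_datashare_usage_producer
WHERE share_name = 'salesshare'
  AND record_time > DATEADD(day, -7, GETDATE())
GROUP BY consumer_account, consumer_namespace, object_name
ORDER BY access_count DESC;

-- 4. Consumer: inbound datashares granted to this cluster, with the producer
--    they come from and whether the share is marked publicly accessible.
SELECT share_name,
       producer_account,
       producer_namespace,
       consumer_database,
       is_publicaccessible,
       createdate
FROM svv_datashares
WHERE share_type = 'INBOUND'
ORDER BY createdate DESC;
```

Queries 1 to 3 run on the producer cluster and query 4 on the consumer cluster. Because cross-database discovery is disabled on a consumer database, query 4 returns only the datashares associated with the database you are connected to.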

Integrating Amazon Redshift data sharing with Amazon CloudTrail

Data sharing is integrated with Amazon CloudTrail. CloudTrail is a service that provides a record of actions taken by a user, a role, or an Amazon service in Amazon Redshift. CloudTrail captures all API calls for data sharing as events. The calls captured include calls from the Amazon CloudTrail console and code calls to the data sharing operations. For more information about Amazon Redshift integration with Amazon CloudTrail, see Logging with CloudTrail.

For more information about CloudTrail, see How CloudTrail works.