AWSConfigRemediation-EnableRedshiftClusterAuditLogging - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSConfigRemediation-EnableRedshiftClusterAuditLogging runbook enables audit logging for the Amazon Redshift cluster you specify.

Run this Automation (console)

Document type







  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • BucketName

    Type: String

    Description: (Required) The name of the Amazon Simple Storage Service (Amazon S3) bucket you want to upload logs to.

  • ClusterIdentifier

    Type: String

    Description: (Required) The unique identifier of the cluster you want to enable audit logging on.

  • S3KeyPrefix

    Type: String

    Description: (Optional) The Amazon S3 key prefix (subfolder) you want to upload logs to.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • redshift:DescribeLoggingStatus

  • redshift:EnableLogging

  • s3:GetBucketAcl

  • s3:PutObject

Document Steps

  • aws:branch - Branches based on whether a value was specified for the S3KeyPrefix parameter.

  • aws:executeAwsApi - Enables audit logging on the cluster specified in the ClusterIdentifier parameter.

  • aws:assertAwsResourceProperty - Verifies audit logging was enabled on the cluster.