How to Audit Access in Amazon Redshift

Galaxy Glossary

How do I audit user logins and table access in Amazon Redshift?

Audit access in Amazon Redshift by enabling user-activity logging and querying STL/SVL system tables to see who logged in and which tables they touched.

Sign up for the latest in SQL knowledge from the Galaxy Team!
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Description

What is Redshift access auditing?

Redshift access auditing captures login events and query activity so you can see who accessed what data and when.

How do I enable audit logging in Amazon Redshift?

Set enable_user_activity_logging = true in the cluster parameter group, configure an S3 log destination, then reboot. Redshift starts writing connection, user, and query logs to STL tables and copies them to S3 every five minutes.

Which system tables record access events?

stl_connection_log stores successful logins, stl_userlog captures failed logins, svl_qlog details table-level reads/writes, and svl_statementtext holds full SQL text. Join these tables for complete visibility.

How can I list the last 24 hours of logins?

SELECT event_time, username, remotehost, ssl FROM stl_connection_log WHERE event_time >= dateadd('hour',-24,current_timestamp) ORDER BY event_time DESC;

How can I find who queried the Customers table?

SELECT username,starttime,query FROM svl_qlog WHERE tbl = (SELECT oid FROM pg_table_def WHERE tablename='customers') AND starttime >= dateadd('day',-1,current_timestamp);

Example: detect abnormal reads on customer emails

The query below groups yesterday’s reads on Customers so you can spot outliers quickly.

Best practices for Redshift access auditing

Unload or copy audit logs to S3 daily, retain at least 90 days, monitor stl_userlog for repeated failures, and stream logs to CloudWatch/SIEM for real-time alerts.

Common mistakes

Not enabling logging: STL/SVL tables stay empty. Fix by turning on enable_user_activity_logging and rebooting.

Ignoring retention: STL tables purge after a few days. Schedule nightly UNLOAD jobs or automate S3 exports.

Need a faster way?

Galaxy’s AI copilot can generate these audit queries instantly, let you endorse them in Collections, and share with security teams—no more copy-pasting SQL in Slack.

Why How to Audit Access in Amazon Redshift is important

How to Audit Access in Amazon Redshift Example Usage


-- Who read the Customers table in the last 24 hours?
SELECT username, COUNT(*) AS query_count
FROM svl_qlog
WHERE tbl = (SELECT oid FROM pg_table_def WHERE tablename='customers')
  AND starttime >= dateadd('day',-1,current_timestamp)
GROUP BY username
ORDER BY query_count DESC;

How to Audit Access in Amazon Redshift Syntax


-- Enable user-activity logging
ALTER SYSTEM SET enable_user_activity_logging = true;

-- View logins
SELECT event_time, username, remotehost, ssl, pid
FROM stl_connection_log
WHERE event = 'authentication';

-- View table-level access for ecommerce data
SELECT username, starttime, query
FROM svl_qlog
WHERE tbl IN (SELECT oid FROM pg_table_def WHERE tablename IN ('customers','orders','orderitems'));

-- Export audit data older than 7 days
UNLOAD ('SELECT * FROM stl_connection_log WHERE recordtime < dateadd(day,-7,current_date)')
TO 's3://my-audit-bucket/redshift/'
IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftUnload';

Common Mistakes

Frequently Asked Questions (FAQs)

Does auditing slow down my Redshift cluster?

Minimal impact. Logging writes lightweight metadata asynchronously. Query performance remains unchanged for typical workloads.

How long does Redshift retain audit logs?

STL/SVL tables keep 2–5 days depending on cluster size. S3 copies persist until you delete or lifecycle-expire them.

Can I stream audit logs to CloudWatch?

Yes. Configure Redshift to export logs to CloudWatch via the console or AWS CLI for centralized monitoring and alerting.

Want to learn about other SQL terms?

dbt tests

dbt tests are declarative assertions in dbt that automatically validate data quality during model builds.

dbt utils

dbt utils is a community-maintained dbt package that adds time-saving utility macros for analytics engineers, such as generating surrogate keys, safely unioning models, and automating date spines.

dbt Tutorial Glossary: Build, Test & Deploy SQL Models

dbt is an open-source framework that lets data teams transform raw warehouse tables into tested, documented, production-ready datasets using version-controlled SQL.

Company
BlogFeaturesPricingAboutCareersFeature Requests
Resources
Resource LibraryDocsSupportBrand Kit
Explore
Product TourData Job BoardRecruitersConsultantsStartup ToolsMemes
Learn
Learn SQLBeginner ResourcesData ToolsSQL Interview PrepCommon ErrorsSQL OptimizationSQL In Other LanguagesGlossary
Comparisons
DatagripTablePlusDBeaverBeekeeper StudiopgAdminMySQL WorkbenchSQL Server Management StudioPosticoDbVisualizerNao LabsCursor
HexBrieferPopSQLSherloqBlazeSQLSweep AIWaii AIOuterbase
© 2025 Galaxy Software Inc.
hello@getgalaxy.io
Terms of ServicePrivacy PolicySecurity
Reddit IconProduct Hunt IconTwitter / X IconLinkedIn Icon