aws
diff --git a/‎packages/@aws-cdk/aws-redshift/README.md‎
Lines changed: 23 additions & 0 deletions b/‎packages/@aws-cdk/aws-redshift/README.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-redshift/lib/cluster.ts‎
Lines changed: 41 additions & 14 deletions b/‎packages/@aws-cdk/aws-redshift/lib/cluster.ts‎
Lines changed: 41 additions & 14 deletions
diff --git a/‎packages/@aws-cdk/aws-redshift/package.json‎
Lines changed: 1 addition & 0 deletions b/‎packages/@aws-cdk/aws-redshift/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-redshift/test/cluster-loggingbucket.integ.snapshot/LoggingBucketIntegDefaultTestDeployAssert2827ECC1.template.json‎
Lines changed: 1 addition & 0 deletions b/‎packages/@aws-cdk/aws-redshift/test/cluster-loggingbucket.integ.snapshot/LoggingBucketIntegDefaultTestDeployAssert2827ECC1.template.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-redshift/test/cluster-loggingbucket.integ.snapshot/aws-cdk-redshift-cluster-loggingbucket.assets.json‎
Lines changed: 19 additions & 0 deletions b/‎packages/@aws-cdk/aws-redshift/test/cluster-loggingbucket.integ.snapshot/aws-cdk-redshift-cluster-loggingbucket.assets.json‎
Lines changed: 19 additions & 0 deletions
@@ -45,6 +45,29 @@ A default database named `default_db` will be created in the cluster. To change
 By default, the cluster will not be publicly accessible.
 Depending on your use case, you can make the cluster publicly accessible with the `publiclyAccessible` property.
 
+## Adding a logging bucket for database audit logging to S3
+
+Amazon Redshift logs information about connections and user activities in your database. These logs help you to monitor the database for security and troubleshooting purposes, a process called database auditing. To send these logs to an S3 bucket, specify the `loggingProperties` when creating a new cluster.
+
+```ts
+import * as ec2 from '@aws-cdk/aws-ec2';
+import * as s3 from '@aws-cdk/aws-s3';
+
+const vpc = new ec2.Vpc(this, 'Vpc');
+const bucket = s3.Bucket.fromBucketName(stack, 'bucket', 'logging-bucket');
+
+const cluster = new Cluster(this, 'Redshift', {
+  masterUser: {
+    masterUsername: 'admin',
+  },
+  vpc,
+  loggingProperties: {
+    loggingBucket = bucket,
+    loggingKeyPrefix: 'prefix',
+  }
+});
+```
+
 ## Connecting
 
 To control who can access the cluster, use the `.connections` attribute. Redshift Clusters have
 
@@ -95,6 +95,24 @@ export interface Login {
   readonly encryptionKey?: kms.IKey;
 }
 
+/**
+ * Logging bucket and S3 prefix combination
+ */
+export interface LoggingProperties {
+  /**
+   * Bucket to send logs to.
+   * Logging information includes queries and connection attempts, for the specified Amazon Redshift cluster.
+   *
+   */
+  readonly loggingBucket: s3.IBucket
+
+  /**
+   * Prefix used for logging.
+   *
+   */
+  readonly loggingKeyPrefix: string
+}
+
 /**
  * Options to add the multi user rotation
  */
@@ -294,19 +312,11 @@ export interface ClusterProps {
   readonly defaultDatabaseName?: string;
 
   /**
-   * Bucket to send logs to.
-   * Logging information includes queries and connection attempts, for the specified Amazon Redshift cluster.
-   *
-   * @default - No Logs
-   */
-  readonly loggingBucket?: s3.IBucket
-
-  /**
-   * Prefix used for logging
+   * Bucket details for log files to be sent to, including prefix.
    *
-   * @default - no prefix
+   * @default - No logging bucket is used
    */
-  readonly loggingKeyPrefix?: string
+  readonly loggingProperties?: LoggingProperties;
 
   /**
    * The removal policy to apply when the cluster and its instances are removed
@@ -475,11 +485,28 @@ export class Cluster extends ClusterBase {
     this.multiUserRotationApplication = secretsmanager.SecretRotationApplication.REDSHIFT_ROTATION_MULTI_USER;
 
     let loggingProperties;
-    if (props.loggingBucket) {
+    if (props.loggingProperties) {
       loggingProperties = {
-        bucketName: props.loggingBucket.bucketName,
-        s3KeyPrefix: props.loggingKeyPrefix,
+        bucketName: props.loggingProperties.loggingBucket.bucketName,
+        s3KeyPrefix: props.loggingProperties.loggingKeyPrefix,
       };
+      props.loggingProperties.loggingBucket.addToResourcePolicy(
+        new iam.PolicyStatement(
+          {
+            actions: [
+              's3:GetBucketAcl',
+              's3:PutObject',
+            ],
+            resources: [
+              props.loggingProperties.loggingBucket.arnForObjects('*'),
+              props.loggingProperties.loggingBucket.bucketArn,
+            ],
+            principals: [
+              new iam.ServicePrincipal('redshift.amazonaws.com'),
+            ],
+          },
+        ),
+      );
     }
 
     const cluster = new CfnCluster(this, 'Resource', {
 
@@ -85,6 +85,7 @@
     "@aws-cdk/integ-runner": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
+    "@aws-cdk/integ-tests": "0.0.0",
     "@types/jest": "^27.5.2",
     "aws-sdk": "^2.848.0",
     "jest": "^27.5.1"
 
@@ -0,0 +1 @@
+{}
@@ -0,0 +1,19 @@
+{
+  "version": "20.0.0",
+  "files": {
+    "941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f": {
+      "source": {
+        "path": "aws-cdk-redshift-cluster-loggingbucket.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}