Ensure Redshift uses SSL

ID

redshift_uses_ssl

Severity

high

Vendor

AWS

Resource

Redshift

Tags

reachable

Description

An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster. Each cluster runs an Amazon Redshift engine and contains one or more databases.

Enforcing SSL connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application.

Examples

CloudFormation

{
  "Resources": {
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::ClusterParameterGroup",
      "Properties": {
        "Description": "parameter group",
        "ParameterGroupFamily": "redshift-1.0"
      }
    }
  }
}

MyRedshiftCluster has no require_ssl parameter, which means SSL is NOT enabled.

The same template in YAML:

Resources:
  MyRedshiftCluster:
    Type: AWS::Redshift::ClusterParameterGroup
    Properties:
      Description: parameter group
      ParameterGroupFamily: redshift-1.0

MyRedshiftCluster has no require_ssl parameter, which means SSL is NOT enabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::ClusterParameterGroup",
      "Properties": {
        "Description": "parameter group",
        "ParameterGroupFamily": "redshift-1.0",
        "Parameters": [
          {
            "ParameterName": "require_ssl",
            "ParameterValue": "true"
          }
        ]
      }
    }
  }
}

The require_ssl parameter set to true means SSL is enabled.

The same template in YAML:

Resources:
  MyRedshiftCluster:
    Type: AWS::Redshift::ClusterParameterGroup
    Properties:
      Description: parameter group
      ParameterGroupFamily: redshift-1.0
      Parameters:
        - ParameterName: "require_ssl"
          ParameterValue: "true"

The require_ssl parameter set to true means SSL is enabled.
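
The build-time condition above can be checked with a short script. This is an added example, not code from the original page or from the scanner that implements redshift_uses_ssl; the helper names, the sample template and its logical IDs are constructed for illustration. It flags every AWS::Redshift::ClusterParameterGroup whose Parameters do not set require_ssl to the literal true, and treats an unresolved value such as a Ref as not enforced.

```python
PARAM_GROUP_TYPE = "AWS::Redshift::ClusterParameterGroup"


def find_groups_without_ssl(template):
    """Return sorted logical IDs of parameter groups that do not enforce SSL.

    Hypothetical helper for this example. A group passes only when it has a
    require_ssl parameter whose value is the literal "true"; a missing
    parameter, "false", or an unresolved intrinsic (e.g. a Ref) all fail.
    """
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != PARAM_GROUP_TYPE:
            continue
        params = (resource.get("Properties") or {}).get("Parameters") or []
        enforced = any(
            isinstance(p, dict)
            and p.get("ParameterName") == "require_ssl"
            and str(p.get("ParameterValue")).strip().lower() == "true"
            for p in params
        )
        if not enforced:
            failing.append(logical_id)
    return sorted(failing)


def _group(*params):
    """Build a constructed parameter-group resource for the sample template."""
    props = {"Description": "parameter group", "ParameterGroupFamily": "redshift-1.0"}
    if params:
        props["Parameters"] = [{"ParameterName": n, "ParameterValue": v} for n, v in params]
    return {"Type": PARAM_GROUP_TYPE, "Properties": props}


# Constructed sample: one compliant group, three non-compliant ones,
# and an unrelated resource that must be ignored.
SAMPLE_TEMPLATE = {"Resources": {
    "SslOn": _group(("require_ssl", "true")),
    "NoParameters": _group(),
    "SslOff": _group(("enable_user_activity_logging", "true"), ("require_ssl", "false")),
    "SslFromRef": _group(("require_ssl", {"Ref": "RequireSslParam"})),
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    # A JSON template file is checked the same way after json.load().
    for name in find_groups_without_ssl(SAMPLE_TEMPLATE):
        print(f"FAIL redshift_uses_ssl: {name}")
```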

Runtime

AWS Console

To enforce SSL, go to the Amazon Redshift Console:

  • Expand the identified Redshift cluster and make a note of the Cluster Parameter Group.

  • In the navigation panel, click on the Parameter group.

  • Select the identified Parameter Group and click on Edit Parameters.

  • Update the parameter require_ssl to true.

  • Click Save.