Ensure Redshift cluster encryption at rest is enabled

ID

redshift_cluster_encryption_disabled

Severity

critical

Vendor

AWS

Resource

Redshift

Tags

reachable

Description

An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster. Each cluster runs an Amazon Redshift engine and contains one or more databases.

Amazon Redshift optionally encrypts your data as it writes it in its data centers and decrypts it for you when you access it.

To provide an additional layer of data protection to secure your data from unauthorized access, it’s recommended to enable encryption at rest.

Learn more about this topic at Redshift encryption at rest.

Examples

CloudFormation

{
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": "MasterUserPassword",
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Encrypted": false (1)
      }
    }
  }
}
1 Encrypted set to false means encryption is not enabled.
Resources:
  RedshiftCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Encrypted: false (1)
1 Encrypted set to false means encryption is not enabled.

Terraform

# Resource label "examplea" added so the block is valid HCL; a resource block needs both a type and a name.
resource "aws_redshift_cluster" "examplea" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = false  (1)
}
1 encrypted set to false (or omitted, since it defaults to false) means encryption at rest is not enabled; set it to true.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": "MasterUserPassword",
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Encrypted": true (1)
      }
    }
  }
}
1 Encrypted set to true means encryption is enabled.
Resources:
  RedshiftCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Encrypted: true (1)
1 Encrypted set to true means encryption is enabled.

Terraform

# Resource label "examplea" added so the block is valid HCL; aws_kms_key.redshift is an assumed key resource name.
resource "aws_redshift_cluster" "examplea" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = true
  kms_key_id                          = aws_kms_key.redshift.arn (1)
}
1 If using AWS Key Management Service, also set kms_key_id to the ARN of the key; otherwise the cluster is encrypted with the AWS managed key.
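A build-time check for this rule, written here as an added example and not part of this page or any scanner's own code: it walks a CloudFormation JSON template and reports every AWS::Redshift::Cluster whose Encrypted property is missing (the default is false) or not true. The template is constructed for the demo; the resource names in it are not from the original page.

```python
import json

# Constructed CloudFormation template for the demo (not from any real deployment):
# one cluster with Encrypted omitted, one set to false, one fixed, plus a non-Redshift resource.
TEMPLATE_JSON = json.dumps({
    "Resources": {
        "DefaultCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"DBName": "mydb", "NodeType": "ds2.xlarge",
                           "ClusterType": "single-node"},
        },
        "PlainCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"DBName": "mydb", "NodeType": "ds2.xlarge",
                           "ClusterType": "single-node", "Encrypted": False},
        },
        "EncryptedCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"DBName": "mydb", "NodeType": "ds2.xlarge",
                           "ClusterType": "single-node", "Encrypted": True,
                           "KmsKeyId": {"Ref": "RedshiftKey"}},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})


def _encryption_enabled(value):
    # CloudFormation accepts booleans as JSON true or as the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def redshift_encryption_findings(template_text):
    """Return (logical_id, reason) for each AWS::Redshift::Cluster whose encryption
    at rest is not enabled. A missing Encrypted property is reported because the
    property defaults to false; any value other than true (intrinsic functions
    included) is reported because it cannot be shown safe statically."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = resource.get("Properties", {})
        if "Encrypted" not in props:
            findings.append((logical_id, "Encrypted property omitted (defaults to false)"))
        elif not _encryption_enabled(props["Encrypted"]):
            findings.append((logical_id, f"Encrypted is {props['Encrypted']!r}"))
    return findings


if __name__ == "__main__":
    for logical_id, reason in redshift_encryption_findings(TEMPLATE_JSON):
        print(f"redshift_cluster_encryption_disabled: {logical_id}: {reason}")
```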