Ensure AWS Redshift instances are encrypted

AWS Redshift clusters should be encrypted at rest to help protect sensitive data from breaches. Redshift encryption covers the cluster's data blocks, system metadata and automated snapshots; a cluster created without encryption stores all of these in the clear.

Risk Level: High
Cloud Entity: Amazon Redshift
CloudGuard Rule ID: D9.AWS.CRY.34
Category: Database

GSL LOGIC

Redshift should have dataEncrypted=true

REMEDIATION

From Portal
The following steps enable encryption for the desired Redshift cluster:

  1. Log in to the AWS Management Console.
  2. Navigate to the Redshift dashboard at https://console.aws.amazon.com/redshift/.
  3. In the navigation panel, under Redshift Dashboard, click 'Clusters'.
  4. Choose the Redshift cluster whose encryption settings you want to modify and open its 'Properties' tab.
  5. Check the Encryption status (Disabled/Enabled) under Cluster Properties.
  6. Click 'Edit' on the right-hand side and open the encryption settings.
  7. Select the desired encryption type (the AWS-managed key or a customer-managed KMS key) and save.

From TF

resource "aws_redshift_cluster" "test" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"

  # Enables encryption at rest (the setting this rule checks). Without a
  # kms_key_id the cluster uses the AWS-managed Redshift key.
  encrypted = true
}

From Command Line
To turn on encryption for an existing Redshift cluster (replace PUT_VALUE with the cluster identifier; add --kms-key-id to use a customer-managed key instead of the AWS-managed one):

aws redshift modify-cluster --cluster-identifier PUT_VALUE --encrypted

Enabling encryption on an existing cluster migrates its data to a new encrypted cluster. The cluster stays in read-only mode until the migration completes, so schedule the change in a maintenance window and confirm afterwards that "Encrypted" is true in the output of aws redshift describe-clusters.
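The GSL logic above and the CLI remediation can be combined into an audit that a practitioner would run across an account: evaluate each cluster against the rule and, for every non-compliant one, emit the modify-cluster command. The following is an added example, not CloudGuard's or AWS's own code. It assumes the input is the Clusters list returned by aws redshift describe-clusters (or boto3 describe_clusters()), that the GSL attribute dataEncrypted corresponds to the API's Encrypted field, and that modify-cluster is only worth issuing while the cluster reports the "available" state. The sample clusters are constructed for the example.

```python
"""Audit Redshift clusters for encryption at rest and build remediation commands.

Added example; not CloudGuard's or AWS's own code. Input shape follows the
'Clusters' list of `aws redshift describe-clusters`; sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import shlex


@dataclass(frozen=True)
class Finding:
    cluster_id: str
    status: str
    remediation: Optional[str]  # None when the cluster cannot be modified right now


# Constructed sample in the shape of describe-clusters output (values are made up;
# 111122223333 is the AWS documentation example account ID).
SAMPLE_CLUSTERS: List[Dict] = [
    {"ClusterIdentifier": "analytics-prod", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "ClusterStatus": "available"},
    {"ClusterIdentifier": "staging-dw", "Encrypted": False,
     "ClusterStatus": "available"},
    # Field missing entirely: treat as not encrypted rather than silently passing.
    {"ClusterIdentifier": "legacy-reports", "ClusterStatus": "modifying"},
]


def is_compliant(cluster: Dict) -> bool:
    """Rule 'Redshift should have dataEncrypted=true'; assumption: dataEncrypted
    maps to the API's Encrypted flag. Anything other than an explicit True fails."""
    return cluster.get("Encrypted") is True


def remediation_command(cluster: Dict, kms_key_id: Optional[str] = None) -> Optional[str]:
    """Build the modify-cluster command from the REMEDIATION section.

    Assumption: modify-cluster is rejected unless the cluster is 'available', so
    other states get no command and must be re-audited later.
    """
    if cluster.get("ClusterStatus") != "available":
        return None
    cmd = ["aws", "redshift", "modify-cluster",
           "--cluster-identifier", shlex.quote(cluster["ClusterIdentifier"]),
           "--encrypted"]
    if kms_key_id:  # customer-managed key instead of the AWS-managed default
        cmd += ["--kms-key-id", shlex.quote(kms_key_id)]
    return " ".join(cmd)


def audit(clusters: List[Dict], kms_key_id: Optional[str] = None) -> List[Finding]:
    """Return one Finding per non-compliant cluster, in input order."""
    return [
        Finding(c["ClusterIdentifier"], c.get("ClusterStatus", "unknown"),
                remediation_command(c, kms_key_id))
        for c in clusters
        if not is_compliant(c)
    ]


if __name__ == "__main__":
    # In a real run: clusters = boto3.client("redshift").describe_clusters()["Clusters"]
    for f in audit(SAMPLE_CLUSTERS):
        print(f"{f.cluster_id} ({f.status}): {f.remediation or 'cluster not available; retry later'}")
```

Running the block lists staging-dw with its modify-cluster command and legacy-reports with a retry notice, since a cluster that is already being modified cannot start the encryption migration. Pass a KMS key ARN or alias as kms_key_id to generate the --kms-key-id variant.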

References

  1. https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#create-cluster
  2. https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html

Amazon Redshift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution. Most results come back in seconds. With Amazon Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth the cost of traditional solutions.

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management