Severity: HIGH
Source: Trivy/CSPM
CSPM ID: redshift-cluster-cmk-encryption
ID: AVD-AWS-0084

Redshift clusters should use at-rest encryption

Redshift clusters that hold sensitive data or fall under regulatory requirements should be encrypted at rest, so that the stored data is not exposed if the underlying storage or infrastructure is compromised. The remediation below enables encryption with a customer-managed KMS key (CMK) rather than the default AWS-managed key, which also gives you control over the key policy and key rotation.

Impact

Data may be leaked if infrastructure is compromised

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption using CMK (CloudFormation)

AWSTemplateFormatVersion: 2010-09-09
Description: Good example of redshift cluster
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      # ClusterType, NodeType, DBName, MasterUsername and MasterUserPassword are
      # required by the resource type; values mirror the Terraform example below.
      ClusterType: single-node
      NodeType: dc1.large
      DBName: mydb
      MasterUsername: foo
      MasterUserPassword: Mustbe8characters # placeholder; use a NoEcho parameter or Secrets Manager in real templates
      Encrypted: true
      KmsKeyId: "something" # replace with the ID or ARN of your customer-managed KMS key


Enable encryption using CMK (Terraform)

resource "aws_kms_key" "redshift" {
  description         = "CMK for Redshift at-rest encryption"
  enable_key_rotation = true
}

resource "aws_redshift_cluster" "good_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters" # placeholder; pass via a sensitive variable or Secrets Manager in real code
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  encrypted          = true
  # The provider documents kms_key_id as the key ARN, so reference .arn rather than .key_id.
  kms_key_id         = aws_kms_key.redshift.arn
}
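The remediation above fixes the infrastructure code; you will usually also want to find the clusters that already violate the rule. The following is an added example, not Trivy's implementation of this check: it applies the same two conditions the remediation sets (Encrypted enabled and a non-empty KmsKeyId) to a parsed CloudFormation template and to data shaped like the Redshift DescribeClusters API response. The rule ID, the finding messages and all sample inputs are constructed for the illustration.

```python
"""Minimal checker for the AVD-AWS-0084 rule: a Redshift cluster must be
encrypted at rest with a customer-managed KMS key (CMK).

Added illustration, not Trivy's code. The conditions mirror the remediation
on this page: Encrypted = true plus a non-empty KmsKeyId. All sample inputs
below are constructed.
"""
from typing import Any, Dict, List, Optional

RULE_ID = "AVD-AWS-0084"


def evaluate_cluster(encrypted: Any, kms_key_id: Any) -> Optional[str]:
    """Return a finding message, or None when the cluster satisfies the rule.

    `encrypted` may be a bool (API response, YAML true) or a string
    ("true"/"false" in JSON templates), so it is normalised first.
    """
    is_encrypted = str(encrypted).strip().lower() == "true"
    if not is_encrypted:
        return "cluster is not encrypted at rest"
    if not isinstance(kms_key_id, str) or not kms_key_id.strip():
        return "cluster is encrypted with the AWS-managed key, not a CMK"
    return None


def scan_cfn_template(template: Dict[str, Any]) -> List[str]:
    """Evaluate every AWS::Redshift::Cluster in a parsed CloudFormation template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = resource.get("Properties", {})
        # CloudFormation treats a missing Encrypted property as false.
        problem = evaluate_cluster(props.get("Encrypted", False), props.get("KmsKeyId"))
        if problem:
            findings.append(f"{RULE_ID} {name}: {problem}")
    return findings


def scan_describe_clusters(response: Dict[str, Any]) -> List[str]:
    """Evaluate live clusters from a DescribeClusters-shaped response."""
    findings = []
    for cluster in response.get("Clusters", []):
        problem = evaluate_cluster(cluster.get("Encrypted", False), cluster.get("KmsKeyId"))
        if problem:
            findings.append(f"{RULE_ID} {cluster.get('ClusterIdentifier', '?')}: {problem}")
    return findings


# Constructed sample: one compliant cluster, two non-compliant ones, one unrelated resource.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"Encrypted": True, "KmsKeyId": "alias/redshift-cmk"},
        },
        "PlainCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"NodeType": "dc2.large"},
        },
        "DefaultKeyCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"Encrypted": "true"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
}

# Constructed sample shaped like boto3's redshift.describe_clusters() output.
SAMPLE_DESCRIBE = {
    "Clusters": [
        {
            "ClusterIdentifier": "analytics-prod",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
        },
        {"ClusterIdentifier": "scratch", "Encrypted": False},
    ]
}

if __name__ == "__main__":
    for line in scan_cfn_template(SAMPLE_TEMPLATE) + scan_describe_clusters(SAMPLE_DESCRIBE):
        print(line)
```

Against live accounts, feed `scan_describe_clusters` the dict returned by boto3's `describe_clusters()` (paginate if you have many clusters); note that a cluster encrypted with the AWS-managed key returns `Encrypted: true` but no `KmsKeyId`, which is why the second condition is checked separately.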