HIGH
Source
Trivy/CSPM
CSPM ID
redshift-cluster-cmk-encryption
ID
AVD-AWS-0084

Redshift clusters should use at rest encryption

Redshift clusters that contain sensitive data or are subject to regulation should be encrypted at rest to prevent data leakage should the infrastructure be compromised.

Impact

Data may be leaked if infrastructure is compromised

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption using CMK

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Redshift cluster encrypted at rest with a customer managed KMS key
Resources:
  Queue:
    Type: AWS::Redshift::Cluster
    Properties:
      # Encrypted alone would use the AWS managed key; KmsKeyId selects the CMK
      Encrypted: true
      KmsKeyId: "something"
1. Log into the AWS Management Console.
2. Select the “Services” option and search for Redshift.
3. Scroll down the left navigation panel and choose “Clusters”.
4. Select the cluster that needs to be verified and click on its identifier (name) in the “Cluster” column.
5. Scroll down the cluster configuration page and check the “Encrypted” option under “Cluster Database Properties”. If the current status is “No”, the data stored on the cluster is not encrypted.
6. Repeat steps 2 - 5 to verify other clusters.
7. Scroll down the left navigation panel, choose “Clusters” and click the “Quick launch cluster” button in the top menu to start creating a new cluster.
8. Select the “Node type” from the dropdown menu and select the number of “Nodes” in the cluster.
9. Provide a unique “Cluster identifier (name)” for the new cluster and set the “Master user password” and “Confirm password” for the new cluster.
10. Under “Launch your Amazon Redshift cluster - Advanced settings”, set “Database encryption” to “KMS” and select the “Master key” from the dropdown menu.
11. Click the “Continue” button at the bottom of the configuration page.
12. Review the new cluster configuration and click the “Launch configuration” button at the bottom to launch the new cluster.
13. Once the new cluster’s “Cluster Status” changes to available and its “DB Health” status changes to healthy, the new cluster can be used to load the existing data from the unencrypted cluster using the Amazon Redshift Unload/Copy utility.
14. Once the data migration from the unencrypted cluster to the new encrypted cluster is complete, delete the old unencrypted cluster.
15. Select the old unencrypted cluster, click the “Cluster” dropdown menu at the top and click the “Delete” option.
16. On the “Delete Cluster” tab, click the “Delete” button to delete the unencrypted cluster.

Enable encryption using CMK

# Customer managed key used for the cluster's at-rest encryption
resource "aws_kms_key" "redshift" {
  enable_key_rotation = true
}

resource "aws_redshift_cluster" "good_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  # encrypted alone would use the AWS managed key; kms_key_id selects the CMK above
  encrypted          = true
  kms_key_id         = aws_kms_key.redshift.key_id
}
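To show how a check like this one is evaluated against infrastructure-as-code before deployment, here is a small scanner for the AVD-AWS-0084 condition over CloudFormation templates in their JSON form. This is an added example, not Trivy's own rule code: it flags `AWS::Redshift::Cluster` resources whose `Encrypted` property is not true, and (as this example's own reading of the "CMK" part of the check, an assumption about the real rule) clusters that are encrypted but name no `KmsKeyId`, since those fall back to the AWS managed default key. The three sample templates at the bottom are constructed for the example.

```python
"""Added example (not Trivy's own code): minimal AVD-AWS-0084 check over
CloudFormation templates in JSON form."""
from typing import Any

RULE_ID = "AVD-AWS-0084"
REDSHIFT_CLUSTER = "AWS::Redshift::Cluster"


def _truthy(value: Any) -> bool:
    # CloudFormation accepts the YAML boolean true as well as the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _key_set(value: Any) -> bool:
    # A KmsKeyId counts as present when it is a non-empty string or a
    # CloudFormation intrinsic such as {"Ref": "RedshiftKey"}.
    if isinstance(value, str):
        return value.strip() != ""
    return isinstance(value, dict) and bool(value)


def check_template(template: dict) -> list[dict]:
    """Return one finding per non-compliant Redshift cluster resource."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != REDSHIFT_CLUSTER:
            continue
        props = resource.get("Properties") or {}
        if not _truthy(props.get("Encrypted")):
            findings.append({
                "rule": RULE_ID, "resource": name, "severity": "HIGH",
                "message": "Redshift cluster is not encrypted at rest (Encrypted is not true)",
            })
        elif not _key_set(props.get("KmsKeyId")):
            # Assumption of this example: encryption without an explicit key
            # uses the AWS managed key rather than a CMK, so report it separately.
            findings.append({
                "rule": RULE_ID, "resource": name, "severity": "MEDIUM",
                "message": "Redshift cluster is encrypted but no KmsKeyId (CMK) is set",
            })
    return findings


# Constructed sample templates for the example, not real deployments.
BAD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Cluster": {"Type": REDSHIFT_CLUSTER,
                    "Properties": {"NodeType": "dc1.large", "ClusterType": "single-node"}},
    },
}

DEFAULT_KEY_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Cluster": {"Type": REDSHIFT_CLUSTER, "Properties": {"Encrypted": True}},
    },
}

GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "RedshiftKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
        "Cluster": {"Type": REDSHIFT_CLUSTER,
                    "Properties": {"Encrypted": True, "KmsKeyId": {"Ref": "RedshiftKey"}}},
        "Unrelated": {"Type": "AWS::SQS::Queue"},
    },
}

if __name__ == "__main__":
    for label, tpl in (("bad", BAD_TEMPLATE), ("default-key", DEFAULT_KEY_TEMPLATE),
                       ("good", GOOD_TEMPLATE)):
        print(label, check_template(tpl))
```

Running the script reports one HIGH finding for the template with no encryption, one MEDIUM finding for the one that is encrypted with the default key, and nothing for the template that mirrors the page's good example (a KMS key with rotation enabled, referenced from the cluster's `KmsKeyId`).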