Ensure RedShift Cluster is encrypted by KMS using a customer managed Key

Error: AWS Redshift Cluster not encrypted using Customer Managed Key

Bridgecrew Policy ID: BC_AWS_GENERAL_108
Checkov Check ID: CKV_AWS_188
Severity: LOW


Description

This is a simple check to ensure that the cluster encrypts its contents with an AWS Key Management Service (KMS) key that you manage (a customer managed key). To resolve it, supply the ARN of your KMS key, or a reference to it, in the cluster definition when the cluster is created.

Fix - Buildtime

Terraform

  • Resource: aws_redshift_cluster
  • Argument: kms_key_id. The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true.
resource "aws_redshift_cluster" "pass" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = "Mustbe8characters"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  encrypted                           = true
  # Added argument: the customer managed KMS key used to encrypt the cluster
  kms_key_id                          = aws_kms_key.test.arn
}
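To make the pass/fail boundary of this check concrete, the following Python is an added, illustrative re-implementation of the CKV_AWS_188 logic; it is not Checkov's own source for the check. It assumes the input is an aws_redshift_cluster block in the shape Checkov's Terraform parser produces (each attribute value wrapped in a one-element list), and the sample resources, key ARN and account id are constructed for the example. It goes slightly beyond the page's single "pass" block by also covering the two ways a cluster fails: encrypted with the default AWS-managed key (no kms_key_id), and kms_key_id present but encrypted left false.

```python
"""Illustrative version of the CKV_AWS_188 check (added example, not Checkov's code).

Input shape assumed: a dict for one aws_redshift_cluster resource, with every
attribute value wrapped in a one-element list, as Checkov's Terraform parser
emits it.
"""

from typing import Any

PASSED = "PASSED"
FAILED = "FAILED"


def _first(conf: dict, key: str) -> Any:
    """Unwrap a Checkov-style single-element list value; None when absent."""
    value = conf.get(key)
    if isinstance(value, list) and value:
        return value[0]
    return value


def check_redshift_cmk(conf: dict) -> str:
    """Pass only if the cluster is encrypted AND supplies a KMS key.

    kms_key_id may be a literal ARN or an unresolved Terraform reference such
    as "${aws_kms_key.test.arn}"; either counts as a customer managed key.
    `encrypted = true` without kms_key_id means the default AWS-managed
    Redshift key is used, which this check treats as a failure, and
    kms_key_id without `encrypted = true` is rejected by the provider anyway.
    """
    encrypted = _first(conf, "encrypted")
    if encrypted not in (True, "true"):
        return FAILED
    kms_key_id = _first(conf, "kms_key_id")
    if not isinstance(kms_key_id, str) or not kms_key_id.strip():
        return FAILED
    return PASSED


def scan(resources: dict) -> dict:
    """Evaluate every resource and return {resource address: result}."""
    return {name: check_redshift_cmk(conf) for name, conf in resources.items()}


# Constructed sample resources. The first mirrors the page's "pass" block;
# the account id and key id in the third are placeholders, not real values.
SAMPLE_RESOURCES = {
    "aws_redshift_cluster.pass": {
        "cluster_identifier": ["examplea"],
        "encrypted": [True],
        "kms_key_id": ["${aws_kms_key.test.arn}"],
    },
    "aws_redshift_cluster.fail_default_key": {
        "cluster_identifier": ["exampleb"],
        "encrypted": [True],  # encrypted, but with the AWS-managed key
    },
    "aws_redshift_cluster.fail_unencrypted": {
        "cluster_identifier": ["examplec"],
        "encrypted": [False],
        "kms_key_id": ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"],
    },
}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_RESOURCES).items():
        print(f"{result:6s} {name}")
```

Running the file prints one line per sample cluster; only the first passes. The same function can be pointed at any parsed plan or HCL block that follows the list-wrapped convention, which is why the unwrapping is kept in a separate helper.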