Ensure AWS RedShift Cluster is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Error: AWS RedShift Cluster is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_131
Checkov Check ID: CKV_AWS_188
Severity: LOW

Description

This policy identifies Redshift clusters that are encrypted with the default AWS-managed KMS key rather than with a customer managed key (CMK). It is a best practice to encrypt your Redshift cluster data with a customer managed KMS key, because a CMK gives you full control over the key that protects the data.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

Resource: aws_redshift_cluster
Arguments: encrypted, kms_key_id

resource "aws_redshift_cluster" "pass" {
  cluster_identifier                  = "examplea"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  master_username                     = "foo_test"
  master_password                     = "Mustbe8characters"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  # Enable at-rest encryption; kms_key_id only takes effect when this is true
  encrypted                           = true
  # Reference a customer managed key (the aws_kms_key.test resource is defined elsewhere);
  # omitting kms_key_id falls back to the AWS-managed default key and fails this check
  kms_key_id                          = aws_kms_key.test.arn
}
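The logic this policy applies, as an added example rather than Checkov's own implementation: a small check that takes the attribute map of one aws_redshift_cluster block (each value wrapped in a list, which is how Checkov hands attributes to a resource check) and reports PASSED only when the cluster is encrypted with a key other than the AWS-managed default. Treating an absent or false `encrypted`, a missing `kms_key_id`, and an `alias/aws/` alias as failures is this example's interpretation of the policy, not a statement about Checkov's exact code; the sample resources are constructed.

```python
"""Added example: a stand-alone re-implementation of the CKV_AWS_188 logic."""

# Aliases of AWS-managed keys always start with this prefix, so a kms_key_id
# pointing at one (e.g. alias/aws/redshift) is not a customer managed key.
AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"


def _first(conf: dict, key: str):
    """Return the first value of a list-wrapped HCL attribute, or None if absent."""
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def check_redshift_cmk(conf: dict) -> str:
    """Return "PASSED" if the cluster is encrypted with a CMK, else "FAILED".

    Assumption of this example: the Terraform attribute names are those of
    aws_redshift_cluster (encrypted, kms_key_id), as in the fix above.
    """
    encrypted = _first(conf, "encrypted")
    if encrypted not in (True, "true"):
        return "FAILED"  # not encrypted at all, so no KMS key is in use
    kms_key_id = _first(conf, "kms_key_id")
    if not kms_key_id:
        return "FAILED"  # encrypted, but with the AWS-managed default key
    if isinstance(kms_key_id, str) and kms_key_id.startswith(AWS_MANAGED_ALIAS_PREFIX):
        return "FAILED"  # explicitly references an AWS-managed key alias
    return "PASSED"


def scan(resources: dict) -> dict:
    """Run the check over a {resource_name: attribute_map} dict."""
    return {name: check_redshift_cmk(conf) for name, conf in resources.items()}


# Constructed sample resources mirroring the page's passing config and two failing variants.
SAMPLE_RESOURCES = {
    "pass": {"cluster_identifier": ["examplea"], "encrypted": [True],
             "kms_key_id": ["${aws_kms_key.test.arn}"]},
    "default_key": {"cluster_identifier": ["exampleb"], "encrypted": [True]},
    "aws_alias": {"cluster_identifier": ["examplec"], "encrypted": [True],
                  "kms_key_id": ["alias/aws/redshift"]},
    "unencrypted": {"cluster_identifier": ["exampled"], "encrypted": [False],
                    "kms_key_id": ["${aws_kms_key.test.arn}"]},
}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_RESOURCES).items():
        print(f"CKV_AWS_188 {result}: aws_redshift_cluster.{name}")
```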