Ensure Redshift uses SSL

Error: Redshift does not use SSL

Bridgecrew Policy ID: BC_AWS_GENERAL_75
Checkov Check ID: CKV_AWS_105
Severity: MEDIUM

Description

This policy identifies Redshift clusters whose parameter group does not set require_ssl to true, so clients are allowed to connect over an unencrypted channel. Requiring SSL/TLS protects data in transit between clients and the cluster. Note that require_ssl only forces the connection to be encrypted; whether the client also verifies the server certificate is controlled on the client side (for example, the sslmode setting of the driver).

Fix - Runtime

AWS Console

  1. Log in to the AWS Console and navigate to the Amazon Redshift service.
  2. Select the identified Redshift cluster and make a note of its Cluster Parameter Group.
  3. In the navigation panel, click Parameter groups.
  4. Select the identified parameter group and click Edit parameters.
  5. Review the require_ssl parameter. Set require_ssl to true and save.
    Note: If the cluster uses a default parameter group, it cannot be edited. Create a new parameter group with require_ssl set to true and associate it with the affected cluster. Parameter group changes take effect only after the associated cluster is rebooted; until then the cluster shows a pending-reboot status and still accepts unencrypted connections.
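The console procedure above, as an added example that is not part of the original page or of Bridgecrew's tooling: a Python audit that evaluates Redshift API responses the way steps 2 to 5 do, flags clusters whose require_ssl change is still waiting for a reboot, and prints the equivalent AWS CLI remediation. The function names, cluster and parameter group names and the sample API responses are constructed for illustration; the live `audit_account()` path assumes boto3 and AWS credentials are available.

```python
"""Audit Redshift clusters for require_ssl and emit the CLI remediation.

Added example, not from the Bridgecrew/Checkov page. The checks operate on
plain dicts shaped like the Redshift API responses (describe-clusters and
describe-cluster-parameters); the sample data below is constructed.
"""

REQUIRE_SSL = "require_ssl"


def ssl_required(parameters):
    """True only if the group sets require_ssl=true; absent means the engine default, false."""
    for p in parameters:
        if p.get("ParameterName") == REQUIRE_SSL:
            return str(p.get("ParameterValue", "")).strip().lower() == "true"
    return False


def require_ssl_pending(cluster):
    """True if require_ssl was changed but the cluster has not been rebooted yet.

    describe-clusters lists per-parameter state in ClusterParameterGroups[]
    .ClusterParameterStatusList[]; anything other than in-sync means plaintext
    connections are still accepted until a reboot.
    """
    for group in cluster.get("ClusterParameterGroups", []):
        for st in group.get("ClusterParameterStatusList", []):
            if st.get("ParameterName") == REQUIRE_SSL and st.get("ParameterApplyStatus") != "in-sync":
                return True
    return False


def evaluate_cluster(cluster, parameters_by_group):
    """Return PASS, FAIL or PENDING_REBOOT; every attached group must require SSL."""
    groups = [g["ParameterGroupName"] for g in cluster.get("ClusterParameterGroups", [])]
    if not groups or not all(ssl_required(parameters_by_group.get(g, [])) for g in groups):
        return "FAIL"
    return "PENDING_REBOOT" if require_ssl_pending(cluster) else "PASS"


def audit(clusters, parameters_by_group):
    """Map each ClusterIdentifier to its result."""
    return {c["ClusterIdentifier"]: evaluate_cluster(c, parameters_by_group) for c in clusters}


def remediation_commands(cluster, group_name):
    """CLI equivalent of console steps 3-5: a new group (the default one cannot be
    edited), require_ssl=true, attach it, then reboot so the change takes effect."""
    cid = cluster["ClusterIdentifier"]
    return [
        f"aws redshift create-cluster-parameter-group --parameter-group-name {group_name}"
        f" --parameter-group-family redshift-1.0 --description 'require SSL'",
        f"aws redshift modify-cluster-parameter-group --parameter-group-name {group_name}"
        f" --parameters ParameterName={REQUIRE_SSL},ParameterValue=true",
        f"aws redshift modify-cluster --cluster-identifier {cid} --cluster-parameter-group-name {group_name}",
        f"aws redshift reboot-cluster --cluster-identifier {cid}",
    ]


def audit_account():
    """Live version over real API responses; boto3 is imported lazily so the
    module still loads offline (assumes boto3 and AWS credentials are present)."""
    import boto3
    rs = boto3.client("redshift")
    clusters = rs.get_paginator("describe_clusters").paginate().build_full_result()["Clusters"]
    params = {}
    for c in clusters:
        for g in c["ClusterParameterGroups"]:
            name = g["ParameterGroupName"]
            if name not in params:
                pages = rs.get_paginator("describe_cluster_parameters").paginate(ParameterGroupName=name)
                params[name] = pages.build_full_result()["Parameters"]
    return audit(clusters, params)


# Constructed sample data in the API's shape; these are not real clusters.
SAMPLE_PARAMETERS = {
    "default.redshift-1.0": [{"ParameterName": "require_ssl", "ParameterValue": "false"}],
    "prod-require-ssl": [{"ParameterName": "require_ssl", "ParameterValue": "true"}],
}
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics-dev",  # still on the unmodifiable default group
     "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0",
                                 "ClusterParameterStatusList": []}]},
    {"ClusterIdentifier": "analytics-prod",  # fixed and rebooted
     "ClusterParameterGroups": [{"ParameterGroupName": "prod-require-ssl",
                                 "ClusterParameterStatusList": [
                                     {"ParameterName": "require_ssl", "ParameterApplyStatus": "in-sync"}]}]},
    {"ClusterIdentifier": "analytics-staging",  # fixed in the group, reboot still pending
     "ClusterParameterGroups": [{"ParameterGroupName": "prod-require-ssl",
                                 "ClusterParameterStatusList": [
                                     {"ParameterName": "require_ssl", "ParameterApplyStatus": "pending-reboot"}]}]},
]

if __name__ == "__main__":
    for cid, result in audit(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS).items():
        print(f"{cid}: {result}")
    print("\n".join(remediation_commands(SAMPLE_CLUSTERS[0], "analytics-dev-require-ssl")))
```

Run it as-is to see the three outcomes on the constructed data, or call `audit_account()` from an environment with boto3 and credentials to run the same checks against a real account. The PENDING_REBOOT state is the one a dashboard that only reads the parameter group would miss: the group already says true, but the running cluster still allows plaintext connections until it is rebooted.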

Fix - Buildtime

Terraform

  • Resource: aws_redshift_parameter_group
  • Argument: parameter.require_ssl
resource "aws_redshift_parameter_group" "pass" {
  name   = "example-require-ssl" # example name
  family = "redshift-1.0"        # the only Redshift parameter group family

  # Reject unencrypted client connections (the engine default is false).
  # Attach the group to the cluster via aws_redshift_cluster.cluster_parameter_group_name.
  parameter {
    name  = "require_ssl"
    value = "true"
  }
}

CloudFormation

  • Resource: AWS::Redshift::ClusterParameterGroup
  • Argument: Properties.Parameters
Resources:
  RedshiftParameterGroup:   # logical name is an example
    Type: AWS::Redshift::ClusterParameterGroup
    Properties:
      Description: "Parameter group that requires SSL connections"
      ParameterGroupFamily: "redshift-1.0"
      # Reject unencrypted client connections (the engine default is false).
      # Attach the group to the cluster via AWS::Redshift::Cluster ClusterParameterGroupName.
      Parameters:
        - ParameterName: "require_ssl"
          ParameterValue: "true"