Ensure Redshift cluster allow version upgrade by default

Error: Redshift clusters version upgrade is not default

Bridgecrew Policy ID: BC_AWS_GENERAL_70
Checkov Check ID: CKV_AWS_141
Severity: LOW

Redshift clusters version upgrade is not default

Description

With the Allow Version Upgrade feature enabled, Amazon Redshift engine upgrades (also known as major version upgrades) are applied to the cluster automatically, so the data warehouse engine receives the newest features, bug fixes and the latest security patches as they are released.

Fix - Runtime

CLI Command

  1. Run the modify-cluster command (OSX/Linux/UNIX) with the identifier of the cluster you want to update (see Audit section part II, step no. 2) to enable Amazon Redshift engine version upgrades for the selected cluster:
aws redshift modify-cluster \
    --region us-east-1 \
    --cluster-identifier cc-cluster \
    --allow-version-upgrade
  2. If successful, the command output should return the Redshift cluster's new configuration metadata:
{
    "Cluster": {
        "PubliclyAccessible": true,
        "NumberOfNodes": 1,
        "PendingModifiedValues": {},
        "VpcId": "vpc-2eb53422",
        "ClusterVersion": "1.0",
        "AutomatedSnapshotRetentionPeriod": 1,
        "ClusterParameterGroups": [
	   ...
        "AllowVersionUpgrade": true,
	   ...
        "ClusterSubnetGroupName": "default",
        "ClusterSecurityGroups": [],
        "ClusterIdentifier": "cc-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds1.xlarge",
        "ClusterStatus": "available"
    }
}
  3. Repeat steps no. 1 and 2 for other Redshift clusters with engine version upgrades disabled in the current region.

  4. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 for other regions.
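The audit-and-remediate loop described in the steps above, as an added example that is not part of this policy page or of Checkov: it evaluates the cluster objects returned by `aws redshift describe-clusters` (the same "Cluster" shape shown in the output above), flags every cluster whose AllowVersionUpgrade is not true, and prints the matching modify-cluster commands. The embedded sample response is constructed, and the cluster names in it (legacy-dw, no-flag-reported) are hypothetical; the live mode assumes boto3 and AWS credentials are available.

```python
"""Find Redshift clusters that do not allow engine version upgrades."""
import json

# Constructed sample, shaped like `aws redshift describe-clusters` output.
SAMPLE_DESCRIBE_CLUSTERS = json.loads("""
{
  "Clusters": [
    {"ClusterIdentifier": "cc-cluster", "AllowVersionUpgrade": true,
     "ClusterVersion": "1.0", "ClusterStatus": "available"},
    {"ClusterIdentifier": "legacy-dw", "AllowVersionUpgrade": false,
     "ClusterVersion": "1.0", "ClusterStatus": "available"},
    {"ClusterIdentifier": "no-flag-reported", "ClusterVersion": "1.0",
     "ClusterStatus": "available"}
  ]
}
""")


def non_compliant_clusters(describe_clusters_response):
    """Return identifiers of clusters that do not allow version upgrades.

    A cluster whose response omits the flag is reported as a finding too,
    so the audit fails closed instead of silently skipping it.
    """
    findings = []
    for cluster in describe_clusters_response.get("Clusters", []):
        if cluster.get("AllowVersionUpgrade") is not True:
            findings.append(cluster["ClusterIdentifier"])
    return findings


def remediation_commands(identifiers, region):
    """Build the modify-cluster invocations that re-enable the flag."""
    return [
        "aws redshift modify-cluster --region {} --cluster-identifier {} "
        "--allow-version-upgrade".format(region, cid)
        for cid in identifiers
    ]


if __name__ == "__main__":
    # Live mode (assumption: boto3 installed, credentials configured):
    # walk every Redshift region and paginate describe_clusters.
    import boto3
    for region in boto3.session.Session().get_available_regions("redshift"):
        client = boto3.client("redshift", region_name=region)
        for page in client.get_paginator("describe_clusters").paginate():
            for cmd in remediation_commands(non_compliant_clusters(page), region):
                print(cmd)
```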

Fix - Buildtime

Terraform

  • Resource: aws_redshift_cluster
  • Argument: allow_version_upgrade
resource "aws_redshift_cluster" "default" {
  ...
+ allow_version_upgrade = true
}