Ensure AWS Redshift cluster is encrypted

Error: AWS Redshift cluster not encrypted using CMK

Bridgecrew Policy ID: BC_AWS_GENERAL_25
Checkov Check ID: CKV_AWS_64
Severity: HIGH

AWS Redshift cluster not encrypted


We recommend that all data stored in the Redshift cluster is encrypted at rest. You can create new encrypted clusters or enable CMK encryption on existing clusters; as AWS says, "You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption".

Fix - Buildtime

Terraform

  • Resource: aws_redshift_cluster
  • Argument: encrypted, ensure that this argument is set to true to protect this database.

This change may recreate your cluster.

resource "aws_redshift_cluster" "redshift" {
  cluster_identifier        = "shifty"
+ encrypted                 = true
  kms_key_id                = var.kms_key_id
}

CloudFormation

  • Resource: AWS::Redshift::Cluster
  • Argument: Properties.Encrypted, ensure that this property is set to true.

  Type: "AWS::Redshift::Cluster"
  Properties:
+   Encrypted: true
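The condition this check enforces, as an added example that is not Checkov's own implementation: a small Python evaluator that applies the CKV_AWS_64 rule to resource definitions already parsed into dicts, in both shapes the page describes (Terraform `aws_redshift_cluster` with `encrypted`, CloudFormation `AWS::Redshift::Cluster` with `Properties.Encrypted`). The sample inputs are constructed here and mirror the snippets above; the one-element-list handling assumes an HCL parser that wraps attribute values in lists.

```python
# Added example, not Checkov's code: evaluates "is the Redshift cluster's
# encryption argument set to true?" over parsed Terraform / CloudFormation.

def _is_true(value):
    # Assumption: some HCL parsers wrap each attribute value in a one-element
    # list, so unwrap that before comparing. Accept bool True or the string
    # "true" (any case); anything else, including a missing value, is false.
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_terraform_redshift(resource):
    """resource: attribute dict of one aws_redshift_cluster block.
    A missing `encrypted` argument is FAILED: the provider default is false."""
    return "PASSED" if _is_true(resource.get("encrypted")) else "FAILED"


def check_cfn_redshift(resource):
    """resource: one CloudFormation resource dict with Type and Properties."""
    if resource.get("Type") != "AWS::Redshift::Cluster":
        return "SKIPPED"  # the check only applies to Redshift clusters
    props = resource.get("Properties") or {}
    return "PASSED" if _is_true(props.get("Encrypted")) else "FAILED"


def scan_cfn_template(template):
    """Map each AWS::Redshift::Cluster logical id in a template to its result."""
    return {
        name: check_cfn_redshift(res)
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::Redshift::Cluster"
    }


# Constructed sample inputs mirroring the page's before/after snippets.
TF_BEFORE = {"cluster_identifier": ["shifty"], "kms_key_id": ["${var.kms_key_id}"]}
TF_AFTER = {**TF_BEFORE, "encrypted": [True]}
CFN_TEMPLATE = {"Resources": {
    "Unencrypted": {"Type": "AWS::Redshift::Cluster",
                    "Properties": {"ClusterType": "single-node"}},
    "Encrypted": {"Type": "AWS::Redshift::Cluster",
                  "Properties": {"ClusterType": "single-node", "Encrypted": True}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

if __name__ == "__main__":
    print(check_terraform_redshift(TF_BEFORE), check_terraform_redshift(TF_AFTER))
    print(scan_cfn_template(CFN_TEMPLATE))
```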