Ensure AWS Redshift cluster is encrypted

Error: AWS Redshift cluster not encrypted using CMK

Bridgecrew Policy ID: BC_AWS_GENERAL_25
Checkov Check ID: CKV_AWS_64
Severity: HIGH

AWS Redshift cluster not encrypted

Description

We recommend that all data stored in the Redshift cluster is encrypted at rest. You can create new encrypted clusters or enable CMK encryption on existing clusters; as AWS says, "You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption":
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

Fix - Runtime

There is no runtime fix; new clusters can be created encrypted, and existing clusters can be modified to use a CMK.

Fix - Buildtime

Terraform

  • Resource: aws_redshift_cluster
  • Argument: encrypted. Ensure that this argument is set to true to protect this database.

This change may recreate your cluster.

resource "aws_redshift_cluster" "redshift" {
  ...
  cluster_identifier        = "shifty"
+ encrypted                 = true
  kms_key_id                = var.kms_key_id
  ...
}

CloudFormation

  • Resource: AWS::Redshift::Cluster
  • Argument: Properties.Encrypted

    Type: "AWS::Redshift::Cluster"
    Properties:
      ...
+     Encrypted: true
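To show how the two buildtime fixes above are verified, the following is an added example of a minimal policy check in the spirit of CKV_AWS_64. It is not Checkov's or Bridgecrew's own implementation: it scans a Terraform configuration with a small regex-based block matcher (a real HCL parser would be used in practice) and a CloudFormation template in its JSON form, and reports FAILED for every Redshift cluster whose at-rest encryption is not enabled. The resource names, logical IDs and the "RedshiftKey" reference in the samples are constructed for this example.

```python
"""Minimal buildtime policy check in the spirit of CKV_AWS_64 (added example;
not Checkov's or Bridgecrew's own implementation). It scans a Terraform
configuration and a CloudFormation template for Redshift clusters and
reports FAILED for any cluster whose at-rest encryption is not enabled."""
import json
import re
from typing import Dict

# Constructed sample Terraform configuration. "legacy" omits `encrypted`
# (the provider default is false); "shifty" mirrors the fix shown above.
TERRAFORM_SAMPLE = '''
resource "aws_redshift_cluster" "legacy" {
  cluster_identifier = "legacy"
  node_type          = "dc2.large"
  master_username    = "admin"
  master_password    = "placeholder-password"   # constructed placeholder
}

resource "aws_redshift_cluster" "shifty" {
  cluster_identifier = "shifty"
  node_type          = "dc2.large"
  master_username    = "admin"
  master_password    = "placeholder-password"   # constructed placeholder
  encrypted          = true
  kms_key_id         = var.kms_key_id
}

resource "aws_s3_bucket" "logs" {
  bucket = "constructed-bucket-name"
}
'''

# Constructed sample CloudFormation template in its JSON form. The logical
# IDs and the "RedshiftKey" reference are assumptions for this example.
CLOUDFORMATION_SAMPLE = json.dumps({
    "Resources": {
        "LegacyCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {
                "ClusterType": "single-node",
                "NodeType": "dc2.large",
                "MasterUsername": "admin",
                "MasterUserPassword": "placeholder-password",
            },
        },
        "EncryptedCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {
                "ClusterType": "single-node",
                "NodeType": "dc2.large",
                "MasterUsername": "admin",
                "MasterUserPassword": "placeholder-password",
                "Encrypted": True,
                "KmsKeyId": {"Ref": "RedshiftKey"},
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket"},
    }
})

# Matches one top-level `resource "aws_redshift_cluster" "<name>" { ... }` block;
# the body ends at the first closing brace in column 0.
_CLUSTER_BLOCK = re.compile(
    r'resource\s+"aws_redshift_cluster"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
_ENCRYPTED_ARG = re.compile(r'^\s*encrypted\s*=\s*(true|false)\b', re.M)


def check_terraform(hcl: str) -> Dict[str, str]:
    """Return {resource name: "PASSED" | "FAILED"} for each Redshift cluster."""
    results: Dict[str, str] = {}
    for name, body in _CLUSTER_BLOCK.findall(hcl):
        match = _ENCRYPTED_ARG.search(body)
        # An absent `encrypted` argument is treated as false, as the provider does.
        enabled = match is not None and match.group(1) == "true"
        results[name] = "PASSED" if enabled else "FAILED"
    return results


def check_cloudformation(template_json: str) -> Dict[str, str]:
    """Return {logical ID: "PASSED" | "FAILED"} for each AWS::Redshift::Cluster."""
    template = json.loads(template_json)
    results: Dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = resource.get("Properties", {})
        # CloudFormation accepts the boolean or the string "true" for Encrypted.
        enabled = str(props.get("Encrypted", False)).lower() == "true"
        results[logical_id] = "PASSED" if enabled else "FAILED"
    return results


if __name__ == "__main__":
    for fmt, findings in (("terraform", check_terraform(TERRAFORM_SAMPLE)),
                          ("cloudformation", check_cloudformation(CLOUDFORMATION_SAMPLE))):
        for resource, status in findings.items():
            print(f"CKV_AWS_64 {fmt}: {resource}: {status}")
```

Running the script lists both sample clusters per format: the ones without `encrypted = true` / `Encrypted: true` are reported as FAILED and the fixed ones as PASSED. Treating a missing argument as a failure is the important design choice: the provider default leaves the cluster unencrypted, so an omitted setting is the same finding as an explicit false.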