Ensure AWS Redshift cluster is encrypted
Error: AWS Redshift cluster not encrypted using CMK
Bridgecrew Policy ID: BC_AWS_GENERAL_25
Checkov Check ID: CKV_AWS_64
Severity: HIGH
AWS Redshift cluster not encrypted
Description
We recommend that all data stored in a Redshift cluster be encrypted at rest. You can create new encrypted clusters or enable CMK encryption on existing clusters; as AWS states, "You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption".
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
Fix - Buildtime
Terraform
- Resource: aws_redshift_cluster
- Argument: encrypted. Ensure this argument is set to true so the cluster's data is encrypted at rest.
This change may recreate your cluster.
resource "aws_redshift_cluster" "redshift" {
  ...
  cluster_identifier = "shifty"
+ encrypted          = true
  kms_key_id         = var.kms_key_id
  ...
}
CloudFormation
- Resource: AWS::Redshift::Cluster
- Argument: Properties.Encrypted
Type: "AWS::Redshift::Cluster"
Properties:
  ...
+ Encrypted: true
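The Terraform and CloudFormation fixes above can be verified before deployment. The following is an added example (not Checkov's own implementation) that applies the same rule as CKV_AWS_64 to a `terraform show -json` plan and to a JSON CloudFormation template, flagging any Redshift cluster whose `encrypted` / `Encrypted` property is not true. The sample plan and template are constructed here; the KMS key ARN is a placeholder.

```python
from typing import Any, Dict, List


def _is_true(value: Any) -> bool:
    """CloudFormation JSON may carry booleans as the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_unencrypted_tf(plan: Dict[str, Any]) -> List[str]:
    """Return addresses of aws_redshift_cluster resources in a `terraform show -json`
    plan whose planned `encrypted` value is not true. Walks child modules too."""
    findings: List[str] = []

    def walk(module: Dict[str, Any]) -> None:
        for res in module.get("resources", []):
            if res.get("type") == "aws_redshift_cluster" and not _is_true(
                res.get("values", {}).get("encrypted")
            ):
                findings.append(res["address"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return findings


def find_unencrypted_cfn(template: Dict[str, Any]) -> List[str]:
    """Return logical IDs of AWS::Redshift::Cluster resources lacking Encrypted: true."""
    findings: List[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = res.get("Properties") or {}
        if not _is_true(props.get("Encrypted")):
            findings.append(logical_id)
    return findings


# Constructed sample inputs: one unencrypted and one fixed cluster in each format.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_redshift_cluster.redshift", "type": "aws_redshift_cluster",
     "values": {"cluster_identifier": "shifty", "encrypted": False}},
    {"address": "aws_redshift_cluster.fixed", "type": "aws_redshift_cluster",
     "values": {"cluster_identifier": "shifty-enc", "encrypted": True,
                "kms_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}},
]}}}
SAMPLE_CFN = {"Resources": {
    "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {"NodeType": "dc2.large"}},
    "WarehouseEnc": {"Type": "AWS::Redshift::Cluster", "Properties": {"Encrypted": "true"}},
}}

if __name__ == "__main__":
    print("Terraform findings:", find_unencrypted_tf(SAMPLE_PLAN))
    print("CloudFormation findings:", find_unencrypted_cfn(SAMPLE_CFN))
```

Run it against your own plan with `terraform show -json tfplan` piped into `json.load`, or against a JSON template converted from YAML; a non-empty findings list means the buildtime fix above has not been applied.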