Redshift clusters should enable SSL/TLS for client connections


Description

Enable the require_ssl parameter for your Amazon Redshift cluster.

Rationale

Redshift clusters that do not require an SSL connection are vulnerable to exploits, such as man-in-the-middle attacks. Securing your connections protects your sensitive and private data.

Remediation

From the console

Amazon Redshift clusters use AWS Certificate Manager (ACM) to manage SSL certificates. To configure Redshift parameter groups in the console, follow the Managing parameter groups using the console docs.

From the command line

  1. Run modify-cluster-parameter-group with the name of the default parameter group you want to modify and the required parameters for SSL. This returns the group name and status if successful.

modify-cluster-parameter-group.sh

  aws redshift modify-cluster-parameter-group \
    --parameter-group-name your-parameter-group \
    --parameters ParameterName=require_ssl,ParameterValue=true

  
  2. Run reboot-cluster with your cluster identifier to enable the configuration changes.
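
To confirm that both steps took effect, the following added example (not part of the original page or of any AWS tooling) audits every cluster in the current region: it reads the require_ssl value from each cluster's parameter group and checks that the group is actually applied, so a cluster still waiting for its reboot is not counted as compliant. The function names are illustrative; it assumes the AWS CLI is configured with read-only Redshift describe permissions.

```shell
# Added example: function names are illustrative, not AWS-provided.

# Print "cluster<TAB>parameter-group<TAB>apply-status" for each cluster.
list_cluster_groups() {
  aws redshift describe-clusters \
    --query 'Clusters[].[ClusterIdentifier, ClusterParameterGroups[0].ParameterGroupName, ClusterParameterGroups[0].ParameterApplyStatus]' \
    --output text
}

# Print the require_ssl value stored in one parameter group.
get_require_ssl() {
  aws redshift describe-cluster-parameters \
    --parameter-group-name "$1" \
    --query "Parameters[?ParameterName=='require_ssl'].ParameterValue" \
    --output text
}

# Report PASS / PENDING / FAIL per cluster; return non-zero unless all PASS.
audit_require_ssl() {
  audit_rc=0
  audit_rows=$(list_cluster_groups)
  while read -r audit_cluster audit_group audit_status; do
    [ -n "$audit_cluster" ] || continue
    audit_value=$(get_require_ssl "$audit_group")
    if [ "$audit_value" != "true" ]; then
      echo "FAIL $audit_cluster $audit_group require_ssl=${audit_value:-unset}"
      audit_rc=1
    elif [ "$audit_status" != "in-sync" ]; then
      # Parameter is set but not yet in effect, e.g. pending-reboot.
      echo "PENDING $audit_cluster $audit_group status=$audit_status"
      audit_rc=1
    else
      echo "PASS $audit_cluster $audit_group"
    fi
  done <<EOF
$audit_rows
EOF
  return "$audit_rc"
}
```

Source the file and run `audit_require_ssl`; a PENDING line means the parameter is set but the cluster still needs the reboot from step 2.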