--- title: Redshift cluster without a KMS CMK description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Redshift cluster without a KMS CMK --- # Redshift cluster without a KMS CMK {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-redshift-cluster-without-kms-cmk` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) ### Description{% #description %} Redshift clusters should specify a customer-managed AWS KMS key (`KmsKeyId`) to maintain control over encryption of data at rest and snapshots. Without a customer-managed CMK, you lose control over key rotation, access policies, and the ability to revoke or share keys. In AWS CloudFormation, the `KmsKeyId` property must be defined on `AWS::Redshift::Cluster` resources and set to the ARN or key ID of a customer-managed KMS key. Resources missing this property will be flagged because they may rely on AWS-managed keys or lack explicit encryption controls. Secure configuration example (CloudFormation YAML): ```yaml MyRedshiftCluster: Type: AWS::Redshift::Cluster Properties: ClusterType: single-node NodeType: dc2.large DBName: dev MasterUsername: masteruser MasterUserPassword: ReplaceWithSecurePassword KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-7890-abcd-ef1234567890 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: Redshift Stack Resources: RedshiftCluster: Type: AWS::Redshift::Cluster Properties: ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup ClusterType: !If [ SingleNode, single-node, multi-node ] NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' DBName: !Sub ${DatabaseName} IamRoles: - !GetAtt RawDataBucketAccessRole.Arn MasterUserPassword: !Ref MasterUserPassword MasterUsername: !Ref MasterUsername PubliclyAccessible: true NodeType: dc1.large Port: 5439 VpcSecurityGroupIds: - !Sub ${RedshiftSecurityGroup} PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 KmsKeyId: wewewewewefsa DataBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub ${DataBucketName} ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: Redshift Stack Resources: RedshiftCluster: Type: AWS::Redshift::Cluster Properties: ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup ClusterType: !If [ SingleNode, single-node, multi-node ] NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' DBName: !Sub ${DatabaseName} IamRoles: - !GetAtt RawDataBucketAccessRole.Arn MasterUserPassword: !Ref MasterUserPassword MasterUsername: !Ref MasterUsername PubliclyAccessible: true NodeType: dc1.large Port: 5439 VpcSecurityGroupIds: - !Sub ${RedshiftSecurityGroup} PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 DataBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub ${DataBucketName} ```