Redshift clusters should enable SSL/TLS for client connections

Description

Enable the require_ssl parameter for your Amazon Redshift cluster.

Rationale

Redshift clusters that do not require an SSL connection are vulnerable to exploits, such as man-in-the-middle attacks. Securing your connections protects your sensitive and private data.

Remediation

From the console

Amazon Redshift clusters use AWS Certificate Manager (ACM) to manage SSL certificates. To configure Redshift parameter groups in the console, follow the Managing parameter groups using the console docs.

From the command line

  1. Run modify-cluster-parameter-group with the name of the default parameter group you want to modify and the required parameters for SSL. This returns the group name and status if successful.

modify-cluster-parameter-group.sh

  aws redshift modify-cluster-parameter-group \
    --parameter-group-name your-parameter-group \
    --parameters ParameterName=require_ssl,ParameterValue=true

  
  2. Run reboot-cluster with your cluster identifier to enable the configuration changes.
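
The two steps above, followed by a verification pass, as an added example that is not part of the original rule documentation. The function names and the script name are hypothetical; the check passes only when require_ssl is true and the cluster reports the parameter group as in-sync, so a change that is still waiting on the reboot is reported as a failure.

```shell
#!/bin/sh
# Added example. Cluster and parameter group names are placeholders.

# Steps 1 and 2: set require_ssl on the group, reboot, wait until available.
apply_require_ssl() {  # $1 = parameter group, $2 = cluster identifier
  aws redshift modify-cluster-parameter-group \
    --parameter-group-name "$1" \
    --parameters ParameterName=require_ssl,ParameterValue=true >/dev/null &&
  aws redshift reboot-cluster --cluster-identifier "$2" >/dev/null &&
  aws redshift wait cluster-available --cluster-identifier "$2"
}

# Print the require_ssl value stored in a parameter group.
require_ssl_value() {
  aws redshift describe-cluster-parameters --parameter-group-name "$1" \
    --query "Parameters[?ParameterName=='require_ssl'].ParameterValue" \
    --output text
}

# Print "<group> <apply status>" for each group attached to a cluster.
cluster_group_status() {
  aws redshift describe-clusters --cluster-identifier "$1" \
    --query "Clusters[0].ClusterParameterGroups[].[ParameterGroupName,ParameterApplyStatus]" \
    --output text
}

# Return 0 only when every attached group has require_ssl=true and the
# cluster reports it as in-sync; 1 on a finding; 2 when a lookup fails.
check_cluster_ssl() {  # $1 = cluster identifier
  rc=0
  lines=$(cluster_group_status "$1") || return 2
  [ -n "$lines" ] || return 2
  while read -r group status; do
    value=$(require_ssl_value "$group") || return 2
    if [ "$value" != "true" ]; then
      echo "FAIL $1: $group has require_ssl=$value"; rc=1
    elif [ "$status" != "in-sync" ]; then
      echo "FAIL $1: $group is $status, change not applied yet"; rc=1
    else
      echo "PASS $1: $group requires SSL"
    fi
  done <<EOF
$lines
EOF
  return "$rc"
}

# Usage: sh require_ssl.sh <parameter-group> <cluster-identifier>
if [ "$#" -eq 2 ]; then apply_require_ssl "$1" "$2" && check_cluster_ssl "$2"; fi
```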