Redshift cluster is not encrypted
Incident Management is now generally available! Incident Management is now generally available!
<  Back to rules search

Redshift cluster is not encrypted

redshift

Classification:

compliance

Set up the redshift integration.

Overview

Description

Ensure that AWS RedShift clusters are encrypted.

Rationale

Encrypting Redshift clusters protects your sensitive data from unauthorized access.

Remediation

Console

Follow the Changing cluster encryption docs to ensure your clusters are encrypted.

CLI

  1. Run describe-clusters with your cluster identifier.

    describe-cluster.sh

        aws redshift describe-clusters
            --cluster-identifier cluster-name
        
  2. Run create-cluster using the configuration details returned in step 1 along with the encrypted flag.

    create-cluster.sh

        aws redshift create-cluster
            --cluster-identifier cluster-name
            ...
            --encrypted
        
  3. Run describe-cluster with a query filter to expose the new endpoint address.

    describe-cluster.sh

        aws redshift describe-clusters
            --cluster-identifier cluster-name
            --query 'Clusters[*].Endpoint.Address'
        
  4. Use the cluster endpoint URL with the Amazon Redshift Unload/Copy tool.

  5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.

  6. Once the endpoint is changed, run delete-cluster to remove the old unencrypted cluster.

    delete-cluster.sh

        aws redshift delete-cluster
            --cluster-identifier old-cluster
            --final-cluster-snapshot-identifier old-cluster-finalsnapshot