AWS Redshift Instances Are Not Encrypted

This policy identifies AWS Redshift clusters that are not encrypted. Redshift clusters should have encryption enabled to protect data at rest; an unencrypted cluster exposes its stored data and can lead to a data breach.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
CloudFormation

Build Rules

AWS Redshift instances are not encrypted.
JSON Query:
$.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted any null or $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted anyFalse
Recommendation:
Recommended solution for ensuring Redshift instances are encrypted:
It is recommended to encrypt Redshift instances. Make sure that the "Encrypted" property exists on the AWS::Redshift::Cluster resource and that its value is set to true.
For example:
  "myCluster1": {
    "Type": "AWS::Redshift::Cluster",
    "Properties": {
      "DBName": "mydb",
      "MasterUsername": "master",
      "Encrypted": true
    }
  }
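The build rule above can be reproduced in a template linter. The following is an added example (not the policy engine's own code) that walks a CloudFormation template and flags every AWS::Redshift::Cluster whose Encrypted property is missing or false, mirroring the "any null or anyFalse" JSON query, and shows the build-time fix of setting the property to true; the sample template is constructed for the example.

```python
import json

# Constructed sample CloudFormation template (not from the original page):
# one cluster with no "Encrypted" key, one with it set to false, one compliant
# cluster, and an unrelated resource that the rule must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ClusterNoKey": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"DBName": "mydb", "MasterUsername": "master"},
        },
        "ClusterFalse": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"DBName": "mydb", "MasterUsername": "master",
                           "Encrypted": False},
        },
        "ClusterOk": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {"DBName": "mydb", "MasterUsername": "master",
                           "Encrypted": True},
        },
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})


def _is_encrypted(properties):
    """True only when Properties.Encrypted is boolean true or the string "true"."""
    value = properties.get("Encrypted")
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def find_unencrypted_redshift(template_json):
    """Return logical IDs of Redshift clusters whose Encrypted property is
    null (absent) or false, i.e. the resources the policy would report."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        if not _is_encrypted(resource.get("Properties", {})):
            findings.append(logical_id)
    return findings


def remediate(template_json):
    """Return a copy of the template with Encrypted set to true on every
    Redshift cluster, the fix the policy recommends at build time."""
    template = json.loads(template_json)
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") == "AWS::Redshift::Cluster":
            resource.setdefault("Properties", {})["Encrypted"] = True
    return json.dumps(template, indent=2)
```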

Run Rule Recommendation

Encryption of data at rest for an AWS Redshift cluster can only be enabled when the cluster is created. To resolve this alert, create a new cluster with encryption enabled, migrate all required data from the reported Redshift cluster to the newly created encrypted cluster, and then delete the reported cluster.
  1. Sign in to the AWS Admin Console and Access the Redshift service.
  2. Click on the identified Redshift cluster and take a snapshot of it.
  3. Create a new Redshift cluster (now with 'Encryption' set to 'Yes' during creation time) and use the snapshot to populate (restore) the new cluster.
  4. Once the new cluster is populated, delete the older cluster (without encryption).

Compliance

There are 11 standards that are applicable to this policy:
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • NIST CSF
  • PCI DSS v3.2
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • PIPEDA
  • CCPA 2018
