AWS Redshift Does Not Have require_ssl Configured

This policy identifies Redshift databases whose parameter group does not require SSL, so data connections to and from them can occur over an insecure channel. Requiring SSL connections protects the data in transit.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

AWS Redshift does not have require_ssl configured.
JSON Query:
$.resource[*].aws_redshift_parameter_group exists and ($.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl')] !exists or $.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl' && @.value=='false' )] exists)
Recommendation:
Ensure that AWS Redshift has require_ssl configured: every aws_redshift_parameter_group in the template must define the "require_ssl" parameter with its value set to true.
For example:
"aws_redshift_parameter_group": [
  {
    "<redshift_parameter_group_name>": [
      {
        "family": "redshift-1.0",
        "name": "parameter-group-test-terraform",
        "parameter": [
          { "name": "require_ssl", "value": "true" },
          { "name": "query_group", "value": "example" }
        ]
      }
    ]
  }
]
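The build rule above can be reproduced as a small checker over the Terraform-as-JSON layout the query walks. This is an added example, not code from the policy or its vendor; the sample templates are constructed, and the checker normalises boolean and string values (the JSON query only compares the literal string 'false').

```python
"""Flag Redshift parameter groups that omit require_ssl or set it to false,
mirroring the policy's JSON query over a Terraform-as-JSON template."""
from typing import Any


def _is_false(value: Any) -> bool:
    # Terraform values surface as strings ("false") or booleans; treat both alike.
    return str(value).strip().lower() == "false"


def find_insecure_parameter_groups(template: dict) -> list:
    """Return one finding per aws_redshift_parameter_group instance that does
    not define require_ssl or defines it as false. The shape follows the
    query path $.resource[*].aws_redshift_parameter_group[*].*[*].parameter."""
    findings = []
    for resource_block in template.get("resource", []):
        for group_block in resource_block.get("aws_redshift_parameter_group", []):
            for group_name, instances in group_block.items():
                for instance in instances:
                    params = instance.get("parameter", [])
                    require_ssl = [p for p in params if p.get("name") == "require_ssl"]
                    if not require_ssl:
                        findings.append({"group": group_name,
                                         "reason": "require_ssl not defined"})
                    elif any(_is_false(p.get("value")) for p in require_ssl):
                        findings.append({"group": group_name,
                                         "reason": "require_ssl set to false"})
    return findings


def _template(parameters: list) -> dict:
    # Constructed sample template using the same layout as the example above.
    return {"resource": [{"aws_redshift_parameter_group": [{
        "example_group": [{"family": "redshift-1.0",
                           "name": "parameter-group-test-terraform",
                           "parameter": parameters}]}]}]}


COMPLIANT = _template([{"name": "require_ssl", "value": "true"},
                       {"name": "query_group", "value": "example"}])
MISSING = _template([{"name": "query_group", "value": "example"}])
DISABLED = _template([{"name": "require_ssl", "value": False}])

if __name__ == "__main__":
    for label, tpl in (("compliant", COMPLIANT), ("missing", MISSING), ("disabled", DISABLED)):
        print(label, find_insecure_parameter_groups(tpl))
```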

Run Rule Recommendation

  1. Log in to the AWS console and navigate to the 'Amazon Redshift' service.
  2. Expand the identified 'Redshift' cluster and make a note of its 'Cluster Parameter Group'.
  3. In the navigation panel, click 'Parameter group'.
  4. Select the identified 'Parameter Group' and click 'Edit Parameters'.
  5. Review the require_ssl flag. Set the parameter 'require_ssl' to true and save it.
    Note:
    If the current parameter group is a default parameter group, it cannot be edited. You will need to create a new parameter group and associate it with the affected cluster.

Compliance

There are 10 standards that are applicable to this policy:
  • ISO 27001:2013
  • NIST CSF
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • HITRUST CSF v9.3
  • PIPEDA
  • CCPA 2018
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4
