Risk Level: High
Cloud Entity: Amazon Redshift
CloudGuard Rule ID: D9.AWS.CRY.34
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Redshift should have dataEncrypted=true

REMEDIATION

From Portal
Following steps will enable encryption for the desired redshift cluster:

Login to the AWS Management Console.
Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.
In the navigation panel, under Redshift Dashboard, click 'Clusters'.
Choose the Redshift cluster that you want to modify encryption settings and click on 'Properties' tab.
Verify the Encryption status (Disabled/enabled) under the Cluster Properties.
Click on 'Edit' tab on the right side and go to edit encryption.
Select the desired encryption type and save it.

From TF

resource "aws_redshift_cluster" "test" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  + encrypted          = true
}

From Command Line
To turn on encryption for Redshift cluster

aws redshift modify-cluster --cluster-identifier PUT_VALUE --encrypted

References

https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#create-cluster
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html

Amazon Redshift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution. Most results come back in seconds. With Amazon Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth the cost of traditional solutions.

Compliance Frameworks

AWS CCPA Framework
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS Dashboard System Ruleset
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset