Connections to Amazon Redshift clusters should be encrypted in transit

TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.

Risk Level: Medium
Cloud Entity: Amazon Redshift
CloudGuard Rule ID: D9.AWS.CRY.86
Covered by Spectral: No
Category: Database

GSL LOGIC

Redshift should have parametersGroup contain [ parameters with [ parameterName='require_ssl' and parameterValue='true' ] ]

REMEDIATION

From Portal
To remediate this issue, update the parameter group to require encryption.

  1. Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.
  2. In the navigation menu, choose Config, then choose Workload management to display the Workload management page.
  3. Choose the parameter group that you want to modify.
  4. Choose Parameters.
  5. Choose Edit parameters, and then set require_ssl to True.
  6. Enter your changes and then choose Save.

From Command Line
Run the following command to enable the require_ssl parameter for the desired parameter group.

aws redshift modify-cluster-parameter-group --parameter-group-name redshift_cluster_parameter_group_name --parameters ParameterName=require_ssl,ParameterValue=true
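As an added example, not part of this rule page or of CloudGuard's own tooling, the following Python evaluates the GSL condition above (parameter group contains require_ssl='true') over constructed samples shaped like the JSON that `aws redshift describe-clusters` and `aws redshift describe-cluster-parameters` return, and prints the remediation command for each cluster that fails. The cluster and parameter-group names are constructed; a group with no require_ssl entry at all is treated as non-compliant.

```python
import json

# Constructed sample resembling `aws redshift describe-clusters` output (trimmed to
# the fields the rule needs). A cluster carries one parameter group, but the CLI
# returns it inside a list, so the check iterates that list.
DESCRIBE_CLUSTERS = json.loads("""
{
  "Clusters": [
    {"ClusterIdentifier": "analytics-prod",
     "ClusterParameterGroups": [{"ParameterGroupName": "prod-pg", "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "analytics-dev",
     "ClusterParameterGroups": [{"ParameterGroupName": "dev-pg", "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "legacy-etl",
     "ClusterParameterGroups": [{"ParameterGroupName": "legacy-pg", "ParameterApplyStatus": "in-sync"}]}
  ]
}
""")

# Constructed sample resembling `aws redshift describe-cluster-parameters
# --parameter-group-name <name>` output, keyed by group name; only relevant parameters shown.
DESCRIBE_PARAMETERS = {
    "prod-pg":   {"Parameters": [{"ParameterName": "require_ssl", "ParameterValue": "true"}]},
    "dev-pg":    {"Parameters": [{"ParameterName": "require_ssl", "ParameterValue": "false"}]},
    "legacy-pg": {"Parameters": [{"ParameterName": "enable_user_activity_logging", "ParameterValue": "true"}]},
}

def group_requires_ssl(parameters_output):
    """True when the parameter list contains require_ssl='true' (the rule's condition).
    A group with no require_ssl entry is reported as non-compliant."""
    for p in parameters_output.get("Parameters", []):
        if p.get("ParameterName") == "require_ssl":
            # The CLI returns the string "true"; compare case-insensitively so a value
            # shown as "True" by the console or other tooling is still recognised.
            return str(p.get("ParameterValue", "")).strip().lower() == "true"
    return False

def noncompliant_clusters(describe_clusters, describe_parameters):
    """Return (cluster_id, parameter_group) pairs whose group does not enforce
    require_ssl, mirroring the GSL logic of rule D9.AWS.CRY.86."""
    findings = []
    for cluster in describe_clusters.get("Clusters", []):
        for pg in cluster.get("ClusterParameterGroups", []):
            name = pg["ParameterGroupName"]
            if not group_requires_ssl(describe_parameters.get(name, {})):
                findings.append((cluster["ClusterIdentifier"], name))
    return findings

def remediation_command(parameter_group):
    """The CLI remediation from this page, filled in for a given parameter group."""
    return ("aws redshift modify-cluster-parameter-group "
            f"--parameter-group-name {parameter_group} "
            "--parameters ParameterName=require_ssl,ParameterValue=true")

if __name__ == "__main__":
    for cluster_id, group in noncompliant_clusters(DESCRIBE_CLUSTERS, DESCRIBE_PARAMETERS):
        print(f"{cluster_id}: parameter group {group} does not require SSL")
        print("  fix: " + remediation_command(group))
```

Against live data, feed the same functions the parsed output of the two describe commands; default parameter groups cannot be modified, so a cluster on a default group needs a custom group attached before the fix applies.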

References

  1. https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html
  2. https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster-parameter-group.html

Amazon Redshift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution. Most results come back in seconds. With Amazon Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth the cost of traditional solutions.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset