
Non-encrypted confidential information - Redshift Cluster - Aws


Need

Encryption of confidential information in AWS Redshift Cluster


Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of aws_redshift_cluster for managing and interacting with Amazon Redshift clusters

Description

Insecure Code Example

resource "aws_redshift_cluster" "default" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
}

This Terraform block creates an Amazon Redshift cluster without encryption at rest. `cluster_identifier` is the unique name of the cluster, `database_name` is the initial database created with it, `master_username` and `master_password` are the credentials of the master database user, `node_type` selects the node hardware, and `cluster_type` is either `single-node` or `multi-node` (the node count of a multi-node cluster is set separately with `number_of_nodes`). The problem is that the block neither sets `encrypted = true` nor names a KMS key, so Terraform requests an unencrypted cluster: its data blocks, system metadata, and the automated and manual snapshots derived from it are stored in clear text. Anyone who obtains the underlying storage or a copy of a snapshot can read the data without needing a key, which is a serious exposure when the cluster holds confidential information.

Note what encryption at rest does and does not do. It protects the stored data and the snapshots, and with a customer managed key it lets you revoke access, rotate key material, and audit every use in CloudTrail. It does not protect against a principal who holds valid database credentials; the example also hardcodes the master password in source, which is a separate finding. To protect the data, encrypt the cluster with AWS Key Management Service (KMS): set `encrypted` to `true` and set `kms_key_id` to the ARN of the key to use. If `kms_key_id` is omitted while `encrypted` is `true`, Redshift falls back to the AWS managed key for Redshift, which encrypts the data but gives you no control over the key policy. Enabling encryption on a cluster that already exists migrates its data; check how your provider version applies that change (in place or by replacement) before running it against production, and verify the result afterwards with `aws redshift describe-clusters --query 'Clusters[].[ClusterIdentifier,Encrypted,KmsKeyId]'`.

Steps

  1. Enable encryption for the AWS Redshift cluster
  2. Modify the 'aws_redshift_cluster' resource to include the 'encrypted' attribute
  3. Set the 'encrypted' attribute to 'true'
  4. Ensure that the 'kms_key_id' attribute is also set to specify the AWS Key Management Service (KMS) key to use for encryption

Secure Code Example

# Account ID for the key policy, read from the credentials Terraform is using
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "redshift" {
  description         = "KMS key for redshift"
  enable_key_rotation = true # rotate the backing key material automatically
  policy              = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_redshift_cluster" "default" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  encrypted          = true                     # encrypt data blocks and snapshots at rest
  kms_key_id         = aws_kms_key.redshift.arn # customer managed key instead of the AWS managed default
}

The above code fixes the vulnerability by enabling encryption for the Redshift cluster. The `aws_kms_key` resource creates a customer managed KMS key for the cluster. The policy attached to it allows all KMS actions to the account's root principal, which is the default key policy and delegates further access control to the IAM policies of that account; tighten it to the roles that actually need the key if the account's IAM policies are not already restrictive. In the `aws_redshift_cluster` resource, `encrypted = true` turns on encryption at rest and `kms_key_id` points at the ARN of the new key, so the cluster's data blocks and every snapshot taken from it are encrypted with that key rather than with the AWS managed default. Redshift decrypts transparently for authenticated database users, so the gain is control rather than an extra login barrier: the key policy decides which principals and which accounts can use the key (for example to restore or share a snapshot), disabling the key makes the stored data and snapshots unusable, and each use of the key is recorded in CloudTrail. This significantly reduces the risk of exposure if the storage or a snapshot falls into unauthorized hands.
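The fix above is easy to forget in the next module someone writes, so a plan-time check is worth having. The script below is an added example, not code from the original page: it reads the JSON produced by `terraform show -json tfplan` and flags every `aws_redshift_cluster` that is either not encrypted or encrypted without a customer managed key. One detail matters here: a `kms_key_id` that references another planned resource (such as `aws_kms_key.redshift.arn`) is "known after apply" and therefore absent from `planned_values`, so the check also consults `resource_changes[].change.after_unknown`. The plan embedded in `SAMPLE_PLAN` is constructed for the example; the resource addresses and module names in it are assumptions.

```python
"""Added example: plan-time policy check for the Redshift encryption finding.

Reads the JSON emitted by `terraform show -json tfplan` and reports every
aws_redshift_cluster that is not encrypted with a customer managed KMS key.
"""
import json
import sys
from typing import Iterator


def _walk_modules(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def find_unencrypted_redshift(plan: dict) -> list[str]:
    """Return one finding string per aws_redshift_cluster that fails the policy."""
    # Map resource address -> attributes that are "known after apply".
    unknown_after = {
        rc["address"]: rc.get("change", {}).get("after_unknown", {})
        for rc in plan.get("resource_changes", [])
    }
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") != "aws_redshift_cluster" or res.get("mode") != "managed":
            continue
        addr = res["address"]
        values = res.get("values", {})
        # `encrypted` absent or false: storage and snapshots are in clear text.
        if values.get("encrypted") is not True:
            findings.append(f"{addr}: encrypted is not true")
            continue
        # A kms_key_id that references another planned resource is not in
        # `values` yet; a "known after apply" marker counts as a key being set.
        key_known = bool(values.get("kms_key_id"))
        key_pending = unknown_after.get(addr, {}).get("kms_key_id") is True
        if not (key_known or key_pending):
            findings.append(
                f"{addr}: encrypted but no kms_key_id (falls back to the AWS managed key)"
            )
    return findings


# Constructed sample plan (not real terraform output), shaped like
# `terraform show -json`: one unencrypted cluster, one encrypted with a key
# known after apply, and one in a child module encrypted without a key.
SAMPLE_PLAN = json.loads(r"""
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_redshift_cluster.default", "mode": "managed",
         "type": "aws_redshift_cluster", "name": "default",
         "values": {"cluster_identifier": "tf-redshift-cluster", "encrypted": false}},
        {"address": "aws_redshift_cluster.secure", "mode": "managed",
         "type": "aws_redshift_cluster", "name": "secure",
         "values": {"cluster_identifier": "tf-redshift-secure", "encrypted": true}}
      ],
      "child_modules": [
        {"address": "module.analytics",
         "resources": [
           {"address": "module.analytics.aws_redshift_cluster.nokey", "mode": "managed",
            "type": "aws_redshift_cluster", "name": "nokey",
            "values": {"cluster_identifier": "analytics", "encrypted": true}}
         ]}
      ]
    }
  },
  "resource_changes": [
    {"address": "aws_redshift_cluster.default",
     "change": {"after_unknown": {"id": true}}},
    {"address": "aws_redshift_cluster.secure",
     "change": {"after_unknown": {"id": true, "kms_key_id": true}}},
    {"address": "module.analytics.aws_redshift_cluster.nokey",
     "change": {"after_unknown": {"id": true}}}
  ]
}
""")


def main(argv: list[str]) -> int:
    """Check the plan file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_unencrypted_redshift(plan)
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI as `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_redshift.py plan.json`; a non-zero exit blocks the merge. The sample produces two findings, for `aws_redshift_cluster.default` and for the child-module cluster, while `aws_redshift_cluster.secure` passes because its key is known after apply.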


References

  • 433 - Non-encrypted confidential information - Redshift Cluster

  • Last updated

    2023/09/18