Non-encrypted confidential information - Redshift Cluster
Need
Encryption of confidential information in AWS Redshift Cluster
Context
• Usage of CloudFormation for Infrastructure as Code (IaC)
• Usage of AWS Redshift cluster resources for managing Amazon Redshift clusters
Description
1. Non-compliant code

   Resources:
     MyRedshiftCluster:
       Type: AWS::Redshift::Cluster
       Properties:
         ClusterIdentifier: tf-redshift-cluster
         DBName: mydb
         MasterUsername: foo
         NodeType: dc1.large
         ...

This CloudFormation template creates an Amazon Redshift cluster without encryption at rest. The `AWS::Redshift::Cluster` resource defines the properties of the cluster, but the `Encrypted` property is omitted, and its default value is `false`, so the cluster's data blocks, system metadata and any snapshots taken from it are stored in plaintext. Anyone who obtains access to the underlying storage or to a snapshot (for example through a shared or copied snapshot) can read the data without needing any key, which is a significant risk when the cluster holds confidential information. Enabling encryption is essential to protect data at rest.
2. Steps
• Enable encryption for the AWS Redshift cluster
• Add an `AWS::KMS::Key` resource (a customer managed key) whose key policy lets the account administer it
• Set the `Encrypted` property to `true` in `AWS::Redshift::Cluster`
• Set the `KmsKeyId` property to the created key's ID or ARN (`!Ref RedshiftKmsKey` or `!GetAtt RedshiftKmsKey.Arn`)
3. Secure code example

   Resources:
     RedshiftKmsKey:
       Type: AWS::KMS::Key
       Properties:
         Description: KMS key for Redshift
         KeyPolicy:
           Version: "2012-10-17"
           Statement:
             ...

This CloudFormation template enables encryption for the Redshift cluster using AWS KMS. The `AWS::KMS::Key` resource creates a customer managed key with a basic key policy that grants full access to the account root, which is the standard bootstrap policy: it lets the account delegate key administration and usage through IAM. The `AWS::Redshift::Cluster` resource enables encryption by setting the `Encrypted` property to `true` and specifying the KMS key ARN in `KmsKeyId`. With this in place the cluster's data blocks, metadata and snapshots are encrypted at rest, and restoring or sharing a snapshot requires permission to use the key. Note that encryption at rest does not replace database authentication and authorization: a user with valid cluster credentials still reads plaintext through the database engine. Setting `Encrypted: true` without a `KmsKeyId` also encrypts the cluster, but with the AWS managed key for Redshift, whose policy the account cannot edit; a customer managed key is what gives you control over who can use the key and when it rotates.
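To make the check above repeatable in a CI pipeline, here is an added example (not code from the original page or from AWS) that audits a CloudFormation template, in its JSON form where `Ref` and `Fn::GetAtt` are ordinary objects, for Redshift clusters that are unencrypted, encrypted only with the AWS managed key, or pointing `KmsKeyId` at something that is not an `AWS::KMS::Key`. The two embedded templates are constructed for the example and carry only the properties relevant to the check (a deployable cluster also needs `MasterUserPassword` and `ClusterType`); `EnableKeyRotation` and the `AccountAdmin` statement ID in the hardened sample are additions the page's snippet does not show. Standard library only, so it runs offline.

```python
"""Audit CloudFormation templates for Amazon Redshift clusters that lack
customer-managed KMS encryption at rest.

Added example for this page (not code from the original page or from AWS).
Takes a template already parsed from CloudFormation JSON, where intrinsics
("Ref", "Fn::GetAtt") are plain objects, so no YAML tag handling is needed.
"""
import json

REDSHIFT_CLUSTER = "AWS::Redshift::Cluster"
KMS_KEY = "AWS::KMS::Key"


def _is_true(value):
    # CloudFormation accepts a boolean or the strings "true"/"false".
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def _referenced_logical_id(kms_key_id):
    # Logical ID behind {"Ref": X} or {"Fn::GetAtt": [X, "Arn"]}; None for a literal ID/ARN/alias.
    if isinstance(kms_key_id, dict):
        if "Ref" in kms_key_id:
            return kms_key_id["Ref"]
        if "Fn::GetAtt" in kms_key_id:
            return kms_key_id["Fn::GetAtt"][0]
    return None


def audit_redshift_encryption(template):
    """Return (logical_id, severity, issue) tuples, one per problem found.
    An empty list means every Redshift cluster in the template is compliant."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != REDSHIFT_CLUSTER:
            continue
        props = resource.get("Properties", {})
        if not _is_true(props.get("Encrypted", False)):
            # Default is false: data blocks, system metadata and snapshots stay plaintext.
            findings.append((logical_id, "high", "Encrypted is missing or false"))
            continue
        if "KmsKeyId" not in props:
            # Falls back to the AWS managed key for Redshift; the account cannot edit its policy.
            findings.append((logical_id, "medium", "Encrypted but no KmsKeyId"))
            continue
        target = _referenced_logical_id(props["KmsKeyId"])
        if target is not None and resources.get(target, {}).get("Type") != KMS_KEY:
            findings.append((logical_id, "medium",
                             f"KmsKeyId points at {target}, not an {KMS_KEY}"))
    return findings


def audit_template_file(path):
    # Convenience wrapper for a template file on disk (JSON syntax).
    with open(path, encoding="utf-8") as fh:
        return audit_redshift_encryption(json.load(fh))


# Constructed sample: the page's non-compliant shape (no Encrypted property at all).
NON_COMPLIANT = {"Resources": {"MyRedshiftCluster": {
    "Type": REDSHIFT_CLUSTER,
    "Properties": {"ClusterIdentifier": "tf-redshift-cluster", "DBName": "mydb",
                   "MasterUsername": "foo", "NodeType": "dc1.large"}}}}

# Constructed sample: the hardened shape. The key policy grants the account root
# administration (the account then delegates via IAM); EnableKeyRotation is an
# added hardening step the page's snippet does not show.
COMPLIANT = {"Resources": {
    "RedshiftKmsKey": {"Type": KMS_KEY, "Properties": {
        "Description": "KMS key for Redshift", "EnableKeyRotation": True,
        "KeyPolicy": {"Version": "2012-10-17", "Statement": [{
            "Sid": "AccountAdmin", "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
            "Action": "kms:*", "Resource": "*"}]}}},
    "MyRedshiftCluster": {"Type": REDSHIFT_CLUSTER, "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster", "DBName": "mydb",
        "MasterUsername": "foo", "NodeType": "dc1.large",
        "Encrypted": True, "KmsKeyId": {"Fn::GetAtt": ["RedshiftKmsKey", "Arn"]}}}}}

if __name__ == "__main__":
    for name, tpl in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(name, audit_redshift_encryption(tpl) or "no findings")
```

Run it against a real template with `audit_template_file("template.json")` and fail the pipeline on any `high` finding; a literal `KmsKeyId` (an ARN or `alias/...` string) is accepted as-is because the checker cannot see the key's policy from the template alone.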