Non-encrypted confidential information - Redshift Cluster - Cloudformation


Need

Encryption of confidential information in AWS Redshift Cluster


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS Redshift cluster resources for managing Amazon Redshift clusters

Description

Insecure Code Example

Resources:
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      MasterUsername: foo
      MasterUserPassword: Mustbe8characters
      NodeType: dc1.large
      ClusterType: single-node

This CloudFormation template creates an Amazon Redshift cluster without encryption. The `AWS::Redshift::Cluster` resource defines the properties of the cluster, but the `Encrypted` property is omitted, and Redshift does not enable encryption by default. If an unauthorized individual gains access to this cluster's storage, they could read the data without needing any encryption key, which represents a significant security risk, especially when storing sensitive data. Enabling encryption is essential to protect data at rest.

Steps

  1. Enable encryption for the AWS Redshift cluster
  2. Add an `AWS::KMS::Key` resource with appropriate permissions
  3. Set the `Encrypted` property to `true` in `AWS::Redshift::Cluster`
  4. Set the `KmsKeyId` property to reference the created KMS key

Secure Code Example

Resources:
  RedshiftKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for Redshift
      KeyPolicy:
        Version: "2012-10-17"
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"

  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      MasterUsername: foo
      MasterUserPassword: Mustbe8characters
      NodeType: dc1.large
      ClusterType: single-node
      Encrypted: true
      KmsKeyId: !Ref RedshiftKmsKey

This CloudFormation template enables encryption for the Redshift cluster using AWS KMS. The `AWS::KMS::Key` resource creates a KMS key with a basic policy that grants full access to the account root. The `AWS::Redshift::Cluster` resource enables encryption by setting the `Encrypted` property to `true` and referencing the created KMS key in `KmsKeyId` (`!Ref` on an `AWS::KMS::Key` resolves to the key ID, which Redshift accepts). This ensures that data in the cluster is encrypted at rest and can only be decrypted with appropriate KMS permissions.
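The following is an added example, not part of the original page: a small template check that applies the four steps above to a parsed CloudFormation template, flagging any `AWS::Redshift::Cluster` whose `Encrypted` property is not `true` or whose `KmsKeyId` does not point at an `AWS::KMS::Key`. It assumes templates are parsed into a dictionary; to stay dependency-free it uses the JSON form of CloudFormation (where `!Ref` becomes `{"Ref": ...}`), and the two embedded templates are constructed JSON equivalents of the insecure and secure YAML examples on this page. Treating "Encrypted but no KmsKeyId" as a finding is this check's own policy, reflecting step 4 (a customer-managed key rather than the service's default key).

```python
import json

# Constructed JSON-format templates mirroring the page's two YAML examples.
INSECURE_TEMPLATE = """
{
  "Resources": {
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "MasterUsername": "foo",
        "MasterUserPassword": "Mustbe8characters",
        "NodeType": "dc1.large",
        "ClusterType": "single-node"
      }
    }
  }
}
"""

SECURE_TEMPLATE = """
{
  "Resources": {
    "RedshiftKmsKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"Description": "KMS key for Redshift"}
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "MasterUsername": "foo",
        "MasterUserPassword": "Mustbe8characters",
        "NodeType": "dc1.large",
        "ClusterType": "single-node",
        "Encrypted": true,
        "KmsKeyId": {"Ref": "RedshiftKmsKey"}
      }
    }
  }
}
"""


def _is_true(value):
    # CloudFormation accepts both the boolean true and the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_unencrypted_redshift_clusters(template):
    """Return (logical_id, reason) pairs for each AWS::Redshift::Cluster that
    does not meet the page's steps: Encrypted must be true and KmsKeyId must
    reference a KMS key (here: one declared in the same template)."""
    resources = template.get("Resources") or {}
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("Encrypted")):
            findings.append((logical_id, "Encrypted is missing or not true"))
            continue
        key_ref = props.get("KmsKeyId")
        if not key_ref:
            # Check policy (assumption): require a customer-managed key, so a
            # cluster that relies on the service default key is still flagged.
            findings.append((logical_id, "Encrypted but no KmsKeyId set"))
        elif isinstance(key_ref, dict) and "Ref" in key_ref:
            target = resources.get(key_ref["Ref"]) or {}
            if target.get("Type") != "AWS::KMS::Key":
                findings.append((logical_id, "KmsKeyId refers to %r, which is not an AWS::KMS::Key in this template" % key_ref["Ref"]))
    return findings


def check_template_text(text):
    """Parse a JSON-format template and run the check on it."""
    return find_unencrypted_redshift_clusters(json.loads(text))


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(name, "->", check_template_text(text) or "no findings")
```

Run against the insecure template the check reports `MyRedshiftCluster` for the missing `Encrypted` property; the secure template passes. A YAML template loaded with a CloudFormation-aware loader (one that turns `!Ref` into a `{"Ref": ...}` mapping) produces the same dictionary shape and can be fed to `find_unencrypted_redshift_clusters` directly.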


References

  • 433 - Non-encrypted confidential information - Redshift Cluster

  • Last updated

    2025/04/04