Json Yaml Redshift Encryption Disabled
Description
Detects AWS Redshift clusters defined in CloudFormation templates that have encryption disabled, leaving sensitive data potentially exposed. Unencrypted Redshift clusters store data in plaintext, which could lead to unauthorized access if the underlying storage is compromised.
Weakness:
433 - Non-encrypted confidential information - Redshift Cluster
Category: Information Collection
Detection Strategy
• Check if the resource type is 'AWS::Redshift::Cluster' in the CloudFormation template
• Examine the resource properties to determine if encryption is disabled
• Report a vulnerability when a Redshift cluster is configured without encryption enabled
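The three detection steps above, carried out by a small checker written for this page as an added example (it is not Fluid Attacks' scanner). It reads a CloudFormation template in JSON with the standard library, or in YAML when PyYAML is installed (short-form intrinsics such as `!Ref` are mapped to their long-form dicts so the safe loader accepts them), selects every `AWS::Redshift::Cluster` resource, and reports a cluster whose `Encrypted` property is absent (Redshift defaults to unencrypted), not a literal true, or set through an intrinsic that cannot be resolved statically. The sample template, the resource names and the severity labels are constructed for the example; the low-severity note for the `alias/aws/redshift` managed key follows the comment in the vulnerable example below.

```python
# Added example: a small CloudFormation checker for the Redshift encryption rule
# described on this page. Illustrative code, not Fluid Attacks' own scanner.
import json
from typing import Any, Dict, List

try:
    import yaml  # PyYAML is optional; JSON templates need only the stdlib
except ImportError:
    yaml = None

REDSHIFT_TYPE = "AWS::Redshift::Cluster"
AWS_MANAGED_KEY = "alias/aws/redshift"  # alias used in the vulnerable example


def load_template(text: str) -> Dict[str, Any]:
    """Parse a CloudFormation template written as JSON or (with PyYAML) YAML.

    Short-form intrinsics such as !Ref or !Sub are turned into their long-form
    dicts ({"Ref": ...}, {"Fn::Sub": ...}) so the safe loader accepts them.
    """
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse YAML templates")

    class CfnLoader(yaml.SafeLoader):
        pass

    def intrinsic(loader, tag_suffix, node):
        key = "Ref" if tag_suffix == "Ref" else "Fn::" + tag_suffix
        if isinstance(node, yaml.SequenceNode):
            return {key: loader.construct_sequence(node)}
        if isinstance(node, yaml.MappingNode):
            return {key: loader.construct_mapping(node)}
        return {key: loader.construct_scalar(node)}

    CfnLoader.add_multi_constructor("!", intrinsic)
    return yaml.load(text, Loader=CfnLoader)


def check_redshift_encryption(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per Redshift cluster whose encryption is off or weak.

    1. select resources of type AWS::Redshift::Cluster;
    2. inspect Properties.Encrypted (Redshift is unencrypted when it is omitted);
    3. report when the value is not a literal true.
    A cluster that is encrypted but relies on the AWS-managed alias is reported
    at low severity (constructed label), matching the vulnerable example's comment.
    """
    findings: List[Dict[str, str]] = []
    for name, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != REDSHIFT_TYPE:
            continue
        props = resource.get("Properties") or {}
        encrypted = props.get("Encrypted")
        if encrypted is None:
            findings.append({"resource": name, "severity": "high",
                             "reason": "Encrypted omitted; Redshift defaults to no encryption"})
        elif isinstance(encrypted, dict):
            # Value comes from !Ref/!If etc.: cannot be proven safe statically
            findings.append({"resource": name, "severity": "medium",
                             "reason": "Encrypted is an intrinsic; verify it resolves to true"})
        elif str(encrypted).lower() != "true":
            findings.append({"resource": name, "severity": "high",
                             "reason": "Encrypted is set to %r" % (encrypted,)})
        elif props.get("KmsKeyId") == AWS_MANAGED_KEY:
            findings.append({"resource": name, "severity": "low",
                             "reason": "Encrypted with AWS-managed key, not a customer-managed key"})
    return findings


# Constructed sample template (JSON so it runs without PyYAML): one cluster with
# encryption off, one relying on the default, one on the AWS-managed key, one secure.
SAMPLE_TEMPLATE = """{
  "Resources": {
    "VulnerableCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {"ClusterIdentifier": "my-redshift-cluster", "Encrypted": false,
                     "KmsKeyId": "alias/aws/redshift"}
    },
    "DefaultCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {"ClusterIdentifier": "default-cluster"}
    },
    "ManagedKeyCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {"ClusterIdentifier": "managed-key-cluster", "Encrypted": "true",
                     "KmsKeyId": "alias/aws/redshift"}
    },
    "SecureCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {"ClusterIdentifier": "secure-cluster", "Encrypted": true,
                     "KmsKeyId": {"Ref": "MyCustomKMSKey"}}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}"""

if __name__ == "__main__":
    for finding in check_redshift_encryption(load_template(SAMPLE_TEMPLATE)):
        print(f"[{finding['severity']}] {finding['resource']}: {finding['reason']}")
```

Treating an omitted `Encrypted` as a finding is the important design choice: a template that never mentions the property deploys an unencrypted cluster, so a checker that only looks for an explicit `false` misses the most common case. Values supplied through intrinsics are surfaced for manual review rather than silently accepted.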
Vulnerable code example
Resources:
  VulnerableCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      ClusterIdentifier: "my-redshift-cluster"
      Encrypted: false # Vulnerable: Encryption disabled leaves data unprotected
      KmsKeyId: "alias/aws/redshift" # Vulnerable: Using AWS-managed key instead of customer-managed key
✅ Secure code example
Resources:
  SecureCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      ClusterIdentifier: "my-redshift-cluster"
      Encrypted: true # Required: Enable encryption at rest for data protection
      KmsKeyId: !Ref MyCustomKMSKey # Required: Use customer-managed key for better control
...