Terraform Encryption Disabled Or Missing
Description
Detects AWS Redshift clusters declared in Terraform without encryption at rest, that is, an aws_redshift_cluster resource whose encrypted argument is set to false or omitted entirely. An unencrypted cluster stores its data and automated snapshots in clear text, so anyone who obtains the underlying storage or a copied snapshot can read the data without ever authenticating to the cluster. Encryption at rest with AWS KMS is the baseline control for this risk, and the setting should be declared explicitly rather than left to a provider default. Note that turning encryption on for an existing unencrypted cluster is not a free flag change: AWS migrates the data into a new encrypted cluster and the cluster is read-only while the migration runs, so schedule the change accordingly.
Weakness:
433 - Non-encrypted confidential information - Redshift Cluster
Category: Information Collection
Detection Strategy
• Check whether the resource type is 'aws_redshift_cluster' in the Terraform configuration
• Inspect the encrypted argument of that resource: flag it when the argument is absent or explicitly set to false (a value that is not a literal true, such as a variable, cannot be confirmed statically and deserves review)
• Report a vulnerability for every Redshift cluster whose encryption at rest is not explicitly enabled
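The three steps above as working detection logic, written here as an added example and not Fluid Attacks' scanner code. It locates each resource block by matching braces, reads the block's top-level key = value arguments, and reports an aws_redshift_cluster when encrypted is missing, false, or anything other than a literal true. The Terraform text it runs over is constructed for the example and mirrors the shapes shown on this page; the parser deliberately handles only that flat block layout, not full HCL.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the opening line of a Terraform resource block up to its "{".
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
# Matches a simple `key = value` argument line (value is trimmed of surrounding space).
ATTR_RE = re.compile(r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(?P<value>.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    address: str  # e.g. aws_redshift_cluster.example1
    reason: str   # why the cluster was reported


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the "{" at open_brace and its matching "}"."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform text")


def _strip_comment(line: str) -> str:
    """Drop a trailing `#` or `//` comment; this check only needs bare literals."""
    return re.split(r"\s*(#|//)", line, maxsplit=1)[0]


def _top_level_attrs(body: str) -> dict[str, str]:
    """Collect `key = value` arguments at depth 0 of a block body, skipping nested blocks."""
    attrs: dict[str, str] = {}
    depth = 0
    for raw in body.splitlines():
        line = _strip_comment(raw)
        if depth == 0:
            m = ATTR_RE.match(line)
            if m and not m.group("value").startswith("{"):
                attrs[m.group("key")] = m.group("value")
        depth += line.count("{") - line.count("}")
    return attrs


def check_redshift_encryption(hcl_text: str) -> list[Finding]:
    """Report every aws_redshift_cluster whose `encrypted` argument is not literally true."""
    findings: list[Finding] = []
    for m in RESOURCE_RE.finditer(hcl_text):
        if m.group("type") != "aws_redshift_cluster":
            continue  # step 1: only Redshift clusters are in scope
        address = f'{m.group("type")}.{m.group("name")}'
        attrs = _top_level_attrs(_block_body(hcl_text, m.end() - 1))
        value = attrs.get("encrypted")  # step 2: inspect the setting
        if value is None:
            findings.append(Finding(address, "encrypted is missing; the provider default decides"))
        elif value == "false":
            findings.append(Finding(address, "encrypted is explicitly false"))
        elif value != "true":
            # A variable or expression cannot be resolved statically; surface it
            # so a human confirms the resolved value instead of silently passing.
            findings.append(Finding(address, f"encrypted is not a literal true: {value}"))
    return findings  # step 3: each entry is a reportable vulnerability


# Constructed sample: two vulnerable clusters, one secure cluster, one unrelated resource.
SAMPLE_TF = '''
resource "aws_redshift_cluster" "example1" {
  cluster_identifier = "redshift-cluster-1"
  encrypted          = false # Vulnerable: explicitly disabled
}

resource "aws_redshift_cluster" "example2" {
  cluster_identifier = "redshift-cluster-2"
  # Vulnerable: encrypted is not set at all
}

resource "aws_redshift_cluster" "example3" {
  cluster_identifier = "redshift-cluster-3"
  encrypted          = true
  kms_key_id         = aws_kms_key.redshift.arn
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "not-a-redshift-cluster"
}
'''

if __name__ == "__main__":
    for finding in check_redshift_encryption(SAMPLE_TF):
        print(f"{finding.address}: {finding.reason}")
```

Run as a script it prints one line for example1 (explicitly false) and one for example2 (missing), and nothing for example3. Treating a non-literal value as a finding is a deliberate choice: a scanner that trusts `encrypted = var.encrypt_cluster` without seeing the variable's value would pass a configuration it never actually verified.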
Vulnerable code example
resource "aws_redshift_cluster" "example1" {
  cluster_identifier = "redshift-cluster-1"
  encrypted          = false # Vulnerable: explicitly disabling encryption at rest
}

resource "aws_redshift_cluster" "example2" {
  cluster_identifier = "redshift-cluster-2"
  # Vulnerable: the encrypted argument is missing, so the cluster is left to the provider default instead of being explicitly encrypted
}
✅ Secure code example
resource "aws_redshift_cluster" "example1" {
cluster_identifier = "redshift-cluster-1"
encrypted = true # Enable encryption at rest for data security
kms_key_id = aws_kms_key.redshift.arn # Use KMS key for encryption
}
resource "aws_redshift_cluster" "example2" {
  cluster_identifier = "redshift-cluster-2"
  encrypted          = true # Enable encryption at rest; with no kms_key_id the AWS-managed Redshift KMS key is used
}