Plugin Title Redshift Encryption Enabled
Cloud AWS
Category Redshift
Description Ensures at-rest encryption is setup for Redshift clusters
More Info AWS provides at-rest encryption for Redshift clusters, which should be enabled to protect the data stored within the cluster.
AWS Link http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
Recommended Action Redshift does not currently allow modifications to encryption after the cluster has been launched, so a new cluster will need to be created with encryption enabled.


Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the "Services" option and search for Redshift.
  3. Scroll down the left navigation panel and choose "Clusters".
  4. Select the "Cluster" that needs to be verified and click on its identifier (name) in the "Cluster" column.
  5. Scroll down the "Cluster" configuration page and check the "Encrypted" option under "Cluster Database Properties". If the current status is "No", the data stored on the cluster is not encrypted.
  6. Repeat steps 2 - 5 to verify other clusters.
  7. Scroll down the left navigation panel, choose "Clusters" and click on the "Quick launch cluster" button in the top menu to start the new-cluster process.
  8. Select the "Node type" from the dropdown menu and select the number of "Nodes" in the cluster.
  9. Provide a unique "Cluster identifier (name)" for the new cluster and choose the "Master user password" and "Confirm password" of the new cluster.
  10. Under "Launch your Amazon Redshift cluster - Advanced settings", set "Database encryption" to "KMS" and select the "Master key" from the dropdown menu.
  11. Click on the "Continue" button at the bottom of the configuration page.
  12. Review the new cluster configuration and click on the "Launch configuration" button at the bottom to launch the new cluster.
  13. Once the new "Cluster Status" value changes to available and the "DB Health" status changes to healthy, the new cluster can be used to load the existing data from the unencrypted cluster into the encrypted cluster using the Amazon Redshift Unload/Copy utility.
  14. Once the data migration from the unencrypted cluster to the new encrypted cluster is complete, delete the old unencrypted cluster.
  15. Select the older unencrypted cluster, click on the "Cluster" dropdown menu at the top and click on the "Delete" option.
  16. On the "Delete Cluster" tab click on the "Delete" button to delete the unencrypted cluster.
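As an added example (not part of this page or the plugin's own code), the following Python function performs the same check as steps 4 and 5 against the output of the Redshift DescribeClusters API, so every cluster in a region can be verified at once instead of one at a time in the console. It reads the `Encrypted` and `KmsKeyId` fields of each cluster record; the response embedded below is a constructed sample that mimics the shape of a boto3 `describe_clusters()` result, and the live boto3 call is shown in a comment rather than executed.

```python
"""Evaluate Redshift clusters for at-rest encryption from DescribeClusters output."""
from typing import Dict, List

# Constructed sample modelled on the shape of a boto3
# redshift.describe_clusters() response. Identifiers and the key ARN
# are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "Clusters": [
        {
            "ClusterIdentifier": "analytics-prod",
            "ClusterStatus": "available",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
        {
            "ClusterIdentifier": "reporting-legacy",
            "ClusterStatus": "available",
            "Encrypted": False,
        },
        {
            # Encrypted, but the sample omits KmsKeyId to show that the
            # Encrypted flag alone decides the result.
            "ClusterIdentifier": "staging",
            "ClusterStatus": "creating",
            "Encrypted": True,
        },
    ]
}


def evaluate_clusters(response: Dict) -> List[Dict[str, str]]:
    """Return one finding per cluster: PASS if at-rest encryption is on, FAIL otherwise.

    Mirrors console steps 4-5: the "Encrypted" property is the authoritative
    flag. When a KmsKeyId is present it is included in the message so a
    reviewer can confirm which key protects the cluster.
    """
    findings = []
    for cluster in response.get("Clusters", []):
        name = cluster.get("ClusterIdentifier", "<unknown>")
        if cluster.get("Encrypted") is True:
            key = cluster.get("KmsKeyId")
            message = "at-rest encryption enabled"
            if key:
                message += f" (KmsKeyId: {key})"
            findings.append({"cluster": name, "status": "PASS", "message": message})
        else:
            # Encryption cannot be switched on after launch (see Recommended
            # Action above), so the remediation is a new encrypted cluster.
            findings.append({
                "cluster": name,
                "status": "FAIL",
                "message": "not encrypted; launch a new encrypted cluster and migrate data",
            })
    return findings


def unencrypted_cluster_ids(response: Dict) -> List[str]:
    """Convenience helper: identifiers of clusters that fail the check."""
    return [f["cluster"] for f in evaluate_clusters(response) if f["status"] == "FAIL"]


if __name__ == "__main__":
    # To run against a live account, replace SAMPLE_RESPONSE with:
    #   import boto3
    #   response = boto3.client("redshift", region_name="us-east-1").describe_clusters()
    for finding in evaluate_clusters(SAMPLE_RESPONSE):
        print(f"{finding['status']:4} {finding['cluster']}: {finding['message']}")
```

The live call requires only `redshift:DescribeClusters` permission, so the check can run under a read-only audit role; pagination via `Marker` would be needed in accounts with many clusters.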
