Encryption of confidential information in AWS Redshift Cluster
```yaml
Resources:
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      MasterUsername: foo
      MasterUserPassword: Mustbe8characters
      NodeType: dc1.large
      ClusterType: single-node
```
This CloudFormation template creates an Amazon Redshift cluster without encryption. The AWS::Redshift::Cluster resource defines the properties of the cluster, but the Encrypted property is omitted, and it defaults to false, so the cluster's storage is not encrypted at rest.
Without encryption at rest, anyone who obtains the underlying storage, a cluster snapshot, or a backup copy can read the data directly; no key and no KMS permission stand in the way. That is a significant risk for any cluster that holds sensitive data. Enabling encryption at rest is therefore essential, and it is far simpler to set at creation time than to add later, because converting a running cluster to an encrypted one triggers a data migration.
Separately, the plaintext MasterUserPassword committed in this template is its own finding: a template checked into source control should pull the password from AWS Secrets Manager via a dynamic reference rather than embedding it.
```yaml
Resources:
  RedshiftKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for Redshift
      KeyPolicy:
        Version: "2012-10-17"
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      MasterUsername: foo
      MasterUserPassword: Mustbe8characters
      NodeType: dc1.large
      ClusterType: single-node
      Encrypted: true
      KmsKeyId: !Ref RedshiftKmsKey
```
This CloudFormation template enables encryption for the Redshift cluster using a customer managed AWS KMS key. The AWS::KMS::Key resource creates the key with the default key policy, which grants kms:* to the account root and thereby lets IAM policies in the account govern who may use the key. The AWS::Redshift::Cluster resource enables encryption by setting the Encrypted property to true and passing the key in KmsKeyId. Note that !Ref on an AWS::KMS::Key returns the key ID, not the ARN; KmsKeyId accepts either, so use !GetAtt RedshiftKmsKey.Arn if you specifically want the ARN.
With this in place the cluster's data at rest, including its snapshots, is encrypted, and reading it requires both access to the cluster and permission to use the KMS key. Because the key is customer managed rather than the AWS-managed default key, you also control its key policy, rotation, and audit trail, and can disable it to cut off access in an incident. Setting Encrypted: true without a KmsKeyId still encrypts the cluster, but under the AWS-managed key, which gives you none of that control.
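The check that the rule above describes, expressed as a small scanner a practitioner could run in CI before a template is deployed. This is an added example, not code from the original page or from any tool; it works on the JSON form of CloudFormation templates so that it needs only the Python standard library, and the three templates embedded in it are constructed to mirror the YAML in the text (the insecure cluster, the fixed cluster, and a third variant that is encrypted without a KmsKeyId). The require_cmk parameter and the finding strings are this example's own.

```python
"""Flag AWS::Redshift::Cluster resources that are not encrypted at rest.

Added example for this page; not the page's own code. Templates are handled in
CloudFormation's JSON form so no YAML library is needed.
"""
import json

# Constructed sample: the insecure template from the page, as JSON.
INSECURE_TEMPLATE = json.dumps({
    "Resources": {
        "MyRedshiftCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {
                "ClusterIdentifier": "tf-redshift-cluster",
                "DBName": "mydb",
                "MasterUsername": "foo",
                "NodeType": "dc1.large",
                "ClusterType": "single-node",
            },
        }
    }
})

# Constructed sample: the fixed template, encrypted with a customer managed key.
SECURE_TEMPLATE = json.dumps({
    "Resources": {
        "RedshiftKmsKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"Description": "KMS key for Redshift"},
        },
        "MyRedshiftCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {
                "ClusterIdentifier": "tf-redshift-cluster",
                "NodeType": "dc1.large",
                "ClusterType": "single-node",
                "Encrypted": True,
                "KmsKeyId": {"Ref": "RedshiftKmsKey"},
            },
        },
    }
})

# Constructed sample: encrypted, but with no KmsKeyId, so under the AWS-managed key.
AWS_MANAGED_KEY_TEMPLATE = json.dumps({
    "Resources": {
        "MyRedshiftCluster": {
            "Type": "AWS::Redshift::Cluster",
            "Properties": {
                "NodeType": "dc1.large",
                "ClusterType": "single-node",
                "Encrypted": "true",   # CloudFormation also accepts the string form
            },
        }
    }
})


def _is_true(value):
    """CloudFormation accepts a boolean or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_redshift_encryption(template_text, require_cmk=False):
    """Return [(logical_id, finding), ...] for each Redshift cluster that fails.

    A cluster passes when Encrypted is true. With require_cmk=True (a parameter
    of this example) it must also name a KmsKeyId, so that it uses a customer
    managed key rather than the AWS-managed default key.
    """
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = resource.get("Properties", {})
        if not _is_true(props.get("Encrypted", False)):
            findings.append((logical_id, "Encrypted is not set to true"))
            continue
        if require_cmk and not props.get("KmsKeyId"):
            findings.append((logical_id, "Encrypted but no KmsKeyId (AWS managed key)"))
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_TEMPLATE),
                       ("secure", SECURE_TEMPLATE),
                       ("aws-managed", AWS_MANAGED_KEY_TEMPLATE)):
        print(name, check_redshift_encryption(text, require_cmk=True))
```

The scanner treats a missing Encrypted property the same as Encrypted: false, which matches the CloudFormation default, and it accepts either a boolean or the string "true" because both forms appear in real templates. Run it with require_cmk=True when your policy mandates customer managed keys; with the default it only enforces that encryption at rest is on.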