Non-encrypted confidential information - Redshift Cluster - cloudformation
Need

Encryption of confidential information in AWS Redshift Cluster

Context

  • Usage of CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS Redshift cluster resources for managing Amazon Redshift clusters

Description

Non-compliant code

    Resources:
      MyRedshiftCluster:
        Type: AWS::Redshift::Cluster
        Properties:
          ClusterIdentifier: tf-redshift-cluster
          DBName: mydb
          MasterUsername: foo
          MasterUserPassword: Mustbe8characters
          NodeType: dc1.large
          ClusterType: single-node

This CloudFormation template creates an Amazon Redshift cluster without encryption. The `AWS::Redshift::Cluster` resource defines the properties of the cluster, but the `Encrypted` property is omitted, and Redshift leaves encryption at rest disabled unless that property is explicitly set to `true`. If an unauthorized individual gains access to the cluster's underlying storage or snapshots, they can read the data without needing any encryption key, which is a significant risk whenever sensitive data is stored. Enabling encryption is essential to protect data at rest.

Steps

  • Enable encryption for the AWS Redshift cluster
  • Add an `AWS::KMS::Key` resource with appropriate permissions
  • Set the `Encrypted` property to `true` in `AWS::Redshift::Cluster`
  • Set the `KmsKeyId` property to reference the created KMS key

Compliant code

    Resources:
      RedshiftKmsKey:
        Type: AWS::KMS::Key
        Properties:
          Description: KMS key for Redshift
          KeyPolicy:
            Version: "2012-10-17"
            Id: key-default-1
            Statement:
              - Sid: Enable IAM User Permissions
                Effect: Allow
                Principal:
                  AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
                Action: kms:*
                Resource: "*"

      MyRedshiftCluster:
        Type: AWS::Redshift::Cluster
        Properties:
          ClusterIdentifier: tf-redshift-cluster
          DBName: mydb
          MasterUsername: foo
          MasterUserPassword: Mustbe8characters
          NodeType: dc1.large
          ClusterType: single-node
          Encrypted: true
          KmsKeyId: !Ref RedshiftKmsKey

This CloudFormation template enables encryption for the Redshift cluster using AWS KMS. The `AWS::KMS::Key` resource creates a KMS key with a basic key policy that grants full access to the account root. The `AWS::Redshift::Cluster` resource enables encryption by setting the `Encrypted` property to `true` and pointing `KmsKeyId` at the key created in the same template via `!Ref RedshiftKmsKey`. This ensures that data in the cluster is encrypted at rest and can only be read by principals with the appropriate KMS permissions on that key.
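To catch this misconfiguration before a template is deployed, the check can be automated over the template's `Resources` section. The following is an added example, not part of the original page and not a Fluid Attacks or AWS tool: a small Python linter that reads a CloudFormation template in its JSON form (the JSON equivalents of the two YAML templates above, plus one extra constructed variant, are embedded inline) and reports every `AWS::Redshift::Cluster` that is not encrypted, is encrypted without a `KmsKeyId`, or whose `KmsKeyId` `Ref` does not resolve to an `AWS::KMS::Key` in the same template. The resource and function names are the author's own choices.

```python
"""Flag AWS::Redshift::Cluster resources that are not encrypted with a KMS key.

Added example: checks CloudFormation templates written in JSON syntax
(the JSON form of the page's YAML templates). Only the standard library is used.
"""
import json

# Constructed sample: JSON form of the page's non-compliant template.
NONCOMPLIANT_TEMPLATE = """{
  "Resources": {
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "MasterUsername": "foo",
        "MasterUserPassword": "Mustbe8characters",
        "NodeType": "dc1.large",
        "ClusterType": "single-node"
      }
    }
  }
}"""

# Constructed sample: JSON form of the page's compliant template.
COMPLIANT_TEMPLATE = """{
  "Resources": {
    "RedshiftKmsKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "KMS key for Redshift",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
            "Action": "kms:*",
            "Resource": "*"
          }]
        }
      }
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "NodeType": "dc1.large",
        "ClusterType": "single-node",
        "Encrypted": true,
        "KmsKeyId": {"Ref": "RedshiftKmsKey"}
      }
    }
  }
}"""

# Constructed edge case: Encrypted is set, but KmsKeyId points at a resource
# that is not declared in the template (a dangling Ref).
DANGLING_REF_TEMPLATE = """{
  "Resources": {
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "NodeType": "dc1.large",
        "ClusterType": "single-node",
        "Encrypted": true,
        "KmsKeyId": {"Ref": "MissingKey"}
      }
    }
  }
}"""


def find_unencrypted_redshift(template_text):
    """Return a list of findings (strings) for Redshift clusters in the template.

    An empty list means every AWS::Redshift::Cluster is encrypted and bound to an
    AWS::KMS::Key declared in the same template.
    """
    template = json.loads(template_text)
    resources = template.get("Resources", {})
    findings = []
    for name, resource in resources.items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        props = resource.get("Properties", {})
        # CloudFormation accepts the boolean or the string "true" for this property.
        if props.get("Encrypted", False) not in (True, "true"):
            findings.append(f"{name}: Encrypted is not true; data at rest is unencrypted")
            continue
        kms_key = props.get("KmsKeyId")
        if kms_key is None:
            findings.append(f"{name}: Encrypted but KmsKeyId is not set")
        elif isinstance(kms_key, dict) and "Ref" in kms_key:
            target = resources.get(kms_key["Ref"], {})
            if target.get("Type") != "AWS::KMS::Key":
                findings.append(
                    f"{name}: KmsKeyId refers to {kms_key['Ref']!r}, "
                    "which is not an AWS::KMS::Key in this template"
                )
    return findings


if __name__ == "__main__":
    for label, text in (("non-compliant", NONCOMPLIANT_TEMPLATE),
                        ("compliant", COMPLIANT_TEMPLATE),
                        ("dangling-ref", DANGLING_REF_TEMPLATE)):
        print(label, "->", find_unencrypted_redshift(text) or "OK")
```

A literal key ID or ARN in `KmsKeyId` is accepted as-is by this check, since only in-template `Ref`s can be resolved offline; validating an external key is a job for a deploy-time check against the account.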