Description:
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster.
Redshift supports SSL/TLS to encrypt connections to the cluster and provides server certificates so that clients can validate the server's identity.
Rationale:
Checks whether Amazon Redshift clusters require TLS/SSL encryption for connections from SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has the parameter require_ssl not set to true.
Impact:
TLS (Transport Layer Security) is a security protocol that provides privacy and data integrity for Internet communications. Requiring TLS on the Redshift cluster means that data in transit is hidden from third parties and cannot be tampered with by unauthorized parties, which reduces the risk of a data breach. In other words, this policy protects client connections against man-in-the-middle (MITM) attacks.
Default Value:
By default, encryption for the Redshift cluster is disabled, and the cluster uses the default parameter group default.redshift-1.0, which is not editable.
Pre-Requisite:
There must be at least one Redshift cluster in the account.
The default parameter group is not editable, so you need to create a custom parameter group before the implementation step.
Remediation:
Test Plan:
Step 1: Log in to AWS Management Console and go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2
Step 2: Choose a cluster to examine
Step 3: In the selected cluster go to the properties tab
Step 4: In the Properties tab, under Database configurations, note the Parameter group and whether Encryption is enabled or disabled
Step 5: In the default parameter group require_ssl is set to false and cannot be edited; to examine it, click on the default parameter group
Step 6: Click on the Parameters tab
In the parameter list, require_ssl shows the value false
Using AWS CLI
1. List the clusters in the region with the describe-clusters command
aws redshift describe-clusters --region <region> --output table --query 'Clusters[*].ClusterIdentifier'
2. List the parameters of the parameter group attached to the cluster
aws redshift describe-cluster-parameters \
--region us-east-1 \
--parameter-group-name cc-cluster-redshift-param-group
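The following shell script is an added example (not part of this control page) that automates the test plan above: it lists every cluster in a region, reads require_ssl from the parameter group attached to each cluster and prints a per-cluster verdict. It assumes the AWS CLI is installed with credentials allowed to call redshift:DescribeClusters and redshift:DescribeClusterParameters, and takes the region from AWS_REGION; the sample parameter listing at the bottom is constructed for offline use.

```shell
#!/bin/sh
# Added audit helper, not from the original control page. Evaluates every
# Redshift cluster in a region against the require_ssl=true requirement.
# Assumes the AWS CLI is configured with read permissions on Redshift.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # assumption: region is taken from the environment

# Extract the value of require_ssl from `describe-cluster-parameters` text
# output, where each line is "<ParameterName><TAB><ParameterValue>".
# Prints an empty line when the parameter is absent.
require_ssl_value() {
  awk -F'\t' '$1 == "require_ssl" { print $2; found = 1 } END { if (!found) print "" }'
}

# Pure verdict function (no AWS calls, so it can be checked offline):
# only a value of "true" (case-insensitive) is COMPLIANT, matching the rule.
verdict_for() {
  cluster="$1"; group="$2"; value="$3"
  case "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" in
    true) printf '%s\t%s\tCOMPLIANT\n' "$cluster" "$group" ;;
    *)    printf '%s\t%s\tNON_COMPLIANT (require_ssl=%s)\n' "$cluster" "$group" "${value:-unset}" ;;
  esac
}

# Constructed sample of describe-cluster-parameters text output (not real data).
SAMPLE_PARAMS="$(printf 'enable_user_activity_logging\tfalse\nrequire_ssl\tfalse\n')"
demo_verdict() { verdict_for demo-cluster default.redshift-1.0 "$(printf '%s\n' "$SAMPLE_PARAMS" | require_ssl_value)"; }

# Live audit: one line per cluster. A cluster still on default.redshift-1.0
# needs a custom parameter group before require_ssl can be changed, and a
# ParameterApplyStatus other than in-sync means an edit is not yet in force.
audit_clusters() {
  aws redshift describe-clusters --region "$REGION" --output text \
    --query 'Clusters[].[ClusterIdentifier, ClusterParameterGroups[0].ParameterGroupName, ClusterParameterGroups[0].ParameterApplyStatus]' |
  while IFS="$(printf '\t')" read -r cluster group apply_status; do
    value=$(aws redshift describe-cluster-parameters --region "$REGION" \
      --parameter-group-name "$group" --output text \
      --query 'Parameters[].[ParameterName, ParameterValue]' | require_ssl_value)
    verdict_for "$cluster" "$group" "$value"
    [ "$apply_status" = "in-sync" ] || \
      printf '%s\t%s\tnote: parameter apply status is %s\n' "$cluster" "$group" "$apply_status"
  done
}

# Run the live audit only when invoked as `sh audit_require_ssl.sh --run`.
if [ "${1:-}" = "--run" ]; then audit_clusters; fi
```

Without `--run` the script only defines the functions, so it can be sourced and `demo_verdict` called to see the NON_COMPLIANT output for the constructed sample.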
Implementation Steps:
Step 1: Log in to AWS Management Console and go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2
Step 2: Choose a cluster to examine
Step 3: In the selected cluster go to the properties tab
Step 4: First enable encryption by clicking on the Edit button and then on Edit encryption
Choose the encryption option as per your organization's policy
Next, change require_ssl from false to true in the cluster's parameter group. The following steps apply to a custom parameter group, not the default group; we assume you have already created one
Step 5: Click on the parameter group attached to your cluster
Step 6: Go to the Parameters tab in the selected parameter group
Step 7: Click on the Edit Parameters button, set require_ssl to true and click on the Save button
Using AWS CLI:
Syntax to modify a Redshift parameter group:
aws redshift modify-cluster-parameter-group \
--parameter-group-name parameter_group_name \
--parameters ParameterName=parameter_name,ParameterValue=parameter_value
Set require_ssl to true in the parameter group attached to the cluster:
aws redshift modify-cluster-parameter-group \
--parameter-group-name <parameter group name> \
--parameters ParameterName=require_ssl,ParameterValue=true
Backout Plan:
Step 1: Log in to AWS Management Console and go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2
Step 2: Choose a cluster to examine
Step 3: In the selected cluster go to the properties tab
Step 4: Click on the Parameter group
Step 5: Click on the Parameters tab
Step 6: Click on Edit Parameters
Step 7: Set require_ssl to false
Step 8: Click on Save changes
Using AWS CLI:
To modify the parameter group:
aws redshift modify-cluster-parameter-group \
--parameter-group-name <parameter group name> \
--parameters ParameterName=require_ssl,ParameterValue=false