Description:

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster.

Redshift supports SSL connections to encrypt data in transit, and server certificates that the client can use to validate the server it connects to.

Rationale:

Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.

Impact:

TLS (Transport Layer Security) is a security protocol that provides privacy and data integrity for Internet communications. Requiring TLS on connections to the Redshift cluster helps prevent data breaches: it hides the data from third parties and ensures that it has not been tampered with by unauthorized persons. In other words, this policy protects against man-in-the-middle (MITM) attacks.

Default Value:

By default, encryption in the Redshift cluster is disabled, and the cluster uses the parameter group default.redshift-1.0, which is not editable.


Pre-Requisite:

  1. Redshift must contain at least one cluster.

  2. The default parameter group is not editable, so you need to create a parameter group before the implementation steps.




Remediation:

Test Plan:

Step 1: Log in to AWS Management Console and go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2

Step 2: Choose a cluster to examine 

Step 3: In the selected cluster go to the properties tab 

Step 4: In the Properties tab, look at Data configurations. It shows the Parameter group and Encryption, where you can see whether encryption is enabled or disabled

Step 5: In the default parameter group, require_ssl is set to false and is not editable. To examine it, click on the default parameter group

Step 6: Click on the Parameters tab

In the parameters, we can see that require_ssl is false

Using AWS CLI:

  1. First, run the describe-clusters command to list the cluster identifiers

    aws redshift describe-clusters \
      --region <region> \
      --output table \
      --query 'Clusters[*].ClusterIdentifier'

  2. List the parameter data of the cluster's parameter group

    aws redshift describe-cluster-parameters \
      --region us-east-1 \
      --parameter-group-name cc-cluster-redshift-param-group
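
The Test Plan check above, automated as an added example (not part of the original page and not AWS tooling): it evaluates saved `describe-clusters` and `describe-cluster-parameters` JSON output against the require_ssl rule. The cluster names, the sample JSON and the PENDING label are constructed for illustration; treating any ParameterApplyStatus other than in-sync as "not yet effective" is an assumption.

```python
import json

# Constructed sample of `aws redshift describe-clusters` output (not real clusters).
CLUSTERS = json.loads("""
{"Clusters": [
  {"ClusterIdentifier": "analytics-prod",
   "ClusterParameterGroups": [{"ParameterGroupName": "cc-cluster-redshift-param-group",
                               "ParameterApplyStatus": "in-sync"}]},
  {"ClusterIdentifier": "analytics-dev",
   "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0",
                               "ParameterApplyStatus": "in-sync"}]},
  {"ClusterIdentifier": "analytics-stage",
   "ClusterParameterGroups": [{"ParameterGroupName": "cc-cluster-redshift-param-group",
                               "ParameterApplyStatus": "pending-reboot"}]}
]}
""")

# Constructed `describe-cluster-parameters` output, keyed by parameter group name.
GROUP_PARAMS = {
    "cc-cluster-redshift-param-group": {"Parameters": [
        {"ParameterName": "require_ssl", "ParameterValue": "true"}]},
    "default.redshift-1.0": {"Parameters": [
        {"ParameterName": "require_ssl", "ParameterValue": "false"}]},
}

def requires_ssl(group_response):
    """True only if the group's require_ssl parameter is explicitly 'true'."""
    for p in group_response.get("Parameters", []):
        if p.get("ParameterName") == "require_ssl":
            return str(p.get("ParameterValue", "")).lower() == "true"
    return False  # parameter missing: treat as not enforced

def evaluate(clusters, group_params):
    """Map each cluster identifier to COMPLIANT, PENDING or NON_COMPLIANT."""
    result = {}
    for c in clusters.get("Clusters", []):
        groups = c.get("ClusterParameterGroups", [])
        enforced = bool(groups) and all(
            requires_ssl(group_params.get(g["ParameterGroupName"], {})) for g in groups)
        applied = all(g.get("ParameterApplyStatus") == "in-sync" for g in groups)
        if not enforced:
            result[c["ClusterIdentifier"]] = "NON_COMPLIANT"
        else:
            result[c["ClusterIdentifier"]] = "COMPLIANT" if applied else "PENDING"
    return result

if __name__ == "__main__":
    for cluster, status in evaluate(CLUSTERS, GROUP_PARAMS).items():
        print(f"{cluster}: {status}")
```

To use it on real data, replace the constructed samples with the JSON saved from the two CLI commands above (run with `--output json`).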


Implementation Steps:

Step 1: Log in to AWS Management Console and go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2

Step 2: Choose a cluster to examine 


Step 3: In the selected cluster go to the properties tab 



Step 4: First, enable encryption by clicking on the Edit button and then on Edit encryption

Choose the encryption option as per your organization's policy

Next, in the parameter group, change the value of require_ssl from false to true. The steps below change the value in your own parameter group, not in the default group; we assume that you have already created the parameter group.

Step 5: Click on the parameter group attached to your cluster

Step 6: Go to the Parameters tab in the selected parameter group

Step 7: Click on the Edit Parameters button, set the require_ssl value to true and click on the Save button


Step 8: Go to the Parameters tab in the selected parameter group

Step 9: Click on the Edit Parameters button

Step 10: Set the require_ssl value to true and click on the Save button



Using AWS CLI:

Syntax to modify a Redshift parameter group:

    aws redshift modify-cluster-parameter-group \
      --parameter-group-name parameter_group_name \
      --parameters ParameterName=parameter_name,ParameterValue=parameter_value

Modify the cluster's parameter group to change the value of require_ssl to true:

    aws redshift modify-cluster-parameter-group \
      --parameter-group-name <parameter group name> \
      --parameters ParameterName=require_ssl,ParameterValue=true


Backout Plan:

Step 1: Log in to AWS Management Console and go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2

Step 2: Choose a cluster to examine

Step 3: In the selected cluster go to the properties tab

Step 4: Click on the Parameter group

Step 5: Click on the Parameter

Step 6: Click on the Edit Parameter

Step 7: Change the value of require_ssl to false

Step 8: Click on Save changes


Using AWS CLI:

To modify the parameter group:

    aws redshift modify-cluster-parameter-group \
      --parameter-group-name <parameter group name> \
      --parameters ParameterName=require_ssl,ParameterValue=false
