Description: 

Amazon Redshift is a data warehouse service. You can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption, using either an AWS-managed key or a customer-managed key (CMK). When you modify your cluster to enable KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster.

Rationale:

Data protection refers to protecting data while in transit (as it travels to and from Amazon Redshift) and at rest (while it is stored on disks in Amazon Redshift data centers). You can protect data in transit by using SSL or by using client-side encryption. Amazon Redshift protects data at rest through encryption. Optionally, you can protect all data stored on disks within a cluster and all backups in Amazon S3 with the Advanced Encryption Standard (AES-256).

Impact:

When data is received from an unknown source, security becomes a major concern, because the user wants assurance that no harm comes to their data through any third-party intrusion. This is where cluster encryption plays an important role in encrypting and securing users' data.

Default Value:

Encryption is disabled by default in Amazon Redshift.

Pre-requisites:

A cluster should be available.

Remediation 

Test plan:

  1. Sign in to the AWS Management Console

  2. Go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2/

  3. In the left navigation pane, click Clusters

  4. Select the cluster whose encryption status you need to check

  5. After selecting the cluster, go to the Properties tab

  6. On the right side, near Audit logging, the Encryption status is displayed.

CLI Commands

To check the encryption status of a cluster (Encrypted is true and a KmsKeyId is reported when KMS encryption is enabled):

aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier <value> \
  --query 'Clusters[0].[ClusterIdentifier,Encrypted,KmsKeyId]'
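The same check run over a whole region: save the output of aws redshift describe-clusters to a file and audit every cluster in it at once. This is an added example, not part of the original test plan or an AWS tool; the cluster names, account ID and key ARN in the embedded sample are constructed, while the field names (Clusters, ClusterIdentifier, ClusterStatus, Encrypted, KmsKeyId) are the real describe-clusters output fields.

```python
"""Audit Amazon Redshift clusters for KMS encryption.

Input is the JSON printed by `aws redshift describe-clusters`. A cluster
passes when Encrypted is true and a KmsKeyId is reported; a cluster that is
encrypted but reports no KMS key is flagged for review, since this check
is specifically about AWS KMS encryption (AWS-managed key or CMK).
"""
import json
import sys

# Constructed sample shaped like `aws redshift describe-clusters` output.
# Names, account ID and key ARN are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "analytics-prod", "ClusterStatus": "available",
         "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"ClusterIdentifier": "reporting-dev", "ClusterStatus": "available",
         "Encrypted": False},
        {"ClusterIdentifier": "legacy-cluster", "ClusterStatus": "available",
         "Encrypted": True},  # encrypted, but no KMS key reported
    ]
})


def audit_clusters(describe_output):
    """Return one finding per cluster as (identifier, compliant, reason)."""
    findings = []
    for cluster in json.loads(describe_output).get("Clusters", []):
        ident = cluster.get("ClusterIdentifier", "<unknown>")
        if not cluster.get("Encrypted", False):
            findings.append((ident, False, "encryption disabled"))
        elif not cluster.get("KmsKeyId"):
            findings.append((ident, False, "encrypted but no KMS key reported"))
        else:
            findings.append((ident, True, "KMS key " + cluster["KmsKeyId"]))
    return findings


def non_compliant_cluster_ids(describe_output):
    """Identifiers of clusters that need the remediation in this document."""
    return [ident for ident, ok, _ in audit_clusters(describe_output) if not ok]


if __name__ == "__main__":
    # Pass a file saved from `aws redshift describe-clusters` as argv[1];
    # without an argument the constructed sample is audited.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    for ident, ok, reason in audit_clusters(data):
        print(f"{'PASS' if ok else 'FAIL'}  {ident}: {reason}")
```

Run it as python audit_redshift.py clusters.json after saving the describe-clusters output for the region you are reviewing.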

Implementation

  1. Sign in to the AWS Management Console

  2. Go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2/

  3. In the left navigation pane, click Clusters

  4. Select the cluster for which you need to enable encryption

  5. After selecting the cluster, go to the Properties tab

  6. Click Edit on the right side

  7. From the dropdown menu, select Edit encryption and choose an encryption option (AWS-managed key or customer-managed key)

  8. Provide the AWS KMS key details (the KMS key ID).

  9. Finally, click Save changes.

CLI Commands

To enable KMS encryption on a Redshift cluster (--kms-key-id is optional; omit it to use the AWS-managed key for Redshift):

aws redshift modify-cluster \
  --cluster-identifier <value> \
  --encrypted \
  --kms-key-id <value>

Backout plan:

  1. Sign in to the AWS Management Console

  2. Go to the Redshift dashboard at https://console.aws.amazon.com/redshiftv2/

  3. In the left navigation pane, click Clusters

  4. Select the cluster for which you need to disable encryption

  5. After selecting the cluster, click on Properties

  6. Click Edit on the right side

  7. From the dropdown menu, select Edit encryption and choose the Disabled option.

  8. Finally, click Save changes.

CLI Commands

To disable encryption on a cluster