Profile Applicability:
Level 1
Description:
Amazon Redshift provides the capability to encrypt data in transit between your Redshift clusters and client applications. This is achieved by using SSL/TLS encryption for all network communication between the client and Redshift. Enabling encryption in transit ensures that sensitive data, such as user credentials and query results, is protected while it is transmitted over the network, safeguarding it from eavesdropping and tampering.
By ensuring connections to Redshift clusters are encrypted in transit, you are adhering to security best practices and compliance requirements for data protection, especially when handling sensitive or regulated data.
Rationale:
Data Security: Encrypting data in transit helps prevent unauthorized access, tampering, and interception of sensitive data during transmission between the client and the cluster.
Compliance: Many industry regulations and compliance standards (e.g., PCI-DSS, HIPAA, SOC 2) require encryption for all sensitive data in transit.
Data Integrity: SSL/TLS encryption ensures that the data transmitted between the client and Redshift is not altered or corrupted during transit.
Protection Against Man-in-the-Middle Attacks: Encryption in transit helps prevent man-in-the-middle attacks, where an attacker could intercept and modify data while it is being transmitted over the network.
Impact:
Pros:
Improved Security: Protects sensitive data from being intercepted during transmission.
Compliance: Meets encryption standards for industry regulations that mandate encryption of data in transit.
Integrity: Ensures that the transmitted data cannot be tampered with while in transit.
No Additional Cost: Encryption in transit via SSL/TLS is included in the standard Redshift service, without incurring additional costs.
Cons:
Potential Performance Overhead: The encryption and decryption process may introduce slight latency due to the additional computational steps.
Configuration Complexity: Proper SSL/TLS configuration requires attention to detail to avoid connectivity issues, especially when using custom certificates.
Compatibility: Some client applications or legacy systems may have issues supporting SSL/TLS encryption and require additional configuration.
Default Value:
By default, Amazon Redshift supports SSL/TLS encryption for connections. However, it is not always enforced for all connections. When connecting to Redshift, you must explicitly configure the client connection string to use SSL/TLS encryption by specifying the correct parameters.
Pre-requisite:
AWS IAM Permissions:
redshift:DescribeClusters
redshift:ModifyCluster
AWS CLI installed and configured.
Redshift Cluster must be active and accessible for modifications.
SSL Certificate must be available for secure connections (either Amazon-managed or custom).
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Redshift under Services.
In the Redshift Dashboard, select the cluster you want to check.
Under the Cluster Properties, check the Cluster Security Settings:
If SSL/TLS is enabled, the SSL connection will be indicated as supported.
If SSL/TLS is not enabled, the cluster's connection details will show that encryption is not enforced for client connections.
To ensure that connections are encrypted, click Modify Cluster and make sure Enable SSL for Client Connections is enabled (if it’s not already enabled).
Save the changes and verify the configuration.
Using AWS CLI:
To check if SSL encryption is enabled for the Redshift cluster, run:
aws redshift describe-clusters --query 'Clusters[*].{ClusterId:ClusterIdentifier,SSLEnabled:AllowSslConnections}'To enable SSL encryption for a Redshift cluster, run:
aws redshift modify-cluster --cluster-identifier <cluster-id> --enable-ssl
To confirm the change, run:
aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].{ClusterId:ClusterIdentifier,SSLEnabled:AllowSslConnections}'Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon Redshift.
In the Redshift Dashboard, select the Redshift Cluster you want to check.
Under Cluster Properties, check if SSL Encryption is enabled.
If SSL Encryption is not enabled:
Click Modify Cluster.
In the Cluster Security section, enable SSL Encryption for client connections.
Save the changes, and the cluster will restart to apply the changes.
Verify that SSL is enabled by checking the Connection Settings in the cluster.
Using AWS CLI:
To enable SSL on a Redshift cluster, run:
aws redshift modify-cluster --cluster-identifier <cluster-id> --enable-ssl
To verify that SSL encryption is enabled for the cluster:
aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].{ClusterId:ClusterIdentifier,SSLEnabled:AllowSslConnections}'Backout Plan:
Console Process
Go to the Amazon Redshift Console:
Open the Amazon Redshift console.
Select your cluster from the list.
Check Encryption Setting:
In the cluster details, look for the Encryption in Transit setting under Cluster Properties.
Ensure that SSL/TLS is enabled for connections.
CLI Process
Describe the Cluster:
aws redshift describe-clusters --cluster-identifier <cluster-name>
Check the Output:
Look for the EncryptedInTransit field in the output.
If it says true, connections are encrypted in transit.
Note:
Testing SSL: Before enabling SSL in production, ensure that your clients and applications support SSL encryption and that the necessary SSL certificates are in place.
Connection String: Ensure your client connection strings are properly configured to use SSL. You may need to add the ssl=true parameter to the connection URL for some client applications.
