Skip to main content

πŸ›‘οΈ AWS Redshift Cluster is not encrypted at rest🟒

  • Contextual name: πŸ›‘οΈ Cluster is not encrypted at rest🟒
  • ID: /ce/ca/aws/redshift/cluster-ecryption-at-rest
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

This policy identifies AWS Redshift Clusters that do not have encryption at rest enabled.

Rationale​

Encryption at rest is a fundamental security control that ensures only authorized users with appropriate AWS KMS permissions can access cluster data. It protects sensitive information by making it unreadable if physical storage media is compromised.

Audit​

This policy flags an Amazon Redshift Cluster as INCOMPLIANT if Encryption is not set to Enabled.

Remediation​

Open File

Remediation​

Enable Encryption at Rest​

To secure your Amazon Redshift cluster, enable encryption at rest using AWS KMS. When you enable encryption, Redshift automatically migrates your data to a new encrypted cluster. During this migration, the cluster remains available in read-only mode, and the cluster status appears as resizing.

Note: If cross-region snapshot copy is enabled, you must disable it before enabling encryption.

From Command Line​

Use the following AWS CLI command to modify an unencrypted cluster and enable encryption. By default, the cluster uses the AWS-managed KMS key. To use a customer-managed key, include the --kms-key-id option:

aws redshift modify-cluster \
    --cluster-identifier {{cluster-id}} \
    --encrypted \
    --kms-key-id {{kms-key-id}}

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Redshift.10] Redshift clusters should be encrypted at rest1no data
πŸ’Ό AWS Well-Architected β†’ πŸ’Ό SEC08-BP02 Enforce encryption at rest20no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption65no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1643no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1738no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)526no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)138no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)26no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)138no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)26no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks54no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection432no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31939no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1126no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection27no data