Skip to main content

πŸ›‘οΈ AWS Redshift Cluster is not encrypted at rest🟒

  • Contextual name: πŸ›‘οΈ Cluster is not encrypted at rest🟒
  • ID: /ce/ca/aws/redshift/cluster-ecryption-at-rest
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

This policy identifies AWS Redshift Clusters that do not have encryption at rest enabled.

Rationale​

Encryption at rest is a fundamental security control that ensures only authorized users with the appropriate AWS KMS permissions can access cluster data. It protects sensitive information by making it unreadable in the event that physical storage media is compromised.

Audit​

This policy flags an Amazon Redshift Cluster as INCOMPLIANT if Encryption is not set to Enabled.

Remediation​

Open File

Remediation​

Enable Encryption at Rest​

To secure your Amazon Redshift cluster, enable encryption at rest using AWS KMS. When you enable encryption, Redshift automatically migrates your data to a new encrypted cluster. During this migration, the cluster remains available in read-only mode, and the cluster status appears as resizing.

Note: If cross-region snapshot copy is enabled, you must disable it before enabling encryption.

From Command Line​

Use the following AWS CLI command to modify an unencrypted cluster and enable encryption. By default, the cluster uses the AWS-managed KMS key. To use a customer-managed key, include the --kms-key-id option:

aws redshift modify-cluster \
    --cluster-identifier {{cluster-id}} \
    --encrypted \
    --kms-key-id {{kms-key-id}}

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Redshift.10] Redshift clusters should be encrypted at rest1no data
πŸ’Ό AWS Well-Architected β†’ πŸ’Ό SEC08-BP02 Enforce encryption at rest20no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption70no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1643no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1736no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)525no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)136no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)25no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)136no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)25no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected185no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected158no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected183no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks54no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection432no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31737no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1025no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection27no data