🛡️ AWS Redshift Cluster is not required to use encryption in transit🟢

Contextual name: 🛡️ Cluster is not required to use encryption in transit🟢
ID: /ce/ca/aws/redshift/cluster-ecryption-in-transit
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Redshift Cluster
- 🔌 AWS Redshift Cluster - object.extracts.yaml
- 🔌 AWS Redshift Cluster Parameter - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

Description

Description

This policy identifies AWS Redshift Clusters that are not configured to enforce SSL/TLS encryption for all client connections.

Rationale

Enforcing encryption in transit ensures that all data transmitted between clients and the Redshift cluster is protected from interception and unauthorized access. This control is critical for maintaining data confidentiality and integrity, as well as for meeting organizational and regulatory security requirements.

Audit

This policy flags an AWS Redshift Cluster as INCOMPLIANT if its related AWS Redshift Cluster Parameter Group contains the require_ssl Parameter set to false.

The Cluster is marked as UNDETERMINED if the Cluster Parameter Group or the require_ssl Parameter is not present in the CMDB.

Remediation

Open File

Remediation

Enforce SSL/TLS Connections for Redshift Clusters

To ensure all client connections use SSL/TLS, update the Redshift cluster parameter group to enable the require_ssl parameter.

Prerequisites

Verify the cluster status is available before making changes

Plan for a maintenance window, as a reboot is required

From Command Line
Identify the Parameter Group Associated with the Cluster

Retrieve the name of the parameter group attached to your Redshift cluster:
aws redshift describe-clusters \
    --cluster-identifier {{cluster-id}} \
    --query "Clusters[0].ClusterParameterGroups[0].ParameterGroupName" \
    --output text
Update the require_ssl Parameter

Modify the identified parameter group to enforce SSL/TLS connections:
aws redshift modify-cluster-parameter-group \
    --parameter-group-name {{parameter-group-name}} \
    --parameters "ParameterName=require_ssl,ParameterValue=true"
Reboot the Cluster

Apply the updated parameter group settings by rebooting the cluster:
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit			1	no data
💼 AWS Well-Architected → 💼 SEC09-BP03 Authenticate network communications			3	no data
💼 Cloudaware Framework → 💼 Data Encryption			70	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	25	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	24	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43	no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	21	no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			21	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	25	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		15	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			14	no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28	no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28	no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enforce SSL/TLS Connections for Redshift Clusters​

Prerequisites​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enforce SSL/TLS Connections for Redshift Clusters

Prerequisites

From Command Line

policy.yaml

Linked Framework Sections