🛡️ AWS Redshift Cluster Enhanced VPC Routing is not enabled🟢

• Contextual name: 🛡️ Cluster Enhanced VPC Routing is not enabled🟢
• ID: /ce/ca/aws/redshift/cluster-enhanced-vpc-routing
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Redshift Cluster
  • 🔌 AWS Redshift Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Redshift.7] Redshift clusters should use enhanced VPC routing

Description

Open File

Description

This policy identifies AWS Redshift Clusters that have Enhanced VPC Routing disabled. When enabled, this feature forces all COPY and UNLOAD traffic between the cluster and data repositories (such as Amazon S3) to flow through the associated VPC.

Rationale

When Enhanced VPC Routing is disabled, Amazon Redshift may route traffic over the public internet when communicating with other AWS services. Enabling this feature ensures that data transfers remain within the AWS network and allows you to enforce network-level controls using VPC security groups and network access control lists. This improves security, enables better visibility through VPC Flow Logs, and can help reduce data egress exposure.

Impact

Because Enhanced VPC Routing changes how Amazon Redshift accesses external resources, COPY and UNLOAD operations may fail if the VPC is not configured correctly. You must explicitly establish a valid network path between the cluster’s VPC and the target data resources.

There is no additional charge for enabling Enhanced VPC Routing. However, standard data transfer charges may apply in certain scenarios, for example:

... see more

Remediation

Open File

Remediation

Enable Enhanced VPC Routing

To ensure that data transfers between Amazon Redshift and external data repositories remain within your VPC, enable Enhanced VPC Routing on the cluster. This allows you to apply network-level security controls and improve visibility into data movement.

From Command Line

Use the following AWS CLI command to enable Enhanced VPC Routing for the specified Redshift cluster:

aws redshift modify-cluster \
    --cluster-identifier {{cluster-id}} \
    --enhanced-vpc-routing

Note: Enabling Enhanced VPC Routing may require a cluster restart and proper VPC configuration (such as routes, NAT gateways, or VPC endpoints) to ensure that COPY and UNLOAD operations continue to function as expected.

Post-Remediation Validation

• Verify that the cluster status returns to available after the change.
• Confirm that COPY and UNLOAD operations complete successfully using the configured private network paths.
• Review VPC Flow Logs to validate that traffic is routed through the VPC as intended.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.7] Redshift clusters should use enhanced VPC routing			1		no data
💼 Cloudaware Framework → 💼 Secure Access			75		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37		no data