🛡️ AWS Redshift Cluster Automated Snapshot Retention Period is not set🟢

• Contextual name: 🛡️ Cluster Automated Snapshot Retention Period is not set🟢
• ID: /ce/ca/aws/redshift/cluster-snapshot-retention
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Redshift Cluster
  • 🔌 AWS Redshift Cluster - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
• Cloud Conformity: Redshift Automated Snapshot Retention Period

Description

Open File

Description

This policy identifies AWS Redshift Clusters that do not have automated snapshots enabled.

Amazon Redshift automatically takes snapshots of clusters based on the configured snapshot retention period, which defines the number of days automated snapshots are retained. When the retention period is set to 0, automated snapshots are disabled. While manual snapshots can still be created in this configuration, automated snapshots provide a more reliable and consistent mechanism for data protection and recovery.

Rationale

Automated snapshots provide a critical safety net for Amazon Redshift environments. Without automated snapshots, point-in-time recovery is not possible in the event of accidental data deletion, data corruption, malicious activity (such as ransomware), or infrastructure failures.

Impact

Automated snapshots incur storage costs. Organizations should balance the snapshot retention period against storage expenses while ensuring adequate data protection and recoverability.

Audit

This policy flags an AWS Redshift Cluster as INCOMPLIANT when the Automated Snapshot Retention Period is set to 0.

Remediation

Open File

Remediation

Enable Automated Snapshots

Update the configuration of the affected Redshift cluster to enable automated snapshots by setting a positive automated snapshot retention period.

The automated snapshot retention period determines how many days Amazon Redshift retains automated backups. Valid values range from 1 to 35 days. Setting this value to 0 disables automated snapshots.

From Command Line

Run the following AWS CLI command to enable automated snapshots for the selected Amazon Redshift cluster:

aws redshift modify-cluster \
    --region {{region}} \
    --cluster-identifier {{cluster-id}} \
    --automated-snapshot-retention-period 7

Adjust the --automated-snapshot-retention-period value as needed to align with your organization's backup retention requirements.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled			1		no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery			25		no data
💼 FedRAMP High Security Controls → 💼 CP-6 Alternate Storage Site (M)(H)	3		20		no data
💼 FedRAMP High Security Controls → 💼 CP-6(1) Separation from Primary Site (M)(H)			6		no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)			20		no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	16		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		21		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			14		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-6 Alternate Storage Site (M)(H)	2		6		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-6(1) Separation from Primary Site (M)(H)			6		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		16		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		21		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197		no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			18		no data
💼 NIST CSF v2.0 → 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained			6		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			21		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			21		no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			10		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			21		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6 Alternate Storage Site	3		20		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(1) Alternate Storage Site _ Separation from Primary Site			6		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			20		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		21		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			24		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			20		no data