More Info:
Redshift clusters should be encrypted with KMS customer master keys (CMKs) in order to have full control over data encryption and decryption.
Risk Level: High
Address: Security
Compliance Standards: NIST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate Redshift clusters that are not encrypted with KMS Customer Managed Keys (CMKs) in AWS, follow these steps in the AWS Management Console:
1. Navigate to the Amazon Redshift Console:
   - Go to the AWS Management Console (https://console.aws.amazon.com/).
   - In the “Find Services” search bar, type “Redshift” and click “Amazon Redshift” to open the Redshift Console.
2. Select the Redshift Cluster:
   - In the Redshift Console, select the cluster you want to encrypt with a KMS CMK by clicking its cluster identifier.
3. Enable Encryption:
   - On the cluster details page, click the “Cluster” dropdown menu and select “Modify”.
4. Enable Encryption with KMS CMKs:
   - In the “Cluster configuration” section, find the “Encryption” option.
   - Select the option to enable encryption.
   - Choose “KMS” as the encryption type.
   - Select the desired KMS Customer Managed Key (CMK) from the dropdown menu. If you don’t have a CMK, you can create one in the AWS Key Management Service (KMS) console.
5. Review and Apply Changes:
   - Review the other configuration settings to ensure they are correct.
   - Scroll down and click the “Modify cluster” button to apply the encryption settings.
6. Monitor Encryption Progress:
   - Once you have modified the cluster configuration, monitor the cluster status in the Redshift Console.
   - The cluster will be modified to enable encryption with the selected KMS CMK. This process may take some time depending on the size of the cluster.
7. Verify Encryption:
   - After the modification is complete, verify that the Redshift cluster is now encrypted with the selected KMS CMK.
   - You can check the encryption status on the cluster details page under the “Cluster” dropdown menu.
Using CLI
To remediate AWS Redshift clusters that are not encrypted with KMS Customer Master Keys (CMKs), follow these steps using the AWS CLI:
- List the existing Redshift clusters to identify the clusters that are not encrypted with KMS CMKs:
- For each Redshift cluster that is not encrypted with a KMS CMK, modify the cluster to enable encryption with a KMS CMK. Replace `your-cluster-identifier` with the actual identifier of the Redshift cluster:
  - `--encrypted`: Specifies that the cluster should be encrypted.
  - `--kms-key-id`: The Amazon Resource Name (ARN) of the KMS CMK to use for encryption. You can find the ARN of the KMS CMK in the AWS Key Management Service (KMS) console.
- Verify that the encryption status of the Redshift cluster has been updated:
- Ensure that the output is `true`, indicating that the cluster is now encrypted with a KMS CMK.
Using Python
To remediate Redshift clusters that are not encrypted with KMS CMKs in AWS, you can use the AWS SDK for Python (Boto3) to update the cluster configuration. Follow these steps:
1. Install Boto3: If you haven’t already installed the Boto3 library, install it using pip:
2. Configure AWS Credentials: Make sure your AWS credentials are properly configured. You can set them up using the AWS CLI or by setting environment variables.
3. Write a Python script: Create a Python script with the following code to update the Redshift cluster configuration to enable encryption with a KMS CMK:
4. Replace the placeholders:
   - Replace `'your-redshift-cluster-identifier'` with the actual identifier of your Redshift cluster.
   - Replace `'arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id'` with the ARN of the KMS key you want to use for encryption.
   - Replace
5. Run the Python script: Execute the script to update the Redshift cluster configuration for encryption with a KMS CMK:
6. Verify the encryption status: After running the script, verify that the Redshift cluster is now encrypted with the specified KMS CMK by checking the cluster details in the AWS Management Console or using the Boto3 API.
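The CLI verification step above only checks the `Encrypted` flag, and the Python script referred to is not reproduced on this page; the following added example (not the rule's own code) shows the stricter check a practitioner would want, which is that the key is customer managed, together with the boto3 `modify_cluster` call the script would make. Cluster identifiers, key ARNs and key ownership below are constructed samples, and `remediate()` is the live path that requires boto3 and credentials.

```python
# Added example (not the rule's own script): flag Redshift clusters that are
# unencrypted or encrypted only with an AWS managed key, then build the
# modify_cluster call that fixes them. Sample data below is constructed.
from typing import Callable, Dict, List

# Constructed sample of redshift.describe_clusters()["Clusters"].
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics-prod", "Encrypted": False},
    {"ClusterIdentifier": "reporting", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aws-managed-example"},
    {"ClusterIdentifier": "finance", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/cmk-example"},
]
# Constructed sample of kms.describe_key()["KeyMetadata"]["KeyManager"]:
# "AWS" for an AWS managed key (alias/aws/redshift), "CUSTOMER" for a CMK.
SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:123456789012:key/aws-managed-example": "AWS",
    "arn:aws:kms:us-east-1:123456789012:key/cmk-example": "CUSTOMER",
}

def non_compliant_clusters(clusters: List[dict],
                           key_manager_of: Callable[[str], str]) -> List[str]:
    """Identifiers of clusters failing the rule. Encrypted == True alone is
    not enough: the key must be customer managed (KeyManager == "CUSTOMER")."""
    findings = []
    for c in clusters:
        key_arn = c.get("KmsKeyId")
        if (not c.get("Encrypted") or not key_arn
                or key_manager_of(key_arn) != "CUSTOMER"):
            findings.append(c["ClusterIdentifier"])
    return findings

def remediation_params(cluster_id: str, cmk_arn: str) -> Dict[str, object]:
    """kwargs for redshift.modify_cluster(); equivalent to the CLI
    `modify-cluster --encrypted --kms-key-id` described on this page."""
    return {"ClusterIdentifier": cluster_id, "Encrypted": True, "KmsKeyId": cmk_arn}

def remediate(cmk_arn: str, region: str = "us-east-1") -> List[str]:
    """Live run: needs boto3 and credentials; not exercised by the sample below."""
    import boto3  # imported here so the offline sample runs without boto3
    redshift = boto3.client("redshift", region_name=region)
    kms = boto3.client("kms", region_name=region)
    clusters = redshift.describe_clusters()["Clusters"]
    manager = lambda arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
    fixed = non_compliant_clusters(clusters, manager)
    for cid in fixed:  # re-encryption migrates data; expect a long "modifying" state
        redshift.modify_cluster(**remediation_params(cid, cmk_arn))
    return fixed

if __name__ == "__main__":
    print(non_compliant_clusters(SAMPLE_CLUSTERS, SAMPLE_KEY_MANAGER.get))
```

Clusters listed by `non_compliant_clusters` include those that the CLI check would report as `Encrypted: true` but that still rely on the AWS managed key.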