More Info:

Redshift clusters should be encrypted with KMS customer master keys (CMKs) in order to have full control over data encryption and decryption.

Risk Level

High

Address

Security

Compliance Standards

NIST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Redshift clusters not being encrypted with KMS Customer Managed Keys (CMKs) in AWS, follow these steps using the AWS Management Console:
  1. Navigate to the Amazon Redshift Console:
    • Go to the AWS Management Console (https://console.aws.amazon.com/).
    • In the “Find Services” search bar, type “Redshift” and click on “Amazon Redshift” to open the Redshift Console.
  2. Select the Redshift Cluster:
    • In the Redshift Console, select the Redshift cluster that you want to encrypt with KMS CMKs by clicking on the cluster identifier.
  3. Enable Encryption:
    • In the cluster details page, click on the “Cluster” dropdown menu and select “Modify”.
  4. Enable Encryption with KMS CMKs:
    • In the “Cluster configuration” section, find the “Encryption” option.
    • Select the option to enable encryption.
    • Choose “KMS” as the encryption type.
    • Select the desired KMS Customer Managed Key (CMK) from the dropdown menu. If you don’t have a CMK, you can create one in the AWS Key Management Service (KMS) console.
  5. Review and Apply Changes:
    • Review the other configuration settings to ensure they are correct.
    • Scroll down and click on the “Modify cluster” button to apply the encryption settings.
  6. Monitor Encryption Progress:
    • Once you have modified the cluster configuration, monitor the cluster status in the Redshift Console.
    • The cluster will undergo modifications to enable encryption with the selected KMS CMK. This process may take some time depending on the size of the cluster.
  7. Verify Encryption:
    • After the modification is complete, verify that the Redshift cluster is now encrypted with the selected KMS CMK.
    • You can check the encryption status in the cluster details page under the “Cluster” dropdown menu.
By following these steps, you can remediate the misconfiguration of Redshift clusters not being encrypted with KMS CMKs in AWS using the AWS Management Console.

To remediate the misconfiguration of AWS Redshift clusters not being encrypted with KMS Customer Master Keys (CMKs), you can follow these steps using the AWS CLI:
  1. List the existing Redshift clusters to identify the clusters that are not encrypted with KMS CMKs:
aws redshift describe-clusters
  1. For each Redshift cluster that is not encrypted with a KMS CMK, modify the cluster to enable encryption with a KMS CMK. Replace your-cluster-identifier with the actual identifier of the Redshift cluster:
aws redshift modify-cluster --cluster-identifier your-cluster-identifier --encrypted --kms-key-id your-kms-key-id
  • --encrypted: Specifies that the cluster should be encrypted.
  • --kms-key-id: The Amazon Resource Name (ARN) of the KMS CMK to use for encryption. You can find the ARN of the KMS CMK in the AWS Key Management Service (KMS) console.
  1. Verify that the encryption status of the Redshift cluster has been updated:
aws redshift describe-clusters --cluster-identifier your-cluster-identifier --query "Clusters[0].Encrypted"
  • Ensure that the output is true, indicating that the cluster is now encrypted with a KMS CMK.
By following these steps, you can remediate the misconfiguration of AWS Redshift clusters not being encrypted with KMS CMKs using the AWS CLI.
To remediate the misconfiguration of Redshift clusters not being encrypted with KMS CMKs in AWS, you can use the AWS SDK for Python (Boto3) to update the cluster configuration. Here are the step-by-step instructions to remediate this issue:
  1. Install Boto3: If you haven’t already installed the Boto3 library, you can install it using pip: 
    pip install boto3
  2. Configure AWS Credentials: Make sure your AWS credentials are properly configured. You can set up your AWS credentials using the AWS CLI or by setting environment variables.
  3. Write a Python script: Create a Python script with the following code to update the Redshift cluster configuration to enable encryption with a KMS CMK: 
    import boto3

# Initialize the Redshift client
redshift_client = boto3.client('redshift')

# Specify the Redshift cluster identifier
cluster_identifier = 'your-redshift-cluster-identifier'

# Specify the KMS key ARN for encryption
kms_key_arn = 'arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id'

# Update the Redshift cluster to enable encryption with the specified KMS key
response = redshift_client.modify_cluster(
    ClusterIdentifier=cluster_identifier,
    Encrypted=True,
    KmsKeyId=kms_key_arn
)

print("Redshift cluster encryption updated successfully")
  4. Replace the placeholders:
    • Replace 'your-redshift-cluster-identifier' with the actual identifier of your Redshift cluster.
    • Replace 'arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id' with the ARN of the KMS key you want to use for encryption.
  5. Run the Python script: Execute the Python script to update the Redshift cluster configuration for encryption with a KMS CMK: 
    python remediate_redshift_encryption.py
  6. Verify the encryption status: After running the script, verify that the Redshift cluster is now encrypted with the specified KMS CMK by checking the cluster details in the AWS Management Console or using the Boto3 API.
By following these steps, you can remediate the misconfiguration of Redshift clusters not being encrypted with KMS CMKs in AWS using Python and Boto3.

Additional Reading: