AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Redshift Automated Snapshots Should Have Retention Period Enabled
More Info:
The automated snapshot retention period set for your AWS Redshift clusters should be a positive number, meaning that automated backups are enabled for the clusters.
Risk Level
Low
Address
Security
Compliance Standards
SOC2, HIPAA, GDPR, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of Redshift Automated Snapshots not having retention period enabled in AWS, follow these steps using the AWS Management Console:
-
Login to AWS Console: Go to the AWS Management Console and log in with your credentials.
-
Navigate to Amazon Redshift: Click on the “Services” dropdown menu at the top of the page, and then select “Redshift” under the Analytics section.
-
Select your Redshift Cluster: From the Redshift dashboard, select the Redshift cluster for which you want to enable the retention period for automated snapshots.
-
Modify Cluster: In the cluster details page, click on the cluster identifier link to go to the cluster details.
-
Configure Automated Snapshots: In the cluster details page, scroll down to the “Cluster snapshots” section and click on the “Modify” button.
-
Enable Retention Period: In the Modify cluster snapshot settings page, locate the “Automated snapshots” section. Here, you will find the option to set the retention period for automated snapshots.
-
Set Retention Period: Check the box next to “Enable” to enable automated snapshots and set a retention period using the dropdown menu. You can choose a retention period between 1 to 35 days.
-
Save Changes: Once you have set the retention period, scroll down to the bottom of the page and click on the “Modify cluster” button to save the changes.
-
Verify Configuration: After saving the changes, AWS Redshift will start taking automated snapshots with the configured retention period.
By following these steps, you have successfully remediated the misconfiguration of Redshift Automated Snapshots not having retention period enabled in AWS.
To remediate the misconfiguration of Redshift Automated Snapshots not having retention period enabled in AWS, you can follow these steps using AWS CLI:
- List the existing automated snapshots for your Redshift cluster to identify the snapshot identifier that needs to be updated:
aws redshift describe-cluster-snapshots --cluster-identifier YOUR_CLUSTER_IDENTIFIER
- Modify the retention period for the identified automated snapshot using the following command. Replace
YOUR_SNAPSHOT_IDENTIFIERwith the actual snapshot identifier and set the--retention-periodvalue to the desired number of days:
aws redshift modify-cluster-snapshot --snapshot-identifier YOUR_SNAPSHOT_IDENTIFIER --retention-period YOUR_RETENTION_PERIOD
- Verify the modification by describing the snapshot attributes again:
aws redshift describe-cluster-snapshots --cluster-identifier YOUR_CLUSTER_IDENTIFIER
- Repeat steps 1-3 for all other automated snapshots that do not have the retention period enabled.
By following these steps, you can remediate the misconfiguration of Redshift Automated Snapshots not having retention period enabled in AWS using AWS CLI.
To remediate the misconfiguration of Redshift Automated Snapshots not having retention period enabled in AWS, you can use the AWS SDK for Python (Boto3) to update the cluster snapshot schedule. Here are the step-by-step instructions to remediate this issue:
-
Install Boto3: If you haven’t already installed the Boto3 library, you can do so using pip:
pip install boto3 -
Create a Python script to enable the retention period for Redshift Automated Snapshots. You can use the following code snippet as a template:
import boto3
def enable_snapshot_retention(redshift_cluster_identifier, retention_period):
client = boto3.client('redshift')
response = client.modify_cluster_snapshot_schedule(
ClusterIdentifier=redshift_cluster_identifier,
ScheduleIdentifier='default',
DisassociateSchedule=True
)
response = client.create_snapshot_schedule(
ScheduleDefinitions=[
'rate(1 day)',
],
ScheduleIdentifier='default',
ScheduleDescription='Default snapshot schedule',
Tags=[
{
'Key': 'Name',
'Value': 'DefaultSchedule'
},
],
ClusterIdentifier=redshift_cluster_identifier,
AssociatedClusterCount=1,
AssociatedClusters=[
{
'ClusterIdentifier': redshift_cluster_identifier
},
],
Enable=True,
RetentionPeriod=retention_period
)
print(f"Snapshot retention period enabled for Redshift cluster {redshift_cluster_identifier}")
# Replace 'your-redshift-cluster-id' with your Redshift cluster identifier
redshift_cluster_identifier = 'your-redshift-cluster-id'
# Set the desired snapshot retention period in days
retention_period = 7
enable_snapshot_retention(redshift_cluster_identifier, retention_period)
-
Update the script with your Redshift cluster identifier and the desired snapshot retention period in days.
-
Run the Python script:
python enable_redshift_snapshot_retention.py -
Verify that the retention period is enabled for Redshift Automated Snapshots by checking the Redshift console or using the following AWS CLI command:
aws redshift describe-cluster-snapshot-schedules --cluster-identifier your-redshift-cluster-id
By following these steps, you can remediate the misconfiguration of Redshift Automated Snapshots not having retention period enabled in AWS Redshift using Python and Boto3.