
Ensure Redshift Cluster Is Encrypted at Rest With KMS

Description

Ensures that Redshift clusters have encryption at rest enabled. Amazon Redshift offers encryption of data at rest, a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys, and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption.

If enabled, the feature encrypts the following aspects of the cluster and its snapshots:

  • Data blocks
  • System metadata

Rationale

Encrypting storage at rest is critical because it prevents an adversary who acquires physical access to the underlying storage media from reading your data. Once enabled, the cluster's data blocks and metadata are always stored encrypted, so even if physical access is obtained the data and metadata remain protected. Encryption and decryption are handled transparently by Redshift when encryption at rest is enabled.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                     Value
secureclouddb/provider  aws
secureclouddb/service   redshift

Default Rule

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the cluster is encrypted
 *   at rest and its keys are managed by KMS or an active HSM
 */
function validate(databaseSettings) {
    // Encryption at rest must be enabled on the cluster
    const encrypted = Boolean(databaseSettings.awsDatabaseInstance &&
                    databaseSettings.awsDatabaseInstance.redshiftCluster &&
                    databaseSettings.awsDatabaseInstance.redshiftCluster.encrypted)

    // A KMS key id on the cluster indicates KMS-managed encryption keys
    const hasKmsKey = Boolean(databaseSettings.awsDatabaseInstance &&
               databaseSettings.awsDatabaseInstance.redshiftCluster &&
               databaseSettings.awsDatabaseInstance.redshiftCluster.kmsKeyId)

    // An active HSM status indicates keys managed by a hardware security module
    const hasHsmKey = Boolean(databaseSettings.awsDatabaseInstance &&
               databaseSettings.awsDatabaseInstance.redshiftCluster &&
               databaseSettings.awsDatabaseInstance.redshiftCluster.hsmStatus &&
               databaseSettings.awsDatabaseInstance.redshiftCluster.hsmStatus.status === "HSM_STATUS_ACTIVE")

    const success = encrypted && (hasKmsKey || hasHsmKey)
    return {
        success,
    }
}

// invoke: databaseSettings is supplied by the rule engine at evaluation time
validate(databaseSettings);
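To show how the rule behaves across the cases it distinguishes, the following added example (not SecureCloudDB's own code) applies the same checks to a constructed inventory of cluster settings and reports why each non-compliant cluster fails. The settings shape mirrors the databaseSettings object above; the clusterIdentifier field, the sample values and the non-active HSM status string are assumptions.

```javascript
// Added example, not part of the original rule: same checks as the page's
// validate(), extended to explain the failure reason for each cluster.
function checkRedshiftEncryption(databaseSettings) {
    const cluster = databaseSettings.awsDatabaseInstance &&
                    databaseSettings.awsDatabaseInstance.redshiftCluster;
    if (!cluster) {
        return { success: false, reason: 'no Redshift cluster settings present' };
    }
    if (cluster.encrypted !== true) {
        return { success: false, reason: 'encryption at rest is disabled' };
    }
    const hasKmsKey = Boolean(cluster.kmsKeyId);
    const hasHsmKey = Boolean(cluster.hsmStatus) &&
                      cluster.hsmStatus.status === 'HSM_STATUS_ACTIVE';
    if (!hasKmsKey && !hasHsmKey) {
        return { success: false, reason: 'encrypted but no KMS key id or active HSM' };
    }
    return { success: true, reason: hasKmsKey ? 'KMS-managed key' : 'HSM-managed key' };
}

// Evaluate a batch of settings objects and keep only the failing clusters.
function findNonCompliant(settingsList) {
    return settingsList
        .map((s) => ({ id: s.clusterIdentifier, ...checkRedshiftEncryption(s) }))
        .filter((r) => !r.success);
}

// Constructed sample inventory (assumed field names, not real clusters).
const sampleSettings = [
    { clusterIdentifier: 'analytics-prod',
      awsDatabaseInstance: { redshiftCluster: { encrypted: true,
        kmsKeyId: 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID' } } },
    { clusterIdentifier: 'reporting-hsm',
      awsDatabaseInstance: { redshiftCluster: { encrypted: true,
        hsmStatus: { status: 'HSM_STATUS_ACTIVE' } } } },
    { clusterIdentifier: 'legacy-dev',
      awsDatabaseInstance: { redshiftCluster: { encrypted: false } } },
    { clusterIdentifier: 'hsm-pending',          // placeholder non-active status
      awsDatabaseInstance: { redshiftCluster: { encrypted: true,
        hsmStatus: { status: 'HSM_STATUS_NOT_ACTIVE_PLACEHOLDER' } } } },
    { clusterIdentifier: 'no-cluster-data', awsDatabaseInstance: {} },
];

const findings = findNonCompliant(sampleSettings);
findings.forEach((f) => console.log(`${f.id}: ${f.reason}`));
```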