Ensure KMS customer managed key (CMK) for encryption of AWS Redshift clusters

HIGH

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a key rotation period specific to the workload. With AWS-managed (system-generated) keys, administrators cannot control rotation or revocation, so an expired or exposed key can remain in use and leave data insecure. It is generally recommended to use a customer managed key wherever the service supports one.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Redshift Console.
  2. On the navigation bar, select Clusters, then choose the cluster you wish to edit.
  3. Select Properties.
  4. Under Database configurations, choose Edit, then Edit encryption.
  5. Configure using a valid KMS key.

In Terraform -

  1. In the aws_redshift_cluster resource, set kms_key_id to a valid AWS KMS key ARN.
  2. Set the encrypted field to true.
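
The following is an added example, not part of the original policy text or the scanner's own implementation: a small Python check that evaluates this rule against the JSON output of `terraform show -json` (the `planned_values` structure), flagging any `aws_redshift_cluster` whose `encrypted` is not true or whose `kms_key_id` is unset (in which case Redshift falls back to the AWS-managed key). The plan document embedded below is constructed for illustration; the key ARN in it is a placeholder.

```python
"""Flag Redshift clusters in a Terraform plan that are not encrypted with a KMS CMK."""
import json

# Constructed sample of `terraform show -json` output: one compliant cluster,
# one encrypted with the AWS-managed key (kms_key_id null), one unencrypted.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_redshift_cluster.good", "type": "aws_redshift_cluster",
             "values": {"cluster_identifier": "good", "encrypted": True,
                        "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}},
            {"address": "aws_redshift_cluster.default_key", "type": "aws_redshift_cluster",
             "values": {"cluster_identifier": "default-key", "encrypted": True,
                        "kms_key_id": None}},
        ],
        "child_modules": [{"address": "module.analytics", "resources": [
            {"address": "module.analytics.aws_redshift_cluster.plain",
             "type": "aws_redshift_cluster",
             "values": {"cluster_identifier": "plain", "encrypted": False}},
        ]}],
    }}
})


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_redshift_cmk(plan_json):
    """Return (address, reason) findings for aws_redshift_cluster resources that
    violate the rule: `encrypted` must be true and `kms_key_id` must be set."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_redshift_cluster":
            continue
        values = res.get("values", {})
        if not values.get("encrypted"):
            findings.append((res["address"], "encrypted is not true"))
        elif not values.get("kms_key_id"):
            findings.append((res["address"], "kms_key_id not set; AWS-managed key would be used"))
    return findings


if __name__ == "__main__":
    for address, reason in check_redshift_cmk(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

Note that a `kms_key_id` referencing a key created in the same plan is unknown until apply and is omitted from `values`; such a cluster should be re-checked against the post-apply state rather than treated as a finding.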

References:
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#kms_key_id

Policy Details

Rule Reference ID: AC_AWS_0197
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: Redshift

Frameworks