Redshift Not Encrypted
- Query id: 3b316b05-564c-44a7-9c3f-405bb95e211e
- Query name: Redshift Not Encrypted
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: Ongoing
- URL: Github
Description¶
AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Redshift Stack
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
ClusterType: !If [ SingleNode, single-node, multi-node ]
NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #'
DBName: !Sub ${DatabaseName}
IamRoles:
- !GetAtt RawDataBucketAccessRole.Arn
MasterUserPassword: !Ref MasterUserPassword
MasterUsername: !Ref MasterUsername
PubliclyAccessible: true
NodeType: dc1.large
Port: 5439
VpcSecurityGroupIds:
- !Sub ${RedshiftSecurityGroup}
PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
DataBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub ${DataBucketName}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-11
Description: Redshift Stack2
Resources:
RedshiftCluster2:
Type: AWS::Redshift::Cluster
Properties:
ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
ClusterType: !If [ SingleNode, single-node, multi-node ]
NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #'
DBName: !Sub ${DatabaseName}
IamRoles:
- !GetAtt RawDataBucketAccessRole.Arn
MasterUserPassword: !Ref MasterUserPassword
MasterUsername: !Ref MasterUsername
PubliclyAccessible: true
NodeType: dc1.large
Port: 5439
VpcSecurityGroupIds:
- !Sub ${RedshiftSecurityGroup}
PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
Encrypted: false
DataBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub ${DataBucketName}
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Redshift Stack",
"Resources": {
"RedshiftCluster": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"IamRoles": [
"RawDataBucketAccessRole.Arn"
],
"MasterUserPassword": "MasterUserPassword",
"PubliclyAccessible": true,
"NodeType": "dc1.large",
"VpcSecurityGroupIds": [
"${RedshiftSecurityGroup}"
],
"PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
"ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
"ClusterType": [
"SingleNode",
"single-node",
"multi-node"
],
"NumberOfNodes": [
"SingleNode",
"AWS::NoValue",
"RedshiftNodeCount"
],
"DBName": "${DatabaseName}",
"MasterUsername": "MasterUsername",
"Port": 5439
}
},
"DataBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "${DataBucketName}"
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-11T00:00:00Z",
"Description": "Redshift Stack2",
"Resources": {
"RedshiftCluster2": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"MasterUserPassword": "MasterUserPassword",
"PubliclyAccessible": true,
"NodeType": "dc1.large",
"Port": 5439,
"VpcSecurityGroupIds": [
"${RedshiftSecurityGroup}"
],
"PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
"ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
"ClusterType": [
"SingleNode",
"single-node",
"multi-node"
],
"NumberOfNodes": [
"SingleNode",
"AWS::NoValue",
"RedshiftNodeCount"
],
"DBName": "${DatabaseName}",
"IamRoles": [
"RawDataBucketAccessRole.Arn"
],
"MasterUsername": "MasterUsername",
"Encrypted": false
}
},
"DataBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "${DataBucketName}"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-11
Description: Redshift Stack2
Resources:
RedshiftCluster2:
Type: AWS::Redshift::Cluster
Properties:
ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
ClusterType: !If [ SingleNode, single-node, multi-node ]
NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #'
DBName: !Sub ${DatabaseName}
IamRoles:
- !GetAtt RawDataBucketAccessRole.Arn
MasterUserPassword: !Ref MasterUserPassword
MasterUsername: !Ref MasterUsername
PubliclyAccessible: true
NodeType: dc1.large
Port: 5439
VpcSecurityGroupIds:
- !Sub ${RedshiftSecurityGroup}
PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
Encrypted: true
DataBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub ${DataBucketName}
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-11T00:00:00Z",
"Description": "Redshift Stack2",
"Resources": {
"RedshiftCluster2": {
"Properties": {
"ClusterType": [
"SingleNode",
"single-node",
"multi-node"
],
"NumberOfNodes": [
"SingleNode",
"AWS::NoValue",
"RedshiftNodeCount"
],
"DBName": "${DatabaseName}",
"IamRoles": [
"RawDataBucketAccessRole.Arn"
],
"NodeType": "dc1.large",
"PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
"Encrypted": true,
"ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
"MasterUsername": "MasterUsername",
"PubliclyAccessible": true,
"Port": 5439,
"VpcSecurityGroupIds": [
"${RedshiftSecurityGroup}"
],
"MasterUserPassword": "MasterUserPassword"
},
"Type": "AWS::Redshift::Cluster"
},
"DataBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "${DataBucketName}"
}
}
}
}