## Redshift Cluster Without KMS CMK
- Query id: de76a0d6-66d5-45c9-9022-f05545b85c78
- Query name: Redshift Cluster Without KMS CMK
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: Ongoing
- URL: Github
### Description
An AWS Redshift cluster should define a KMS CMK through its `KmsKeyId` property, so that the data it stores is encrypted at rest with a customer managed key.
Documentation
### Code samples
#### Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Redshift Stack
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
      ClusterType: !If [ SingleNode, single-node, multi-node ]
      NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #'
      DBName: !Sub ${DatabaseName}
      IamRoles:
        - !GetAtt RawDataBucketAccessRole.Arn
      MasterUserPassword: !Ref MasterUserPassword
      MasterUsername: !Ref MasterUsername
      PubliclyAccessible: true
      NodeType: dc1.large
      Port: 5439
      VpcSecurityGroupIds:
        - !Sub ${RedshiftSecurityGroup}
      PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${DataBucketName}
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "Redshift Stack",
  "Resources": {
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "${DataBucketName}"
      }
    },
    "RedshiftCluster": {
      "Properties": {
        "NodeType": "dc1.large",
        "Port": 5439,
        "VpcSecurityGroupIds": [
          "${RedshiftSecurityGroup}"
        ],
        "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup",
        "ClusterType": [
          "SingleNode",
          "single-node",
          "multi-node"
        ],
        "MasterUserPassword": "MasterUserPassword",
        "MasterUsername": "MasterUsername",
        "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
        "NumberOfNodes": [
          "SingleNode",
          "AWS::NoValue",
          "RedshiftNodeCount"
        ],
        "DBName": "${DatabaseName}",
        "IamRoles": [
          "RawDataBucketAccessRole.Arn"
        ],
        "PubliclyAccessible": true
      },
      "Type": "AWS::Redshift::Cluster"
    }
  }
}
```
#### Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Redshift Stack
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
      ClusterType: !If [ SingleNode, single-node, multi-node ]
      NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #'
      DBName: !Sub ${DatabaseName}
      IamRoles:
        - !GetAtt RawDataBucketAccessRole.Arn
      MasterUserPassword: !Ref MasterUserPassword
      MasterUsername: !Ref MasterUsername
      PubliclyAccessible: true
      NodeType: dc1.large
      Port: 5439
      VpcSecurityGroupIds:
        - !Sub ${RedshiftSecurityGroup}
      PreferredMaintenanceWindow: Sun:09:15-Sun:09:45
      KmsKeyId: wewewewewefsa
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${DataBucketName}
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "Redshift Stack",
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "IamRoles": [
          "RawDataBucketAccessRole.Arn"
        ],
        "PubliclyAccessible": true,
        "NodeType": "dc1.large",
        "Port": 5439,
        "VpcSecurityGroupIds": [
          "${RedshiftSecurityGroup}"
        ],
        "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45",
        "ClusterType": [
          "SingleNode",
          "single-node",
          "multi-node"
        ],
        "NumberOfNodes": [
          "SingleNode",
          "AWS::NoValue",
          "RedshiftNodeCount"
        ],
        "DBName": "${DatabaseName}",
        "MasterUserPassword": "MasterUserPassword",
        "MasterUsername": "MasterUsername",
        "KmsKeyId": "wewewewewefsa",
        "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup"
      }
    },
    "DataBucket": {
      "Properties": {
        "BucketName": "${DataBucketName}"
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}
```
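As an added example, not code from the KICS project or its Rego query: a small Python scanner that applies this page's rule (an `AWS::Redshift::Cluster` must define `KmsKeyId`) to CloudFormation templates in JSON form. The two embedded templates are constructed, abbreviated copies of the JSON samples above; the function names, and the decision to treat a blank string as undefined while accepting an intrinsic-function value such as `{"Ref": ...}`, are this example's own choices rather than the query's documented behaviour.

```python
"""Added example: flag AWS::Redshift::Cluster resources with no KmsKeyId."""
import json

# Constructed inputs (abbreviated from the page's JSON samples).
# POSITIVE omits KmsKeyId and should be reported; NEGATIVE sets it.
POSITIVE_TEMPLATE = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "${DataBucketName}"}
    },
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "NodeType": "dc1.large",
        "Port": 5439,
        "MasterUsername": "MasterUsername",
        "PubliclyAccessible": true
      }
    }
  }
}
'''

NEGATIVE_TEMPLATE = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "NodeType": "dc1.large",
        "Port": 5439,
        "MasterUsername": "MasterUsername",
        "KmsKeyId": "wewewewewefsa"
      }
    }
  }
}
'''


def _kms_key_defined(properties):
    """True when KmsKeyId is present and is not a blank string.

    Intrinsic functions (e.g. {"Ref": "MyKey"} or {"Fn::GetAtt": [...]})
    arrive as dicts after JSON parsing and are accepted as defined keys.
    """
    value = properties.get("KmsKeyId")
    if value is None:
        return False
    if isinstance(value, str):
        return bool(value.strip())
    return True


def find_clusters_without_cmk(template):
    """Return the logical IDs of Redshift clusters that define no KmsKeyId.

    A cluster with no Properties block at all is reported as well, since it
    cannot carry a key.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        properties = resource.get("Properties") or {}
        if not _kms_key_defined(properties):
            findings.append(logical_id)
    return sorted(findings)


def scan_json_template(text):
    """Parse a JSON CloudFormation template and run the check over it."""
    return find_clusters_without_cmk(json.loads(text))


if __name__ == "__main__":
    for label, template in (("positive", POSITIVE_TEMPLATE),
                            ("negative", NEGATIVE_TEMPLATE)):
        print(label, scan_json_template(template))
```

Running the module prints `positive ['RedshiftCluster']` and `negative []`, matching how the page classifies its two JSON samples. YAML templates with `!Ref`/`!Sub` tags need a loader that understands those tags before the same `find_clusters_without_cmk` function can be applied to them.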