
encryption-customer-key

Default Severity: high

Explanation

Redshift clusters that contain sensitive data or are subject to regulation should be encrypted at rest with a customer-managed KMS key (CMK). Setting `encrypted = true` on its own encrypts the cluster under the AWS-managed key for Redshift; supplying `kms_key_id` as well puts the data under a key whose policy, rotation and revocation you control, so that if the underlying storage or a snapshot is obtained by an attacker the data stays unreadable without access to that key.

Possible Impact

Cluster storage and snapshots may be readable by an attacker if the underlying infrastructure is compromised, and encryption under the AWS-managed key does not give you a key policy or revocation you control.

Suggested Resolution

Set `encrypted = true` and point `kms_key_id` at a customer-managed KMS key (CMK), ideally one with automatic key rotation enabled.

Insecure Example

The following example will fail the aws-redshift-encryption-customer-key check.

 resource "aws_redshift_cluster" "bad_example" {
   cluster_identifier = "tf-redshift-cluster"
   database_name      = "mydb"
   master_username    = "foo"
   master_password    = "Mustbe8characters" # placeholder for the example; never hard-code a real password
   node_type          = "dc1.large"
   cluster_type       = "single-node"
   # Neither `encrypted` nor `kms_key_id` is set: the check flags this cluster
   # because nothing here requests encryption at rest under a customer-managed key.
 }

Secure Example

The following example will pass the aws-redshift-encryption-customer-key check.

 resource "aws_kms_key" "redshift" {
    enable_key_rotation = true # automatic rotation of the key material
 }

 resource "aws_redshift_cluster" "good_example" {
   cluster_identifier = "tf-redshift-cluster"
   database_name      = "mydb"
   master_username    = "foo"
   master_password    = "Mustbe8characters" # placeholder for the example; never hard-code a real password
   node_type          = "dc1.large"
   cluster_type       = "single-node"
   encrypted          = true                        # encrypt cluster storage at rest
   kms_key_id         = aws_kms_key.redshift.key_id # use the CMK above rather than the AWS-managed aws/redshift key
   # The provider documents kms_key_id as the key ARN (aws_kms_key.redshift.arn
   # also works); the check only requires that the argument be set.
 }
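The same logic, written here as an added example rather than tfsec/trivy's own implementation, can be run offline against the JSON that `terraform show -json tfplan` produces. It reads Terraform's documented `configuration` representation (each argument is an expression carrying either a `constant_value` or a list of `references`), which is what lets a plan-time check accept a `kms_key_id` that points at a key created in the same plan, as in the secure example above. The plan document embedded below is constructed for this example and is not real Terraform output; the resource names (`bad_example`, `good_example`, `default_key`, the `warehouse` module) are illustrative.

```python
"""Offline re-implementation of the aws-redshift-encryption-customer-key check
over `terraform show -json tfplan` output (added example, not tfsec/trivy code).
Assumes Terraform's JSON configuration representation: resources under
configuration.root_module.resources, arguments under "expressions" with either
"constant_value" or "references", and child modules under "module_calls"."""
import json

RESOURCE_TYPE = "aws_redshift_cluster"


def _is_set(expr):
    """True if an argument has a non-empty literal value or references another
    object (for example aws_kms_key.redshift.key_id or var.kms_key_arn)."""
    if not expr:
        return False
    if expr.get("references"):
        return True
    return expr.get("constant_value") not in (None, "", False)


def evaluate_cluster(expressions):
    """Return (status, reason) for one aws_redshift_cluster's expressions."""
    encrypted = expressions.get("encrypted") or {}
    if "references" in encrypted:
        # Value comes from a variable or another object: not decidable at config level.
        return "WARN", "encrypted is set from a reference; verify it resolves to true"
    if encrypted.get("constant_value") is not True:
        return "FAIL", "encrypted is not true: cluster storage is unencrypted"
    if not _is_set(expressions.get("kms_key_id")):
        # encrypted = true without a key means the AWS-managed aws/redshift key.
        return "FAIL", "encrypted without kms_key_id: AWS-managed key, not a CMK"
    return "PASS", "encrypted at rest under a customer-managed KMS key"


def _walk(module, prefix=""):
    """Yield (address, expressions) for every Redshift cluster, recursing into
    module calls and prefixing addresses the way Terraform does (module.<name>.)."""
    for res in module.get("resources", []):
        if res.get("type") == RESOURCE_TYPE and res.get("mode", "managed") == "managed":
            yield prefix + res["address"], res.get("expressions", {})
    for name, call in module.get("module_calls", {}).items():
        yield from _walk(call.get("module", {}), f"{prefix}module.{name}.")


def check_plan(plan_json):
    """Map every aws_redshift_cluster address in the plan to its (status, reason)."""
    plan = json.loads(plan_json)
    root = plan.get("configuration", {}).get("root_module", {})
    return {addr: evaluate_cluster(exprs) for addr, exprs in _walk(root)}


# Constructed sample plan (not real `terraform show -json` output): one cluster
# per case the check has to distinguish.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "configuration": {"root_module": {
        "resources": [
            {"address": "aws_redshift_cluster.bad_example",
             "mode": "managed", "type": "aws_redshift_cluster",
             "expressions": {"cluster_identifier": {"constant_value": "tf-redshift-cluster"},
                             "node_type": {"constant_value": "dc1.large"}}},
            {"address": "aws_redshift_cluster.good_example",
             "mode": "managed", "type": "aws_redshift_cluster",
             "expressions": {"encrypted": {"constant_value": True},
                             "kms_key_id": {"references": ["aws_kms_key.redshift.key_id",
                                                           "aws_kms_key.redshift"]}}},
            {"address": "aws_redshift_cluster.default_key",
             "mode": "managed", "type": "aws_redshift_cluster",
             "expressions": {"encrypted": {"constant_value": True}}},
        ],
        "module_calls": {"warehouse": {"source": "./modules/warehouse", "module": {
            "resources": [{"address": "aws_redshift_cluster.this",
                           "mode": "managed", "type": "aws_redshift_cluster",
                           "expressions": {"encrypted": {"references": ["var.encrypt"]},
                                           "kms_key_id": {"references": ["var.kms_key_arn"]}}}]}}},
    }},
})

if __name__ == "__main__":
    for address, (status, reason) in check_plan(SAMPLE_PLAN).items():
        print(f"{status:4} {address}: {reason}")
```

Replace `SAMPLE_PLAN` with `sys.stdin.read()` to run it on `terraform show -json tfplan`. The `default_key` case is the one worth remembering: `encrypted = true` alone passes a plain "is it encrypted" check but still fails this one, because the data sits under the AWS-managed key. For clusters that already exist, the equivalent inventory is `aws redshift describe-clusters --query 'Clusters[].[ClusterIdentifier,Encrypted,KmsKeyId]' --output table`, where an empty `KmsKeyId` on an encrypted cluster means the AWS-managed key is in use.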