encryption-customer-key
Default Severity: high
Explanation
Redshift clusters that contain sensitive data or are subject to regulation should be encrypted at rest to prevent data leakage should the infrastructure be compromised.
Possible Impact
Data may be leaked if infrastructure is compromised
Suggested Resolution
Enable encryption at rest using a customer-managed KMS key (CMK): set encrypted = true and point kms_key_id at the key.
Insecure Example
The following example will fail the aws-redshift-encryption-customer-key check.
resource "aws_redshift_cluster" "bad_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
}
Secure Example
The following example will pass the aws-redshift-encryption-customer-key check.
resource "aws_kms_key" "redshift" {
  enable_key_rotation = true
}

resource "aws_redshift_cluster" "good_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  encrypted          = true
  kms_key_id         = aws_kms_key.redshift.key_id
}
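The following is an added example, not part of the tfsec/Trivy rule documentation or the project's own checker: a small Python script that approximates the aws-redshift-encryption-customer-key logic over the kind of flat Terraform resource blocks shown above. It assumes the rule passes a cluster only when `encrypted = true` and `kms_key_id` is set, and additionally verifies that a `kms_key_id` referencing `aws_kms_key.<name>` resolves to a key declared in the same configuration. The regex-based parser handles only flat blocks (no nested blocks), and the Terraform sample inside it is constructed for the demonstration.

```python
import re

# Constructed sample Terraform (not from a real deployment): one KMS key and four
# Redshift clusters covering the cases the check distinguishes.
SAMPLE_TF = '''
resource "aws_kms_key" "redshift" {
  enable_key_rotation = true
}

resource "aws_redshift_cluster" "bad_example" {
  cluster_identifier = "tf-redshift-cluster"
  node_type          = "dc1.large"
}

resource "aws_redshift_cluster" "default_key" {
  cluster_identifier = "tf-redshift-cluster-2"
  node_type          = "dc1.large"
  encrypted          = true
}

resource "aws_redshift_cluster" "good_example" {
  cluster_identifier = "tf-redshift-cluster-3"
  node_type          = "dc1.large"
  encrypted          = true
  kms_key_id         = aws_kms_key.redshift.key_id
}

resource "aws_redshift_cluster" "dangling_ref" {
  cluster_identifier = "tf-redshift-cluster-4"
  node_type          = "dc1.large"
  encrypted          = true
  kms_key_id         = aws_kms_key.missing.key_id
}
'''

# Flat resource blocks only: `resource "type" "name" { attr = value ... }` with no
# nested blocks. Sufficient for the examples on this page; not a full HCL parser.
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$', re.M)


def parse_resources(hcl):
    """Return {(type, name): {attribute: raw_value}} for every flat resource block."""
    resources = {}
    for rtype, name, body in RESOURCE_RE.findall(hcl):
        resources[(rtype, name)] = dict(ATTR_RE.findall(body))
    return resources


def check_redshift_cmk(hcl):
    """Approximation (assumed, not the project's code) of aws-redshift-encryption-customer-key.

    A cluster passes only if `encrypted = true` AND `kms_key_id` is set; a
    `kms_key_id` that references an aws_kms_key must resolve to a declared key.
    Returns a list of (cluster_name, reason) findings in declaration order.
    """
    resources = parse_resources(hcl)
    findings = []
    for (rtype, name), attrs in resources.items():
        if rtype != "aws_redshift_cluster":
            continue
        encrypted = attrs.get("encrypted", "false").strip('"').lower()
        if encrypted != "true":
            findings.append((name, "cluster is not encrypted at rest"))
            continue
        key = attrs.get("kms_key_id", "").strip('"')
        if not key:
            # encrypted = true alone means the AWS-managed Redshift key, not a CMK
            findings.append((name, "encrypted with the AWS-managed key; no customer-managed KMS key set"))
            continue
        if key.startswith("aws_kms_key."):
            ref_name = key.split(".")[1]
            if ("aws_kms_key", ref_name) not in resources:
                findings.append((name, f"kms_key_id references undeclared key {ref_name}"))
    return findings


if __name__ == "__main__":
    for cluster, reason in check_redshift_cmk(SAMPLE_TF):
        print(f"FAIL aws_redshift_cluster.{cluster}: {reason}")
```

Running the script reports bad_example (no encryption), default_key (encrypted, but with the AWS-managed key only) and dangling_ref (key reference does not resolve); good_example is the only cluster that passes. A literal ARN in kms_key_id is accepted as-is, since the script cannot verify keys that live outside the configuration.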