
Non-encrypted confidential information - Redshift Cluster

Need

Encryption of confidential information in AWS Redshift Cluster

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws_redshift_cluster for managing and interacting with Amazon Redshift clusters

Description

Non compliant code

resource "aws_redshift_cluster" "default" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
}

This Terraform code block creates an Amazon Redshift cluster without encryption. The aws_redshift_cluster resource block defines the properties of the cluster: cluster_identifier is a unique name for the cluster, database_name is the name of the initial database created with the cluster, master_username and master_password are the credentials for the master database user, node_type is the type of node used in the cluster, and cluster_type determines whether the cluster runs as a single node or as multiple nodes.

However, this code is vulnerable because it does not enable encryption for the Redshift cluster. None of the data stored in the cluster is encrypted at rest, so an unauthorized individual who gains access to the underlying storage could read it without needing any encryption key. This poses a serious security risk, particularly if the data stored in the cluster is sensitive.

To protect the data in the Redshift cluster, it should be encrypted using AWS Key Management Service (KMS). This can be achieved by adding the kms_key_id property to the aws_redshift_cluster resource block and setting it to the ARN of the KMS key to be used for encryption. The encrypted attribute should also be set to true.

Steps

  • Enable encryption for the AWS Redshift cluster
  • Modify the 'aws_redshift_cluster' resource to include the 'encrypted' attribute
  • Set the 'encrypted' attribute to 'true'
  • Ensure that the 'kms_key_id' attribute is also set to specify the AWS Key Management Service (KMS) key to use for encryption

Compliant code

resource "aws_kms_key" "redshift" {
  description = "KMS key for redshift"
  policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_redshift_cluster" "default" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  encrypted          = true
  kms_key_id         = aws_kms_key.redshift.arn
}

The above code fixes the vulnerability by enabling encryption for the AWS Redshift cluster.

The aws_kms_key resource block creates a new AWS KMS key that will be used to encrypt the Redshift cluster. The policy attached to the key allows all KMS actions for the root user of the AWS account.

In the aws_redshift_cluster resource block, the encrypted attribute is set to true to enable encryption, and the kms_key_id attribute is set to the ARN of the newly created KMS key, so the Redshift cluster is encrypted with that key.

This ensures that all data stored in the Redshift cluster is encrypted at rest and can only be read by entities that have the necessary permissions to use the KMS key, which significantly reduces the risk of unauthorized access to the data.
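The check below is an added example, not part of this page or of the Terraform provider: it scans the JSON output of terraform show -json on a saved plan and reports any aws_redshift_cluster that is not being created with encrypted = true and a kms_key_id. Because the compliant configuration references aws_kms_key.redshift.arn, the key ARN is only known after apply, so the check also accepts a kms_key_id listed under after_unknown. The sample plan embedded here is constructed for the example.

```python
import json


def find_unencrypted_redshift(plan_json: str) -> list[str]:
    """Return one finding per aws_redshift_cluster that is not KMS-encrypted.

    Input is the text of `terraform show -json tfplan`. Resources that are
    only being destroyed are skipped; everything else must have
    encrypted == true and a kms_key_id that is either known or
    "known after apply" (a reference to a key created in the same plan).
    """
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_redshift_cluster":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing to check for a cluster being removed
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        problems = []
        if after.get("encrypted") is not True:  # false, null or absent
            problems.append("encrypted is not true")
        if not after.get("kms_key_id") and not unknown.get("kms_key_id"):
            problems.append("kms_key_id is not set")
        if problems:
            findings.append(f"{rc['address']}: " + "; ".join(problems))
    return findings


# Constructed sample plan: one cluster like the non-compliant block above and
# one like the compliant block, whose kms_key_id is known only after apply.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_redshift_cluster.legacy", "type": "aws_redshift_cluster",
         "change": {"actions": ["create"],
                    "after": {"cluster_identifier": "tf-redshift-cluster",
                              "encrypted": False},
                    "after_unknown": {"arn": True}}},
        {"address": "aws_redshift_cluster.default", "type": "aws_redshift_cluster",
         "change": {"actions": ["create"],
                    "after": {"cluster_identifier": "tf-redshift-cluster",
                              "encrypted": True},
                    "after_unknown": {"arn": True, "kms_key_id": True}}},
    ],
})

if __name__ == "__main__":
    for finding in find_unencrypted_redshift(SAMPLE_PLAN):
        print(finding)
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan | python3 check.py` after replacing SAMPLE_PLAN with sys.stdin.read(); a non-empty result is a good reason to fail the pipeline step.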
