Redshift Cluster Encryption Key Missing

This plugin ensures Redshift clusters are not configured to encrypt using missing KMS keys.

Risk Level: Medium

Description

This plugin ensures Redshift clusters are not configured to encrypt using missing KMS keys. Encryption is an important property from the security aspect. If the encryption is enabled, but the encryption key is missing, it will result in unprotected data.

About the Service

Amazon RedShift: Amazon RedShift is a data warehouse with fast and secure data analyzing features. It is a powerful and robust service powered by Amazon to run SQL queries and even deploy ML (Machine Learning) models on the data. For additional monitoring benefits, it also provides access to real time operational analytics.

Impact

It is highly recommended to encrypt your Amazon RedShift data.

In the absence of a proper AWS KMS key for encryption, the data will remain unaffected. This can provide complete readability to hackers in the case of data exposure.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon RedShift Console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Clusters.
  4. A list of clusters will be displayed. Select the cluster you want to examine by clicking on it’s Cluster Name.
  5. Move to the Properties tab.
  6. If the Encryption is enabled, copy the AWS KMS Id.
  7. Move to the AWS KMS console to check if the key exists. (https://console.aws.amazon.com/kms/) Make sure you are in the same region as that of the cluster.
  8. From the left navigation pane, select the Customer-managed-keys section.
  9. Paste the key ARN copied in the search bar. If no keys are found, the vulnerability exists. 
  10. Repeat steps 3 to 9 for all the clusters you wish to examine.

Steps for Remediation

Update Redshift clusters encryption configuration to use valid KMS keys.

  1. Log In to your AWS Console.
  2. Open the Amazon RedShift Console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Clusters.
  4. A list of clusters will be displayed. Select the vulnerable cluster by clicking on it’s Cluster Name.
  5. Move to the Properties tab.
  6. From the Edit drop down menu in the top-right corner, select Edit encryption option.
  7. Choose a valid KMS key Id from the drop down list and click on Save changes when done.
  8. Repeat steps 3 to 8 for all the vulnerable clusters.