Unencrypted AWS Redshift using CMK High

An unencrypted AWS Redshift cluster that references a customer managed key (CMK) was detected. Make sure that encryption at rest is actually enabled on the Redshift cluster (encrypted = true) and not only that a kms_key_id is supplied.

Detector ID
terraform/unencrypted-redshift-cmk-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

resource "aws_redshift_cluster" "test" {
  # Noncompliant: All data stored in the Redshift cluster is not encrypted at rest.
  cluster_identifier = "redshift-defaults-only"
  database_name = "mydb"
  node_type = "dc2.large"
  master_password = "Test1234"
  master_username = "test"
  skip_final_snapshot = true
  kms_key_id = aws_kms_key.test.arn
  publicly_accessible = "false"
  cluster_subnet_group_name = "subnet-ebd9cead"
  logging {
    enable = "true"
  }
  enhanced_vpc_routing = true
}

Compliant example

resource "aws_redshift_cluster" "test" {
  cluster_identifier = "redshift-defaults-only"
  database_name = "mydb"
  node_type = "dc2.large"
  master_password = "Test1234"
  master_username = "test"
  # Compliant: All data stored in the Redshift cluster is securely encrypted at rest.
  encrypted = true
  skip_final_snapshot = true
  kms_key_id = aws_kms_key.test.arn
  publicly_accessible = "false"
  cluster_subnet_group_name = "subnet-ebd9cead"
  logging {
    enable = "true"
  }
  enhanced_vpc_routing = true
}
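As an added example that is not part of this detector page or of CodeGuru itself, the following Python script applies the same rule to Terraform text: it finds every aws_redshift_cluster resource and flags those that supply a kms_key_id without setting encrypted = true. The sample HCL embedded in SAMPLE_HCL is constructed for the example and mirrors the two resources above (passwords and the subnet group omitted).

```python
import re

# Constructed sample: one cluster shaped like the noncompliant example
# (kms_key_id but no encrypted = true) and one shaped like the compliant one.
SAMPLE_HCL = '''
resource "aws_redshift_cluster" "noncompliant" {
  cluster_identifier = "redshift-defaults-only"
  node_type = "dc2.large"
  kms_key_id = aws_kms_key.test.arn
  logging {
    enable = "true"
  }
}

resource "aws_redshift_cluster" "compliant" {
  cluster_identifier = "redshift-encrypted"
  node_type = "dc2.large"
  encrypted = true
  kms_key_id = aws_kms_key.test.arn
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_redshift_cluster"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


def _block_body(text, start):
    """Return the text between the '{' at `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def top_level_attrs(body):
    """Map top-level attribute names to raw values; nested blocks such as
    logging {} are skipped so their attributes are not mistaken for the cluster's."""
    attrs, depth = {}, 0
    for line in body.splitlines():
        stripped = line.strip()
        m = ATTR_RE.match(line)
        if depth == 0 and m and "{" not in stripped:
            attrs[m.group(1)] = m.group(2).strip('"')
        depth += stripped.count("{") - stripped.count("}")
    return attrs


def find_unencrypted_redshift(hcl):
    """Names of aws_redshift_cluster resources referencing a CMK (kms_key_id)
    without encrypted = true, i.e. the condition this detector reports."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        attrs = top_level_attrs(_block_body(hcl, m.end() - 1))
        if "kms_key_id" in attrs and attrs.get("encrypted") != "true":
            findings.append(m.group(1))
    return findings
```

Running find_unencrypted_redshift(SAMPLE_HCL) reports only the "noncompliant" resource; adding encrypted = true to that block clears the finding.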