Verify that new Amazon Redshift clusters launch in a VPC - AWS Prescriptive Guidance

Created by Priyanka Chaudhary (AWS)

Summary

This pattern provides an Amazon Web Services (AWS) CloudFormation template that automatically notifies you when an Amazon Redshift cluster is launched outside a virtual private cloud (VPC).

Amazon Redshift is a fully managed, petabyte-scale, cloud-based data warehouse product. It is designed for large-scale dataset storage and analysis. It is also used to perform large-scale database migrations. Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources such as Amazon Redshift clusters in a virtual network that you define.

The security control provided with this pattern monitors Amazon Redshift API calls recorded in AWS CloudTrail logs and triggers an Amazon CloudWatch Events event for the CreateCluster and RestoreFromClusterSnapshot APIs. When the event rule matches one of these API calls, it invokes an AWS Lambda function that runs a Python script. The function analyzes the CloudWatch event. If an Amazon Redshift cluster is created or restored from a snapshot outside the Amazon VPC network, the function sends an Amazon Simple Notification Service (Amazon SNS) notification to the user with the relevant information: the Amazon Redshift cluster name, the AWS Region, the AWS account, and the Amazon Resource Name (ARN) of the Lambda function that sent the notification.
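The decision logic described above, written out as an added illustration (this is not the code in the RedshiftMustBeInVPC.zip attachment). It assumes the CloudWatch Events envelope around a CloudTrail record, that CloudTrail exposes the created cluster's VPC as a camelCase vpcId key in responseElements, and that the stack passes the topic ARN in an SNS_TOPIC_ARN environment variable; the sample event is constructed.

```python
from typing import Optional

WATCHED_APIS = {"CreateCluster", "RestoreFromClusterSnapshot"}

def evaluate_event(event: dict, lambda_arn: str) -> Optional[dict]:
    """Return a finding for a cluster created outside a VPC, or None if the event is no violation."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "redshift.amazonaws.com" or detail.get("eventName") not in WATCHED_APIS:
        return None
    if detail.get("errorCode"):
        return None  # the API call failed, so no cluster exists to report on
    response = detail.get("responseElements") or {}
    request = detail.get("requestParameters") or {}
    # Assumption: CloudTrail records the cluster's VpcId as a camelCase "vpcId" key in
    # responseElements; a missing or empty value means the cluster is not in a VPC.
    if response.get("vpcId"):
        return None
    return {
        "cluster": response.get("clusterIdentifier") or request.get("clusterIdentifier", "unknown"),
        "region": detail.get("awsRegion") or event.get("region", "unknown"),
        "account": event.get("account") or (detail.get("userIdentity") or {}).get("accountId", "unknown"),
        "source_lambda": lambda_arn,
    }

def format_message(finding: dict) -> str:
    """Build the SNS body carrying the four fields the pattern's notification includes."""
    return ("Amazon Redshift cluster launched outside a VPC\n"
            f"Cluster name: {finding['cluster']}\nAWS Region: {finding['region']}\n"
            f"AWS account: {finding['account']}\nReported by: {finding['source_lambda']}\n")

def lambda_handler(event, context):
    """Lambda entry point; SNS_TOPIC_ARN is an assumed environment variable set by the stack."""
    finding = evaluate_event(event, context.invoked_function_arn)
    if finding is None:
        return {"violation": False}
    import os, boto3  # imported here so the decision logic stays testable without AWS credentials
    boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                                Subject="Redshift cluster outside VPC", Message=format_message(finding))
    return {"violation": True, **finding}

# Constructed sample event (CloudWatch Events envelope around a CloudTrail record), not real data.
SAMPLE_EVENT = {
    "account": "111122223333", "region": "us-east-1",
    "detail": {"eventSource": "redshift.amazonaws.com", "eventName": "CreateCluster",
               "awsRegion": "us-east-1", "userIdentity": {"accountId": "111122223333"},
               "requestParameters": {"clusterIdentifier": "analytics-1"},
               "responseElements": {"clusterIdentifier": "analytics-1", "vpcId": None}},
}
```

A failed call (errorCode present) and any other Redshift API are ignored, so the control only reports clusters that were actually created or restored.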

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • A VPC with a cluster subnet group, and an associated security group.

Limitations 

  • The AWS CloudFormation template supports the CreateCluster and RestoreFromClusterSnapshot actions (new clusters) only. It does not detect existing Amazon Redshift clusters that were created outside a VPC.

  • This security control is regional. You must deploy it in each AWS Region you want to monitor.

Architecture

Target architecture 

[Architecture diagram: Verifying that new Amazon Redshift clusters launch in a VPC]

Automation and scale

If you are using AWS Organizations, you can use AWS CloudFormation StackSets to deploy this template in multiple accounts that you want to monitor.

Tools

AWS services

  • AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually.

  • AWS CloudTrail – AWS CloudTrail helps you implement governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

  • Amazon CloudWatch Events – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.

  • AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers. AWS Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second.

  • Amazon Redshift – Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. Amazon Redshift is integrated with your data lake, which enables you to use your data to acquire new insights for your business and customers.

  • Amazon S3 – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that you can use for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses.

Code

This pattern includes the following attachments:

  • RedshiftMustBeInVPC.zip – The Lambda code for the security control.

  • RedshiftMustBeInVPC.yml – The CloudFormation template that sets up the event and Lambda function.

To use these files, follow the instructions in the next section.

Epics

Task: Define the S3 bucket.
Description: On the Amazon S3 console, choose or create an S3 bucket to host the Lambda code .zip file. This S3 bucket must be in the same AWS Region as the Amazon Redshift cluster that you want to monitor. An S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. The S3 bucket name cannot include leading slashes.
Skills required: Cloud architect

Task: Upload the Lambda code.
Description: Upload the Lambda code (the RedshiftMustBeInVPC.zip file) provided in the Attachments section to the S3 bucket.
Skills required: Cloud architect

Task: Launch the CloudFormation template.
Description: Open the AWS CloudFormation console in the same AWS Region as your S3 bucket and deploy the attached template (RedshiftMustBeInVPC.yml). For more information about deploying AWS CloudFormation templates, see Creating a stack on the AWS CloudFormation console in the CloudFormation documentation.
Skills required: Cloud architect

Task: Complete the parameters in the template.
Description: When you launch the template, you'll be prompted for the following information:

  • S3 bucket: Specify the bucket that you created or selected in the first epic. This is where you uploaded the attached Lambda code (.zip file).

  • S3 key: Specify the location of the Lambda .zip file in your S3 bucket (for example, filename.zip or controls/filename.zip). Do not include leading slashes.

  • Notification email: Provide an active email address where you want to receive Amazon SNS notifications.

  • Lambda logging level: Specify the logging level and frequency for the Lambda function. Use Info to log detailed informational messages on progress, Error for error events that would still allow the deployment to continue, and Warning for potentially harmful situations.

Skills required: Cloud architect

Task: Confirm the subscription.
Description: When the CloudFormation template deploys successfully, it sends a subscription email to the email address you provided. You must confirm this email subscription to start receiving violation notifications.
Skills required: Cloud architect

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip