Amazon Redshift

Redshift Parameter Group SSL Required

Risk Level: Low

Description

This plugin ensures that the non-default parameter group associated with each Amazon Redshift cluster requires SSL connections. SSL protects data while it is being transferred.

About the Service

Amazon Redshift: Amazon Redshift is a data warehouse with fast and secure data analysis features. It is a powerful and robust service from Amazon for running SQL queries and even deploying ML (Machine Learning) models on the data. For additional monitoring benefits, it also provides access to real-time operational analytics.

Impact

It is highly recommended to require SSL for connections to Redshift clusters. Without SSL, data exchanged with the cluster is not encrypted, so anyone who intercepts the traffic can read it in full while it is in transit.

Steps to Reproduce

Using AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon Redshift console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Clusters.
  4. A list of clusters will be displayed. Select the cluster you want to examine by clicking on its Cluster Name.
  5. Move to the Properties tab.
  6. In the Database Configurations, click on the Parameter group specified. 
  7. Move to the Parameters tab.
  8. Next, check the value of require_ssl. If it is set to false, the vulnerability exists.
  9. Repeat steps for all the clusters you wish to examine.
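
The console check above can be scripted across every cluster in a region. The following is an added example, not part of the original page or the plugin's own code: it relies on the boto3 Redshift calls `describe_clusters` and `describe_cluster_parameters`, and `SampleClient` with its cluster and parameter group names is constructed sample data so the script runs offline.

```python
# Constructed sample data (not real resources) so the check runs offline.
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics",
     "ClusterParameterGroups": [{"ParameterGroupName": "pg-open"}]},
    {"ClusterIdentifier": "billing",
     "ClusterParameterGroups": [{"ParameterGroupName": "pg-ssl"}]},
]
SAMPLE_PARAMS = {"pg-open": "false", "pg-ssl": "true"}  # group -> require_ssl


class SampleClient:
    """Offline stand-in for the two boto3 Redshift calls used below."""

    def describe_clusters(self, **kwargs):
        return {"Clusters": SAMPLE_CLUSTERS}

    def describe_cluster_parameters(self, ParameterGroupName, **kwargs):
        return {"Parameters": [{"ParameterName": "require_ssl",
                                "ParameterValue": SAMPLE_PARAMS[ParameterGroupName]}]}


def _items(call, key, **kwargs):
    """Yield every item from a Marker-paginated describe_* call."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("Marker"):
            return
        kwargs["Marker"] = page["Marker"]


def clusters_without_ssl(client):
    """Return sorted (cluster, parameter group) pairs failing the check."""
    findings = []
    for cluster in _items(client.describe_clusters, "Clusters"):
        for group in cluster.get("ClusterParameterGroups", []):
            name = group["ParameterGroupName"]
            values = [p.get("ParameterValue") for p in _items(
                client.describe_cluster_parameters, "Parameters",
                ParameterGroupName=name) if p["ParameterName"] == "require_ssl"]
            # A missing parameter counts as a failure, like a "false" value.
            if [str(v).lower() for v in values] != ["true"]:
                findings.append((cluster["ClusterIdentifier"], name))
    return sorted(findings)


if __name__ == "__main__":
    # With AWS credentials, pass boto3.client("redshift") instead.
    for cluster_id, group in clusters_without_ssl(SampleClient()):
        print(f"FAIL {cluster_id}: require_ssl is not true in {group}")
```

Each pair returned is a cluster to take through the remediation steps.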

Steps for Remediation

Update Redshift parameter groups to have the require_ssl parameter set to true.

  1. Log in to your AWS Console.
  2. Open the Amazon Redshift console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if already logged in.
  3. From the left navigation pane, click on Clusters.
  4. A list of clusters will be displayed. Select the vulnerable cluster by clicking on its Cluster Name.
  5. Move to the Properties tab.
  6. In the Database Configurations, click on the Parameter group specified. 
  7. Move to the Parameters tab.
  8. Change the value of require_ssl to “true”. Click on Save Changes.
  9. Repeat steps for all the vulnerable clusters.