Redshift Automated Snapshot Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: RS-019

Ensure that the automated snapshot retention period set for your AWS Redshift clusters is a positive number, meaning that automated backups are enabled for the clusters. The retention period represents the number of days to retain automated snapshots. If the retention period is set to zero, automated snapshots are disabled for your Redshift clusters. You can still create manual backups when automated snapshots are disabled (retention period set to 0), however, automated actions are more reliable than manual processes, helping you to improve Redshift data protection and recoverability.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When the retention period is set to a positive number in a Redshift cluster configuration, automated snapshots are enabled for that cluster. Cloud Conformity strongly recommends automating backups whenever possible so that data can be recovered after unexpected failures.


Audit

To determine if your Amazon Redshift clusters are taking snapshots of their data automatically (i.e. automated snapshot retention period is set to a positive number), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine then click on its identifier/name link, listed in the Cluster column.

05 On the selected cluster configuration tab, in the Backup, Audit Logging, and Maintenance section, verify the Automated Snapshot Retention Period attribute value. If the value is set to 0 (zero), the selected Amazon Redshift cluster is not taking automated snapshots; the cluster backup strategy is therefore not automated and not fully reliable.

06 Repeat steps no. 4 and 5 to verify the automated snapshot retention period for other Redshift clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all AWS Redshift clusters currently available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--output table \
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

--------------------------
|    DescribeClusters    |
+------------------------+
|  cc-redshift-cluster   |
|  cc-srdb-cluster       |
+------------------------+

03 Run the describe-clusters command (OSX/Linux/UNIX) again, using the name of the cluster that you want to examine as identifier and custom query filters to get the current value (number of days) set for the automated snapshot retention period attribute:

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster \
	--query 'Clusters[*].AutomatedSnapshotRetentionPeriod'

04 The command output should return the number of days set to retain automated snapshots for the selected cluster:

[
   0
]

If the returned value is 0 (zero), the automated snapshots are disabled for the selected Amazon Redshift cluster, therefore the cluster backup strategy is not reliable.

05 Repeat steps no. 3 and 4 to verify the automated snapshot retention period for other AWS Redshift clusters available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To modify your Amazon Redshift clusters configuration in order to enable automated snapshots (i.e. set automated snapshot retention period to a positive number), perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to modify then click on its identifier link listed in the Cluster column.

05 On the selected cluster configuration tab, click the Cluster dropdown button from the dashboard top menu and click Modify.

06 Inside the Modify cluster dialog box, select a number between 1 and 35 from the Automated snapshot retention period dropdown list to enable automated backups and set the number of days to retain automated snapshots for the selected Redshift cluster. Leave the rest of the settings unchanged and click Modify to apply the configuration changes.

07 Repeat steps no. 4 - 6 to set the automated snapshot retention period for other Redshift clusters provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the modify-cluster command (OSX/Linux/UNIX) using the name of the cluster that you want to modify as identifier (see Audit section part II to identify the right Redshift resource) to enable automated snapshots for the selected cluster (the --automated-snapshot-retention-period parameter must use a value between 1 and 35, inclusive):

aws redshift modify-cluster \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster \
	--automated-snapshot-retention-period 7

02 If successful, the command output should return the new configuration metadata for the selected AWS Redshift cluster:

{
    "Cluster": {
        "PubliclyAccessible": true,
        "NumberOfNodes": 2,
        "PendingModifiedValues": {},
        "VpcId": "vpc-c8756ca8",
        "ClusterVersion": "1.0",
        "Tags": [],
        "AutomatedSnapshotRetentionPeriod": 7,

        ...

        "AllowVersionUpgrade": true,
        "ClusterSubnetGroupName": "default",
        "EnhancedVpcRouting": false,
        "ClusterIdentifier": "cc-redshift-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds1.xlarge",
        "Encrypted": false,
        "ClusterStatus": "available"
    }
}

03 Repeat steps no. 1 and 2 to set the automated snapshot retention period for other Redshift clusters created in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 for other regions.
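The CLI audit (Audit section, part II) and the modify-cluster remediation above can be combined into one script. This is an added example, not Conformity's own tooling; it assumes boto3 is installed and AWS credentials are configured, and the cluster names in SAMPLE_RESPONSE are constructed to mirror the describe-clusters output shown on this page.

```python
"""Audit and remediation helper for rule RS-019 (added example, not Conformity code)."""
from typing import Dict, List, Tuple

MIN_RETENTION_DAYS = 1   # 0 disables automated snapshots
MAX_RETENTION_DAYS = 35  # upper bound accepted by modify-cluster


def noncompliant_clusters(response: Dict) -> List[Tuple[str, int]]:
    """Return (identifier, retention) for clusters with automated snapshots disabled.

    `response` has the shape of describe-clusters output; a missing
    AutomatedSnapshotRetentionPeriod is treated as 0 (disabled).
    """
    findings = []
    for cluster in response.get("Clusters", []):
        days = int(cluster.get("AutomatedSnapshotRetentionPeriod", 0))
        if days < MIN_RETENTION_DAYS:
            findings.append((cluster["ClusterIdentifier"], days))
    return findings


def validate_retention(days: int) -> int:
    """Reject values modify-cluster would not accept (1..35 inclusive)."""
    if not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
        raise ValueError(f"retention must be 1-35 days, got {days}")
    return days


def audit_region(region: str) -> List[Tuple[str, int]]:
    """Page through describe-clusters in one region (needs boto3 + credentials)."""
    import boto3  # imported lazily so the pure functions above run offline
    redshift = boto3.client("redshift", region_name=region)
    findings = []
    for page in redshift.get_paginator("describe_clusters").paginate():
        findings.extend(noncompliant_clusters(page))
    return findings


def remediate(region: str, identifier: str, days: int = 7) -> int:
    """Same call as the modify-cluster command above; returns the new period."""
    import boto3
    redshift = boto3.client("redshift", region_name=region)
    result = redshift.modify_cluster(
        ClusterIdentifier=identifier,
        AutomatedSnapshotRetentionPeriod=validate_retention(days),
    )
    return result["Cluster"]["AutomatedSnapshotRetentionPeriod"]


# Constructed sample mirroring the describe-clusters output shown on this page.
SAMPLE_RESPONSE = {"Clusters": [
    {"ClusterIdentifier": "cc-redshift-cluster", "AutomatedSnapshotRetentionPeriod": 0},
    {"ClusterIdentifier": "cc-srdb-cluster", "AutomatedSnapshotRetentionPeriod": 7},
]}

if __name__ == "__main__":
    for name, days in noncompliant_clusters(SAMPLE_RESPONSE):
        print(f"{name}: automated snapshots disabled (retention={days})")
```

Run `audit_region("us-east-1")` for each region in scope, then `remediate(region, name)` for each finding; `validate_retention` stops a 0 from being written back.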

Publication date Sep 22, 2017