Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Cross-Region Snapshots

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Configure Amazon Redshift to automatically copy your automated and manual snapshots to another AWS cloud region. This feature enables you to safely copy your Redshift backup data across multiple AWS regions.

This rule can help you work with the AWS Well-Architected Framework.

Reliability

With cross-region snapshots, Amazon Redshift provides a centralized solution to store copies of your data across multiple AWS regions, helping you meet business continuity, disaster recovery, and compliance requirements. You can enable this feature for each Redshift cluster provisioned within your AWS account and configure where to copy snapshots and how long to keep copied snapshots in the destination region.


Audit

To determine if cross-region snapshots are enabled for your Amazon Redshift clusters, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

03 In the navigation panel, under Redshift Dashboard, choose Clusters.

04 Click on the name (link) of the cluster that you want to examine, listed in the Cluster column.

05 Choose the Backup tab to access the backup configuration information available for the selected Amazon Redshift resource.

06 In the Backup details section, check the Cross-region snapshots configuration status. If the Cross-region snapshots status is set to Disabled, cross-region snapshots are not enabled for the selected Amazon Redshift cluster.

07 Repeat steps no. 4 – 6 for each Redshift cluster provisioned within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifiers (names) of all the Amazon Redshift clusters available in the selected AWS cloud region:

aws redshift describe-clusters
  --region us-east-1
  --output table
  --query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster name(s):

-------------------------
|   DescribeClusters    |
+-----------------------+
|  cc-web-data-cluster  |
|  cc-project5-cluster  |
+-----------------------+

03 Run describe-clusters command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to examine as the identifier parameter and custom query filters to describe the Cross-Region Snapshot Copy feature configuration, available for the selected cluster:

aws redshift describe-clusters
  --region us-east-1
  --cluster-identifier cc-web-data-cluster
  --query 'Clusters[*].ClusterSnapshotCopyStatus'

04 The command output should return the requested configuration information:

[]

If the describe-clusters command output returns an empty array (i.e. []), as shown in the example above, the Cross-Region Snapshot Copy feature is not enabled for the selected Amazon Redshift cluster.

05 Repeat steps no. 3 and 4 for each Redshift cluster available in the selected AWS cloud region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other AWS cloud regions.

Remediation / Resolution

To enable and configure cross-region snapshots for your Amazon Redshift clusters in order to automatically copy your cluster snapshots to another AWS region, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

03 In the navigation panel, under Redshift Dashboard, choose Clusters.

04 Click on the name (link) of the cluster that you want to reconfigure, listed in the Cluster column.

05 Click on the Actions dropdown menu from console top menu and select Configure cross-region snapshot from the Backup and disaster recovery list.

06 Inside the Configure cross-region snapshot configuration window, perform the following operations:

  1. For Copy snapshots, choose Yes to enable the feature.
  2. Select the destination AWS cloud region from the Destination AWS Region dropdown list.
  3. From the Automated snapshot retention period (days) dropdown list, choose the number of days for which you want automated snapshots to be retained in the destination (target) AWS region before they are deleted.
  4. From the Manual snapshot retention period dropdown list, choose the value that represents the number of days for which you want manual snapshots to be retained in the destination AWS region before they are deleted. If you choose Custom value, provide a retention period between 1 to 3653 days.
  5. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 to enable and configure cross-region snapshots for other Redshift clusters provisioned within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the remediation process for other AWS regions.

Using AWS CLI

01 Run enable-snapshot-copy command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to reconfigure as the identifier parameter, to enable the automatic copy of snapshots from one AWS region to another (in this case to US West – N. California region), for the selected Redshift cluster:

aws redshift enable-snapshot-copy
  --region us-east-1
  --cluster-identifier cc-web-data-cluster
  --destination-region us-west-1
  --retention-period 7
  --manual-snapshot-retention-period 14

02 The command output should return the metadata available for the reconfigured Amazon Redshift cluster:

{
  "Cluster": {
    "ClusterIdentifier": "cc-web-data-cluster",
    "NodeType": "dc2.large",
    "ClusterStatus": "available",
    "ClusterAvailabilityStatus": "Available",
    "MasterUsername": "project5user",
    "DBName": "project5db",
    "Endpoint": {
      "Address": "cc-web-data-cluster.abcd1234abcd.us-east-1.redshift.amazonaws.com",
      "Port": 5439
    },
    "ClusterCreateTime": "2021-01-27T09:00:00.000000+00:00",
    "AutomatedSnapshotRetentionPeriod": 1,
    "ManualSnapshotRetentionPeriod": -1,
    "ClusterSecurityGroups": [],
    "VpcSecurityGroups": [
      {
        "VpcSecurityGroupId": "sg-abcdabcd",
        "Status": "active"
      }
    ],
    "ClusterParameterGroups": [
      {
        "ParameterGroupName": "default.redshift-1.0",
        "ParameterApplyStatus": "in-sync"
      }
    ],
    "ClusterSubnetGroupName": "default",
    "VpcId": "vpc-abcd1234",
    "AvailabilityZone": "us-east-1c",
    "PreferredMaintenanceWindow": "sun:00:00-sun:00:30",
    "PendingModifiedValues": {},
    "ClusterVersion": "1.0",
    "AllowVersionUpgrade": true,
    "NumberOfNodes": 2,
    "PubliclyAccessible": false,
    "Encrypted": false,
    "ClusterSnapshotCopyStatus": {
      "DestinationRegion": "us-west-1",
      "RetentionPeriod": 7,
      "ManualSnapshotRetentionPeriod": 14
    },
    "Tags": [],
    "EnhancedVpcRouting": false,
    "IamRoles": [],
    "MaintenanceTrackName": "current",
    "DeferredMaintenanceWindows": [],
    "NextMaintenanceWindowStartTime": "2021-01-31T00:00:00+00:00"
  }
}

03 Repeat steps no. 1 and 2 to enable and configure cross-region snapshots for other Redshift clusters provisioned in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 for other AWS regions.

References

Publication date Feb 6, 2021