Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Redshift Parameter Group Require SSL

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RS-007

Ensure that all the parameter groups associated with your Amazon Redshift clusters have the require_ssl parameter enabled in order to keep your data secure in transit by encrypting the connection between the clients (applications) and your warehouse clusters.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When Redshift clusters are not configured to require Secure Sockets Layer (SSL) connections, the communication between the clients and these clusters is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. Cloud Conformity strongly recommends enabling SSL for your clusters front-end connection when dealing with sensitive or private data.

Note: For this rule, Cloud Conformity assumes that your Amazon Redshift clusters are not associated with the default parameter group created automatically by AWS, as the default parameter group cannot be modified to update the require_ssl parameter value.

Audit

To determine if your Amazon Redshift non-default parameter groups have the require_ssl parameter enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine then click on its identifier (name) link:

Choose the Redshift cluster that you want to examine then click on its identifier (name) link

listed in the Cluster column.

05 On the selected cluster Configuration tab, inside the Cluster Properties section, click on the Cluster Parameter Group value link, e.g.

click on the Cluster Parameter Group value link

to access the non-default parameter group configuration page.

06 On the Parameters tab, verify the require_ssl parameter value:

On the Parameters tab, verify the require_ssl parameter value

If the current value is set to false, the selected Amazon Redshift cluster is not configured to use SSL to secure the connection between the client and cluster, therefore your data in transit is not secured.

07 Repeat steps no. 3 - 6 to verify the parameter group configuration for other clusters provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all Redshift clusters currently available in the selected region:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws redshift describe-clusters
	--region us-east-1
	--output table
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
----------------------
|  DescribeClusters  |
+--------------------+
|  cc-cluster        |
|  ccd-cluster       |
|  ccx-cluster       |
+--------------------+

03 Run again describe-clusters command (OSX/Linux/UNIX) using the name of cluster that you want to examine as identifier and the necessary query filters to expose the parameter group name associated with the cluster:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws redshift describe-clusters
	--region us-east-1
	--cluster-identifier cc-cluster
	--query 'Clusters[*].ClusterParameterGroups[*].ParameterGroupName[]'

04 The command output should return the parameter group identifier requested:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
[
    "cc-cluster-redshift-param-group"
]

05 Run describe-cluster-parameters command (OSX/Linux/UNIX) using the name of the Redshift cluster parameter group returned at the previous step to list its parameters metadata:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws redshift describe-cluster-parameters
	--region us-east-1
	--parameter-group-name cc-cluster-redshift-param-group

06 The command output should return information about each parameter available within the selected parameter group:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
[
    "Parameters": [

        ...

        {
            "Description": "This parameter applies a ... ",
            "DataType": "string",
            "IsModifiable": true,
            "Source": "engine-default",
            "ParameterValue": "default",
            "ParameterName": "query_group",
            "ApplyType": "static"
        },
        {
            "Description": "require ssl for all database connections",
            "DataType": "boolean",
            "IsModifiable": true,
            "AllowedValues": "true,false",
            "Source": "user",
            "ParameterValue": "false",
            "ParameterName": "require_ssl",
            "ApplyType": "static"
        },
        {
            "Description": "Sets the schema search order for ... ",
            "DataType": "string",
            "IsModifiable": true,
            "Source": "engine-default",
            "ParameterValue": "$user, public",
            "ParameterName": "search_path",
            "ApplyType": "static"
        }

        ...

    ]
}

If the require_ssl parameter, identified in the command output by the key pair "ParameterName" : "require_ssl", has the value set to false, (i.e "ParameterValue" : "false" key pair), the Amazon Redshift cluster associated with the selected parameter group is not using SSL to secure the connection between the client and the cluster, therefore your data in transit is not secured.

07 Repeat steps no. 3 - 6 to verify the parameter group configuration for other Redshift clusters provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Remediation / Resolution

To enable require_ssl parameter within your Amazon Redshift non-default parameter groups in order to use SSL for the client-cluster connection, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Parameter Groups.

04 Select the non-default Redshift parameter group that you want to modify then click on the Edit Parameters button from the dashboard top menu.

05 On the parameter group configuration page select the Parameters tab.

06 Identify the require_ssl parameter and change its current value from false to true:

Identify the require_ssl parameter and change its current value from false to true

in order to enable SSL for the associated cluster.

07 Click Save Changes to apply the changes to the selected parameter group.

08 To take effect immediately, the Amazon Redshift cluster associated with the selected parameter group must be rebooted. To reboot a cluster, perform the following actions:

  1. In the navigation panel, under Redshift Dashboard, click Clusters.
  2. Choose the cluster that you want to reboot then click on its identifier link available in the Cluster column.
  3. On the configuration page, click the Cluster dropdown button from the dashboard top menu and select Reboot.
  4. Within Reboot Cluster dialog box, click Continue to reboot the selected AWS Redshift cluster. The cluster status should change now to rebooting.
    IMPORTANT: The reboot process can take several minutes. During this time your Redshift cluster becomes unavailable.

09 Repeat steps no. 4 - 8 to enable the require_ssl parameter for other non-default parameter groups created in the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run modify-cluster-parameter-group command (OSX/Linux/UNIX) using the name of the non-default parameter group that you want to modify (see Audit section part II to identify the right one) to enable the require_ssl parameter:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws redshift modify-cluster-parameter-group
	--region us-east-1
	--parameter-group-name cc-cluster-redshift-param-group
	--parameters ParameterName=require_ssl,ParameterValue=true

02 If successful, the command output should return the modified parameter group name and its status:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
{
    "ParameterGroupStatus": "Your parameter group has been updated.
     Updates to dynamic parameters will be applied immediately.
     Updates to static parameters will be applied when you reboot
     the associated Clusters.",
    "ParameterGroupName": "cc-cluster-redshift-param-group"
}

03 Now run reboot-cluster command (OSX/Linux/UNIX) using the name of the Redshift cluster associated with the modified parameter group (see Audit section part II to identify the associated cluster) to reboot the cluster so the configuration changes can take effect immediately:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws redshift reboot-cluster
	--region us-east-1
	--cluster-identifier cc-cluster

04 The command output should return the metadata of the cluster selected for reboot:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
{
    "Cluster": {
        "PubliclyAccessible": true,
        "MasterUsername": "ccclusteruser",
        "VpcSecurityGroups": [
            {
                "Status": "active",
                "VpcSecurityGroupId": "sg-58dc0a22"
            }
        ],
        "NumberOfNodes": 1,
        "PendingModifiedValues": {},
        "VpcId": "vpc-2fb56548",
        "ClusterVersion": "1.0",
        "Tags": [],
        "AutomatedSnapshotRetentionPeriod": 1,
        "ClusterParameterGroups": [
            {
                "ParameterGroupName": "cc-cluster-redshift-param-group",
                "ParameterApplyStatus": "pending-reboot"
            }
        ],
        "DBName": "ccclusterdb",
        "PreferredMaintenanceWindow": "mon:04:30-mon:05:00",
        "Endpoint": {
            "Port": 5439,
            "Address": "cc-cluster.cmfpsgvyjhfo.us-east-1 ... "
        },
        "IamRoles": [],
        "AllowVersionUpgrade": true,
        "ClusterCreateTime": "2016-10-08T06:25:25.668Z",
        "ClusterSubnetGroupName": "default",
        "ClusterSecurityGroups": [],
        "ClusterIdentifier": "cc-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "dc1.large",
        "Encrypted": false,
        "ClusterStatus": "rebooting"
    }
}

05 Repeat steps no. 1 - 4 to enable the require_ssl parameter for other non-default parameter groups created in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 for other regions.

References

Publication date Oct 10, 2016

Related Redshift rules