Sufficient Cross-Region Snapshot Retention Period

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Redshift clusters are configured with a sufficient retention period for cross-region snapshots in order to fulfill internal compliance requirements. The retention period is the number of days that a snapshot copied to the destination AWS region is kept there before it is deleted; automated and manual snapshot copies have separate retention periods. Automated copies can be retained for 1 to 35 days, manual copies for 1 to 3653 days, or indefinitely by setting the value to -1. Before running this conformity rule by the Trend Cloud One™ – Conformity engine, you have to specify your own cross-region snapshot retention periods (manual and automated) in the conformity rule settings.

This rule can help you work with the AWS Well-Architected Framework.

Reliability

With cross-region snapshots, Amazon Redshift provides a centralized solution to store copies of your data across multiple AWS regions, helping you meet business continuity, disaster recovery, and compliance requirements. A sufficient (optimal) snapshot retention period gives you a longer window in which a cluster can be restored from a copy in the destination AWS region. If you configure a smaller number of days to retain snapshots in the destination region, any copied automated snapshots that are already older than the new retention period are deleted. If you configure a larger number of days, the retention period of the existing copied automated snapshots is extended.


Audit

To determine if your Amazon Redshift clusters have a sufficient retention period configured for cross-region snapshots, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

03 In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.

04 Click on the name (link) of the Redshift data warehouse cluster that you want to examine.

05 Select the Maintenance tab to access the maintenance configuration settings available for the selected cluster.

06 Check the Cross-region snapshot retention period attribute values available in the Backup details section to determine the retention period configured for manual and automated cross-region snapshots. If there is no Cross-region snapshot retention period attribute in this section, cross-region snapshots are disabled for the selected cluster; in that case, follow the Remediation steps outlined in this conformity rule to enable cross-region snapshots. Otherwise, continue the Audit process with the next step.

07 Sign in to your Trend Cloud One™ – Conformity account, access the Sufficient Cross-Region Snapshot Retention Period rule settings and compare the retention period values found at the previous step against the ones set within the rule configuration. If the retention period configured for either type of cross-region snapshot is less than the one defined in your Conformity account, the selected Amazon Redshift cluster does not have a sufficient data retention period configured for cross-region snapshots.

08 Repeat steps no. 4 – 7 for each Redshift cluster provisioned within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifiers (names) of all the Amazon Redshift clusters available in the selected AWS cloud region:

aws redshift describe-clusters \
  --region us-east-1 \
  --output table \
  --query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster name(s):

--------------------------
|    DescribeClusters    |
+------------------------+
|  cc-redshift-cluster   |
|  cc-web-data-cluster   |
|  cc-analytics-cluster  |
+------------------------+

03 Run describe-clusters command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to examine as the identifier parameter and custom query filters to describe the retention period configured for each type of cross-region snapshot on the selected cluster:

aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --query 'Clusters[*].ClusterSnapshotCopyStatus.{"AutomaticSnapshotRetentionPeriod":RetentionPeriod,"ManualSnapshotRetentionPeriod":ManualSnapshotRetentionPeriod}'

04 If the describe-clusters command returns an empty array (i.e. []), the cluster has no ClusterSnapshotCopyStatus, meaning cross-region snapshot copy is not enabled for the selected cluster; in that case, follow the Remediation steps outlined in this conformity rule to enable cross-region snapshots. Otherwise, the command output should return the requested configuration information (for manual snapshots, a value of -1 means copies are retained indefinitely):

[
	{
		"AutomaticSnapshotRetentionPeriod": 1,
		"ManualSnapshotRetentionPeriod": 3
	}
]

05 Sign in to your Trend Cloud One™ – Conformity account, access the Sufficient Cross-Region Snapshot Retention Period rule settings, and compare the retention period values returned at the previous step against the ones set within the conformity rule configuration. If the retention period configured for either type of cross-region snapshot is less than the one defined in your Conformity account, the selected Amazon Redshift cluster does not have a sufficient data retention period configured for cross-region snapshots.

06 Repeat steps no. 3 – 5 for each Redshift cluster available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Audit process for other AWS regions.

Remediation / Resolution

To reconfigure your Amazon Redshift clusters in order to set up a sufficient and compliant data retention period for cross-region snapshots, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Sufficient Cross-Region Snapshot Retention Period",
	"Parameters": {
		"ClusterName": {
			"Default": "cc-redshift-cluster",
			"Description": "Redshift cluster name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"ClusterNodeType": {
			"Default": "dc2.large",
			"Description": "Cluster node type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid cluster node type."
		},
		"DBName": {
			"Description": "Cluster database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Master username for cluster database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for cluster database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RedshiftCluster": {
			"Type": "AWS::Redshift::Cluster",
			"Properties": {
				"ClusterIdentifier": {
					"Ref": "ClusterName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"NodeType": {
					"Ref": "ClusterNodeType"
				},
				"ClusterType": "single-node",
				"AllowVersionUpgrade": true,
				"DestinationRegion": "us-east-2",
				"SnapshotCopyRetentionPeriod": 30
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Sufficient Cross-Region Snapshot Retention Period
Parameters:
  ClusterName:
    Default: cc-redshift-cluster
    Description: Redshift cluster name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.
  ClusterNodeType:
    Default: dc2.large
    Description: Cluster node type
    Type: String
    ConstraintDescription: Must provide a valid cluster node type.
  DBName:
    Description: Cluster database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBUsername:
    Description: Master username for cluster database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for cluster database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterName
      DBName: !Ref DBName
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      NodeType: !Ref ClusterNodeType
      ClusterType: single-node
      AllowVersionUpgrade: true
      # Number of days automated snapshots copied to DestinationRegion are retained
      DestinationRegion: us-east-2
      SnapshotCopyRetentionPeriod: 30

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# The master password is supplied at apply time (TF_VAR_master_password or -var)
# instead of being committed to the configuration. Redshift requires 8 to 64
# characters with at least one uppercase letter, one lowercase letter and one digit.
variable "master_password" {
	type      = string
	sensitive = true
}

resource "aws_redshift_subnet_group" "redshift-custom-subnet-group" {
	name       = "cc-custom-subnet-group"
	subnet_ids = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
}

resource "aws_redshift_cluster" "redshift-database-cluster" {
	cluster_identifier        = "cc-redshift-prod-cluster"
	node_type                 = "dc2.large"
	database_name             = "clusterdb"
	master_username           = "masterdbuser"
	master_password           = var.master_password
	cluster_type              = "single-node"
	allow_version_upgrade     = true
	cluster_subnet_group_name = aws_redshift_subnet_group.redshift-custom-subnet-group.name

	# Sufficient Cross-Region Snapshot Retention Period
	# retention_period is the number of days (1-35) that automated snapshots
	# copied to destination_region are kept. KMS-encrypted clusters also need
	# a snapshot copy grant, referenced here via grant_name.
	snapshot_copy {
		destination_region = "us-east-2"
		retention_period   = 30
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2.

03 In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.

04 Click on the name of the Redshift cluster that you want to reconfigure.

05 Choose Actions from console top menu and select Configure cross-region snapshot under Backup and disaster recovery.

06 In the Configure cross-region snapshot window, perform the following operations:

  1. Ensure that Copy snapshots setting is set to Yes.
  2. Choose the number of days for which you want automatic snapshots to be retained in the destination region before they are deleted, from the Automated snapshot retention period (days) list. Make sure that you choose the same retention period as the one defined in the rule settings, configured in your Trend Cloud One™ – Conformity account.
  3. Choose the value that represents the number of days for which you want manual snapshots to be retained in the destination region before they are deleted, from the Manual snapshot retention period dropdown list. Choose the same retention period as the one defined in the rule settings, configured within your Conformity account.
  4. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 to configure the cross-region snapshot retention period for other Amazon Redshift clusters provisioned within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run modify-snapshot-copy-retention-period command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to reconfigure as the identifier parameter, to modify the number of days to retain automatic cross-region snapshots for the selected cluster, as defined in the conformity rule settings, within your Trend Cloud One™ – Conformity account:

aws redshift modify-snapshot-copy-retention-period \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --retention-period 30 \
  --query 'Cluster.ClusterSnapshotCopyStatus'

02 The command output should return the cross-region snapshot configuration for the modified cluster:

{
	"DestinationRegion": "us-east-2",
	"RetentionPeriod": 30,
	"ManualSnapshotRetentionPeriod": 3
}

03 Run modify-snapshot-copy-retention-period command (OSX/Linux/UNIX) with the --manual flag, using the name of the Amazon Redshift cluster that you want to reconfigure as the identifier parameter, to modify the number of days to retain manual cross-region snapshots for the selected cluster, as defined in the rule settings within your Conformity account (use -1 to retain manual copies indefinitely):

aws redshift modify-snapshot-copy-retention-period \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --manual \
  --retention-period 90 \
  --query 'Cluster.ClusterSnapshotCopyStatus'

04 The command output should return the new cross-region snapshot configuration for the modified Redshift cluster:

{
	"DestinationRegion": "us-east-2",
	"RetentionPeriod": 30,
	"ManualSnapshotRetentionPeriod": 90
}

05 Repeat steps no. 1 – 4 to configure the cross-region snapshot retention period for other Redshift clusters available in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 for other AWS regions.
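The Audit and Remediation procedures above read the same two values from describe-clusters and set them with modify-snapshot-copy-retention-period, one cluster at a time. The following Python script is an added illustration, not part of the Conformity rule, the Trend Cloud One™ product, or the AWS CLI: it evaluates describe-clusters JSON against two thresholds (auto_min and manual_min, which stand in for the values set in the rule settings), treats a cluster without a ClusterSnapshotCopyStatus as having cross-region copy disabled, accepts -1 on manual copies as indefinite retention, rejects thresholds the service could never satisfy, and emits the exact modify-snapshot-copy-retention-period commands needed. The cluster records are a constructed sample shaped like describe-clusters output; load_clusters shows the live call and is not used offline.

```python
"""Audit Redshift cross-region snapshot retention and build remediation commands."""
import json
import subprocess

# Service limits for the copy retention period (ModifySnapshotCopyRetentionPeriod):
# automated copies keep 1..35 days, manual copies 1..3653 days or -1 (indefinite).
AUTO_MAX_DAYS = 35
MANUAL_MAX_DAYS = 3653
INDEFINITE = -1

# Constructed sample in the shape of `aws redshift describe-clusters --output json`.
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "cc-redshift-cluster",
     "ClusterSnapshotCopyStatus": {"DestinationRegion": "us-east-2",
                                   "RetentionPeriod": 1,
                                   "ManualSnapshotRetentionPeriod": 3}},
    {"ClusterIdentifier": "cc-web-data-cluster"},  # cross-region copy not enabled
    {"ClusterIdentifier": "cc-analytics-cluster",
     "ClusterSnapshotCopyStatus": {"DestinationRegion": "us-east-2",
                                   "RetentionPeriod": 35,
                                   "ManualSnapshotRetentionPeriod": INDEFINITE}},
]


def validate_thresholds(auto_min: int, manual_min: int) -> None:
    """Reject rule thresholds that no cluster could ever satisfy."""
    if not 1 <= auto_min <= AUTO_MAX_DAYS:
        raise ValueError(f"automated threshold must be 1..{AUTO_MAX_DAYS} days")
    if not 1 <= manual_min <= MANUAL_MAX_DAYS:
        raise ValueError(f"manual threshold must be 1..{MANUAL_MAX_DAYS} days")


def load_clusters(region: str) -> list:
    """Live fetch through the AWS CLI (needs credentials; not used offline)."""
    out = subprocess.run(
        ["aws", "redshift", "describe-clusters", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)["Clusters"]


def evaluate_cluster(cluster: dict, auto_min: int, manual_min: int) -> dict:
    """Return a finding; 'fix' names the copy types that fall short of the thresholds."""
    validate_thresholds(auto_min, manual_min)
    finding = {"cluster": cluster["ClusterIdentifier"], "copy_enabled": False,
               "automated": None, "manual": None, "fix": []}
    status = cluster.get("ClusterSnapshotCopyStatus")
    if status is None:  # the page's CLI query returns [] for this cluster
        return finding
    finding["copy_enabled"] = True
    finding["automated"] = status.get("RetentionPeriod")
    finding["manual"] = status.get("ManualSnapshotRetentionPeriod")
    if finding["automated"] is None or finding["automated"] < auto_min:
        finding["fix"].append("automated")
    # -1 means copied manual snapshots never expire, which satisfies any threshold.
    if finding["manual"] is None or (
            finding["manual"] != INDEFINITE and finding["manual"] < manual_min):
        finding["fix"].append("manual")
    return finding


def is_compliant(finding: dict) -> bool:
    return finding["copy_enabled"] and not finding["fix"]


def remediation_commands(finding: dict, region: str, auto_min: int, manual_min: int) -> list:
    """CLI invocations that raise the short retention periods to the thresholds.

    A cluster with copy disabled gets no command: enable-snapshot-copy needs a
    destination region and, for KMS-encrypted clusters, a snapshot copy grant,
    so that decision is left to the operator.
    """
    if not finding["copy_enabled"]:
        return []
    base = ["aws", "redshift", "modify-snapshot-copy-retention-period",
            "--region", region, "--cluster-identifier", finding["cluster"]]
    cmds = []
    if "automated" in finding["fix"]:
        cmds.append(" ".join(base + ["--retention-period", str(auto_min)]))
    if "manual" in finding["fix"]:
        cmds.append(" ".join(base + ["--manual", "--retention-period", str(manual_min)]))
    return cmds


def audit(clusters: list, region: str, auto_min: int, manual_min: int) -> list:
    """Evaluate every cluster and attach the remediation commands to each finding."""
    report = []
    for cluster in clusters:
        finding = evaluate_cluster(cluster, auto_min, manual_min)
        finding["commands"] = remediation_commands(finding, region, auto_min, manual_min)
        report.append(finding)
    return report


if __name__ == "__main__":
    for f in audit(SAMPLE_CLUSTERS, "us-east-1", auto_min=30, manual_min=90):
        state = "OK" if is_compliant(f) else "NON-COMPLIANT"
        print(f"{f['cluster']}: {state} automated={f['automated']} manual={f['manual']}")
        for cmd in f["commands"]:
            print("  " + cmd)
```

Run it against a live region by replacing SAMPLE_CLUSTERS with load_clusters("us-east-1") and looping over the regions you operate in; the generated commands are printed rather than executed so they can be reviewed before any retention period is changed. The threshold check matters in practice: a rule setting above 35 days for automated copies can never be met, so the script refuses it instead of reporting every cluster as non-compliant.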

Publication date Jan 15, 2024