Redshift clusters should be encrypted

Description

Ensure that AWS RedShift clusters are encrypted.

Rationale

Encrypting Redshift clusters protects your sensitive data from unauthorized access.

Remediation

From the console

Follow the Changing cluster encryption docs to ensure your clusters are encrypted.

From the command line

  1. Run describe-clusters with your cluster identifier.

     aws redshift describe-clusters \
         --cluster-identifier cluster-name
    
  2. Run create-cluster using the configuration details returned in step 1 along with the encrypted flag.

     aws redshift create-cluster \
         --cluster-identifier cluster-name \
         --encrypted
    
  3. Run describe-cluster with a query filter to expose the new endpoint address.

     aws redshift describe-clusters \
         --cluster-identifier cluster-name \
         --query 'Clusters[*].Endpoint.Address'
    
  4. Use the cluster endpoint URL with the Amazon Redshift Unload/Copy tool.

  5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.

  6. Once the endpoint is changed, run delete-cluster to remove the old unencrypted cluster.

     aws redshift delete-cluster \
         --cluster-identifier old-cluster \
         --final-cluster-snapshot-identifier old-cluster-finalsnapshot
    
PREVIEWING: may/unit-testing