
Redshift Desired Node Type

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RS-022

Determine if your existing Amazon Redshift cluster nodes have the desired type established by your organization based on the workload deployed. Cloud Conformity provides you with the capability to define the desired node types based on your workload requirements upon enabling this rule.

This rule can help you with the following compliance standards:

  • APRA

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits for the type of AWS Redshift cluster nodes will help you address internal compliance requirements and prevent unexpected charges on your AWS bill.

Note 1: You can also limit your Amazon Redshift nodes to the desired instance types using AWS Organizations service by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.
Note 2: The desired Redshift node type used as an example in this conformity rule is ds1.xlarge. To meet your own organizational requirements, you will need to configure this rule with your desired node type.


Audit

To determine if the existing nodes provisioned within your Redshift clusters have the desired node type, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine then click on its identifier/name link, listed in the Cluster column.

05 Within Cluster Properties section, check the Node Type attribute value to determine the type of the node(s) provisioned within the selected cluster.

06 Repeat steps no. 4 and 5 to verify the node type used by the rest of the AWS Redshift clusters provisioned in the selected region.

07 If the Node Type attribute value is not the same for all available Redshift clusters, one or more clusters in the current region were not launched using the desired node type. In that case you must take action and create an AWS support case to limit cluster provisioning to the desired node type only (see the Remediation/Resolution section).

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for all other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the type of the nodes provisioned within the existing Redshift clusters, available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--query 'Clusters[*].[ClusterIdentifier,NodeType]'

02 The command output should return an array that contains pairs of metadata representing the identifier and the node(s) type for each Redshift cluster currently available:

[
    [
        "cc-webapp-cluster",
        "ds1.xlarge"
    ],
    [
        "cc-redshift-bgdb",
        "dc1.large"
    ]
]

If the node type listed in the command output is not the same for all your Redshift clusters, one or more clusters in the current region were not created using the desired node type. In that case you must take action and raise an AWS support case to limit cluster creation to the desired/required node type only.

03 Repeat steps no. 1 and 2 to perform the audit process for all other AWS regions.
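The CLI audit above can be scripted so that every cluster in a region is compared against the organization's desired node type instead of being read by eye. The script below is an added example, not part of the Conformity rule or of any AWS tooling. It assumes the same describe-clusters query as step no. 1 but with --output text, which prints one cluster per line as identifier and node type separated by a tab; the sample input embedded in the script is constructed to match the JSON output shown in step no. 2, and the desired node type defaults to the page's example value ds1.xlarge. The audit_region function is the only part that calls the AWS CLI and needs credentials; the check itself runs offline.

```shell
#!/bin/sh
# Added example (not from the Conformity page): flag Amazon Redshift clusters
# whose node type differs from the desired type set by the organization.
# DESIRED_NODE_TYPE defaults to the page's example value; override it with
# the type your organization actually requires.
DESIRED_NODE_TYPE="${DESIRED_NODE_TYPE:-ds1.xlarge}"

# Constructed sample in the shape produced by
#   aws redshift describe-clusters \
#       --query 'Clusters[*].[ClusterIdentifier,NodeType]' --output text
# i.e. one cluster per line: "<ClusterIdentifier><TAB><NodeType>".
# The identifiers and node types mirror the JSON output shown in step no. 2.
SAMPLE_CLUSTERS="$(printf 'cc-webapp-cluster\tds1.xlarge\ncc-redshift-bgdb\tdc1.large\n')"

# check_node_types DESIRED
#   Reads "identifier<TAB>nodetype" lines from stdin and prints one
#   NON-COMPLIANT line per cluster whose node type is not DESIRED.
#   Exit status 0 when every cluster matches, 1 when at least one does not.
check_node_types() {
    desired="$1"
    mismatched=0
    # The loop reads the function's own stdin (no pipe inside the function),
    # so the mismatched counter survives the loop in POSIX sh.
    while IFS="$(printf '\t')" read -r cluster_id node_type; do
        [ -z "$cluster_id" ] && continue
        if [ "$node_type" != "$desired" ]; then
            echo "NON-COMPLIANT: $cluster_id uses $node_type (desired: $desired)"
            mismatched=$((mismatched + 1))
        else
            echo "OK: $cluster_id uses $node_type"
        fi
    done
    [ "$mismatched" -eq 0 ]
}

# count_noncompliant DESIRED
#   Same input as check_node_types; prints only the number of clusters that
#   do not use DESIRED. Always exits 0 so it is safe under `set -e`.
count_noncompliant() {
    check_node_types "$1" | grep -c '^NON-COMPLIANT' || true
}

# audit_region REGION
#   Live audit of one region (step no. 1 of the CLI procedure, with
#   --output text). Requires the AWS CLI and credentials with
#   redshift:DescribeClusters permission.
audit_region() {
    region="$1"
    echo "Auditing Redshift clusters in $region (desired node type: $DESIRED_NODE_TYPE)"
    aws redshift describe-clusters \
        --region "$region" \
        --query 'Clusters[*].[ClusterIdentifier,NodeType]' \
        --output text \
        | check_node_types "$DESIRED_NODE_TYPE"
}

# Stand-alone demonstration on the constructed sample; no AWS access needed.
# For a real audit replace this with e.g.:  audit_region us-east-1
printf '%s\n' "$SAMPLE_CLUSTERS" | check_node_types "$DESIRED_NODE_TYPE" \
    || echo "Action required: raise an AWS support case to limit cluster creation to $DESIRED_NODE_TYPE (see Remediation / Resolution)."
```

To cover all regions as step no. 3 requires, loop audit_region over the output of `aws ec2 describe-regions --query 'Regions[].RegionName' --output text`; the exit status of check_node_types makes the script usable as a gate in a scheduled compliance job.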

Remediation / Resolution

To limit new Amazon Redshift cluster nodes to the desired node type, raise an AWS support case where you explain why you need this type of limitation. For any existing Redshift clusters launched with a different node type, take a snapshot of each affected cluster and restore it into a new cluster that uses the desired node type.
To create the necessary AWS support case, perform the following actions:

Note: Creating a support case to request the node type limitation using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Create Case page, perform the following:

  1. Under Regarding, select Account and Billing Support.
  2. Choose Other Account Issues from the Category dropdown list.
  3. In the Subject field, enter the request subject, e.g. "Limit AWS Redshift clusters launch to a desired node type".
  4. In the Description textbox, enter a brief description where you explain why you need to limit the provisioning of Redshift nodes to a specific type so that AWS support can evaluate your case faster.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services.

Publication date Sep 28, 2017
