Enable Enhanced VPC Routing

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Enhanced VPC Routing feature is enabled for your Amazon Redshift data warehouse clusters in order to force the traffic between your clusters and your AWS cloud resources to pass through the Virtual Private Cloud (VPC) and not through the Internet, allowing you to control your network traffic. By using Enhanced VPC Routing, you can use standard VPC network features, such as VPC security groups, Network Access Control Lists (NACLs), VPC endpoints, VPC endpoint policies, Internet gateways, and Domain Name System (DNS) servers. You use these VPC features to tightly manage the flow of data between your Amazon Redshift clusters and other cloud resources.

This rule can help you work with the AWS Well-Architected Framework.

Security

By default, network traffic between Amazon Redshift and other AWS cloud resources, such as Amazon S3 buckets, is routed over the Internet, outside your VPC, even when both ends of the connection sit inside the AWS network, so none of the VPC controls listed above can observe or restrict it. When the Enhanced VPC Routing feature is enabled for your Redshift clusters, Amazon Redshift routes that traffic through your VPC instead. Enhanced VPC Routing uses the routing options available in the VPC, prioritizing the most specific route: a VPC endpoint is used first; if no VPC endpoint is available, Amazon Redshift routes the traffic through an Internet gateway, a NAT instance, or a NAT gateway. Once the feature is enabled, all COPY and UNLOAD traffic between your clusters and your data repositories is forced through your VPC network, where you can monitor it with VPC flow logs and constrain it with endpoint policies. Enabling the feature only changes where the traffic is routed: if the cluster's VPC has no path to the data source (no S3 VPC endpoint, NAT gateway or Internet gateway), COPY and UNLOAD operations cannot reach it and fail until a path is added.


Audit

To determine if Enhanced VPC Routing is enabled for your Amazon Redshift clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

03 In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.

04 Click on the name (link) of the Redshift cluster that you want to examine.

05 Choose the Properties tab to access the cluster network and security configuration details.

06 In the Network and security settings section, check the Enhanced VPC routing feature status. If the Enhanced VPC routing status is set to Disabled, the Enhanced VPC Routing security feature is not enabled for the selected Amazon Redshift data warehouse cluster.

07 Repeat steps no. 4 – 6 for each Redshift cluster deployed within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifier (name) of each Amazon Redshift cluster available in the selected region:

aws redshift describe-clusters \
  --region us-east-1 \
  --output table \
  --query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

-------------------------
|   DescribeClusters    |
+-----------------------+
|  cc-redshift-cluster  |
|  cc-project5-cluster  |
|  cc-analytics-cluster |
+-----------------------+ 

03 Run describe-clusters command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to examine as the identifier parameter and custom query filters to describe the status of the Enhanced VPC Routing feature available for the selected cluster:

aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --query 'Clusters[*].EnhancedVpcRouting'

04 The command output should return the requested feature status:

[
	false
]

If the describe-clusters command output returns false, as shown in the output example above, the Enhanced VPC Routing security feature is not enabled for the selected Amazon Redshift data warehouse cluster.

05 Repeat steps no. 3 and 4 for each Redshift cluster provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS regions.
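The manual loop over clusters and regions in steps 1 to 6 is tedious and error-prone across a large account. The script below is an added example (not part of the Conformity page or the AWS CLI) that performs the same describe-clusters check in one pass over every Region, treats a missing EnhancedVpcRouting flag as disabled (the API default), and also reports whether each non-compliant cluster is publicly accessible, which matters when deciding which path to give it later. The function names and the embedded sample response are this example's own; the live `main()` needs boto3 and credentials with redshift:DescribeClusters.

```python
"""Audit Enhanced VPC Routing on every Amazon Redshift cluster in every Region.

Added example (not part of the Conformity page or the AWS CLI): it loops the
describe-clusters check from the steps above over all Regions in one pass.
The function and variable names are this example's own.
"""
from typing import Dict, Iterable, List


def noncompliant_clusters(clusters: Iterable[Dict]) -> List[Dict]:
    """Return one finding per cluster whose EnhancedVpcRouting flag is not True.

    `clusters` is the "Clusters" list of a describe-clusters response. A missing
    key is treated as disabled, which is the API default for the feature.
    """
    findings = []
    for cluster in clusters:
        if cluster.get("EnhancedVpcRouting") is not True:
            findings.append({
                "ClusterIdentifier": cluster["ClusterIdentifier"],
                "VpcId": cluster.get("VpcId"),
                "PubliclyAccessible": cluster.get("PubliclyAccessible"),
                "Reason": "Enhanced VPC Routing disabled: COPY/UNLOAD traffic "
                          "bypasses VPC security groups, NACLs, endpoint policies "
                          "and flow logs",
            })
    return findings


def audit_region(redshift_client) -> List[Dict]:
    """Page through describe-clusters (boto3 paginator) and evaluate every cluster."""
    clusters = []
    for page in redshift_client.get_paginator("describe_clusters").paginate():
        clusters.extend(page["Clusters"])
    return noncompliant_clusters(clusters)


# Constructed sample in the shape of a describe-clusters response, so the
# check above can be exercised without AWS credentials.
SAMPLE_RESPONSE = {
    "Clusters": [
        {"ClusterIdentifier": "cc-redshift-cluster", "VpcId": "vpc-1234abcd",
         "EnhancedVpcRouting": False, "PubliclyAccessible": False},
        {"ClusterIdentifier": "cc-project5-cluster", "VpcId": "vpc-1234abcd",
         "EnhancedVpcRouting": True, "PubliclyAccessible": False},
        {"ClusterIdentifier": "cc-analytics-cluster", "VpcId": "vpc-5678efgh",
         "PubliclyAccessible": True},   # flag absent: treated as disabled
    ]
}


def main() -> None:
    """Live audit: needs boto3 and credentials with redshift:DescribeClusters."""
    import boto3
    from botocore.exceptions import BotoCoreError, ClientError

    session = boto3.Session()
    total = 0
    for region in session.get_available_regions("redshift"):
        try:
            findings = audit_region(session.client("redshift", region_name=region))
        except (BotoCoreError, ClientError) as exc:   # e.g. an opt-in Region not enabled
            print(f"{region}: skipped ({exc})")
            continue
        for finding in findings:
            total += 1
            print(f"{region}\t{finding['ClusterIdentifier']}\t{finding['VpcId']}\t"
                  f"public={finding['PubliclyAccessible']}\t{finding['Reason']}")
    print(f"{total} non-compliant cluster(s)")


if __name__ == "__main__":
    main()
```

Run it with the same credentials you would use for the CLI steps; each output line is one non-compliant cluster with its Region, VPC and public-accessibility flag, which is the list you feed into the Remediation section below.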

Remediation / Resolution

To enable Enhanced VPC Routing for your existing Amazon Redshift clusters and force cluster traffic through a Virtual Private Cloud (VPC) network, perform the following operations:

Note: Before you enable Enhanced VPC Routing, make sure that your Amazon Redshift cluster meets the following requirements and constraints:
  • Your Redshift cluster is running within a VPC.
  • Domain Name System (DNS) resolution is enabled for your VPC network.
  • DNS hostnames are enabled in your VPC (DNS hostnames are enabled by default).
  • If you attach an Amazon S3 VPC endpoint, your Redshift cluster uses the VPC endpoint only for access to Amazon S3 buckets in the same AWS region. To access buckets in another AWS region (i.e. not using the VPC endpoint) or to access other AWS cloud services, make your Redshift cluster publicly accessible or use a Network Address Translation (NAT) gateway.
  • Your Virtual Private Cloud (VPC) endpoint policies allow access to any Amazon S3 buckets used with COPY, UNLOAD, or CREATE LIBRARY calls in Amazon Redshift, including access to any manifest files involved.

Using AWS CloudFormation

01 CloudFormation template (JSON). The template provisions a new cluster with Enhanced VPC Routing enabled; for a cluster that CloudFormation already manages, set "EnhancedVpcRouting": true on its existing AWS::Redshift::Cluster resource instead of creating a second cluster. The parameter patterns follow the Amazon Redshift naming rules (lowercase identifiers; a master password of 8 to 64 characters with at least one uppercase letter, one lowercase letter and one digit). NoEcho keeps the password out of the console and describe-stacks output but not out of the hands of whoever deploys the stack; a Secrets Manager dynamic reference is the usual replacement in production:

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Enhanced VPC Routing",
	"Parameters": {
		"ClusterName": {
			"Default": "cc-redshift-cluster",
			"Description": "Redshift cluster name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[a-z](?:[a-z0-9]|-(?=[a-z0-9]))*$",
			"ConstraintDescription": "Must begin with a lowercase letter, contain only lowercase letters, digits and hyphens, and must not end with a hyphen or contain two consecutive hyphens."
		},
		"ClusterNodeType": {
			"Default": "dc2.large",
			"Description": "Cluster node type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid cluster node type."
		},
		"DBName": {
			"Description": "Cluster database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "^[a-z][a-z0-9]*$",
			"ConstraintDescription": "Must begin with a lowercase letter and contain only lowercase letters and digits."
		},
		"DBUsername": {
			"Description": "Master username for cluster database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "^[a-z][a-z0-9_]*$",
			"ConstraintDescription": "Must begin with a lowercase letter and contain only lowercase letters, digits and underscores."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for cluster database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "64",
			"AllowedPattern": "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{8,64}$",
			"ConstraintDescription": "Must be 8 to 64 alphanumeric characters and contain at least one uppercase letter, one lowercase letter and one digit."
		}
	},
	"Resources": {
		"ClusterSubnetGroup": {
			"Type": "AWS::Redshift::ClusterSubnetGroup",
			"Properties": {
				"Description": "cc-custom-subnet-group",
				"SubnetIds": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				]
			}
		},
		"RedshiftCluster": {
			"Type": "AWS::Redshift::Cluster",
			"Properties": {
				"ClusterIdentifier": {
					"Ref": "ClusterName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"NodeType": {
					"Ref": "ClusterNodeType"
				},
				"ClusterSubnetGroupName": {
					"Ref": "ClusterSubnetGroup"
				},
				"ClusterType": "single-node",
				"AllowVersionUpgrade": true,
				"EnhancedVpcRouting": true
			}
		}
	}
}

02 CloudFormation template (YAML), equivalent to the JSON template above:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Enhanced VPC Routing
Parameters:
  ClusterName:
    Default: cc-redshift-cluster
    Description: Redshift cluster name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: '^[a-z](?:[a-z0-9]|-(?=[a-z0-9]))*$'
    ConstraintDescription: Must begin with a lowercase letter, contain only lowercase
      letters, digits and hyphens, and must not end with a hyphen or contain two
      consecutive hyphens.
  ClusterNodeType:
    Default: dc2.large
    Description: Cluster node type
    Type: String
    ConstraintDescription: Must provide a valid cluster node type.
  DBName:
    Description: Cluster database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '^[a-z][a-z0-9]*$'
    ConstraintDescription: Must begin with a lowercase letter and contain only
      lowercase letters and digits.
  DBUsername:
    Description: Master username for cluster database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '^[a-z][a-z0-9_]*$'
    ConstraintDescription: Must begin with a lowercase letter and contain only
      lowercase letters, digits and underscores.
  DBPassword:
    NoEcho: 'true'
    Description: Password for cluster database access
    Type: String
    MinLength: '8'
    MaxLength: '64'
    AllowedPattern: '^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{8,64}$'
    ConstraintDescription: Must be 8 to 64 alphanumeric characters and contain at
      least one uppercase letter, one lowercase letter and one digit.
Resources:
  ClusterSubnetGroup:
    Type: AWS::Redshift::ClusterSubnetGroup
    Properties:
      Description: cc-custom-subnet-group
      SubnetIds:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterName
      DBName: !Ref DBName
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      NodeType: !Ref ClusterNodeType
      ClusterSubnetGroupName: !Ref ClusterSubnetGroup
      ClusterType: single-node
      AllowVersionUpgrade: true
      # Force COPY/UNLOAD traffic through the VPC
      EnhancedVpcRouting: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_redshift_subnet_group" "redshift-custom-subnet-group" {
	name       = "cc-custom-subnet-group"
	subnet_ids = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
}

# The master password is supplied at apply time (for example via TF_VAR_master_password
# or a secrets backend) instead of being committed to the configuration. It must also
# satisfy the Redshift rules: 8 to 64 characters with at least one uppercase letter,
# one lowercase letter and one digit, otherwise cluster creation fails.
variable "master_password" {
	description = "Master user password for the Redshift cluster"
	type        = string
	sensitive   = true
}

resource "aws_redshift_cluster" "redshift-database-cluster" {
	cluster_identifier        = "cc-redshift-prod-cluster"
	node_type                 = "dc2.large"
	database_name             = "clusterdb"
	master_username           = "masterdbuser"
	master_password           = var.master_password
	cluster_type              = "single-node"
	allow_version_upgrade     = true
	cluster_subnet_group_name = aws_redshift_subnet_group.redshift-custom-subnet-group.name

	# Enable Enhanced VPC Routing (force COPY/UNLOAD traffic through the VPC)
	enhanced_vpc_routing = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2.

03 In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.

04 Click on the name of the Redshift cluster that you want to reconfigure.

05 Choose the Properties tab to access the cluster network and security configuration details.

06 In the Network and security settings section, choose Edit to modify the cluster network configuration.

07 On the Edit network and security configuration page, choose Enable under Enhanced VPC routing to enable the Enhanced VPC Routing security feature for the selected Redshift cluster. Choose Save changes to apply the configuration changes. Once the reconfiguration process is complete, the cluster status should change from Modifying to Available.

08 When Enhanced VPC Routing is enabled, it does not automatically enable traffic flow through a Virtual Private Cloud (VPC). You must specifically create a network path between the VPC network associated with your Redshift cluster and your data resources. To make use of the Enhanced VPC Routing feature, you can configure the following pathways in your cluster's VPC:

  1. VPC endpoints – for traffic to an Amazon S3 bucket in the same AWS region as your Redshift cluster, create a VPC endpoint for Amazon S3 so that the traffic goes directly to the bucket without leaving the AWS network. When you use a VPC endpoint, you can attach an endpoint policy to manage which Amazon S3 data the cluster may reach.
  2. NAT gateway – if you need to reach an Amazon S3 bucket in another AWS region, another AWS service, or a host outside the AWS network, configure a Network Address Translation (NAT) gateway in the cluster's VPC and route the cluster subnets through it.
  3. Internet gateway – to reach AWS services outside your VPC, attach an Internet gateway (IGW) to the VPC and route the cluster subnets to it. To use an Internet gateway, your Redshift cluster must have a public IP address (be publicly accessible) so that other services can communicate with it; this also makes the cluster endpoint reachable from the Internet, subject to its security group, so prefer the VPC endpoint or NAT gateway path where it suffices.

09 Repeat steps no. 4 – 7 to enable Enhanced VPC Routing for other Redshift clusters deployed within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run modify-cluster command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to reconfigure as the identifier parameter, to enable the Enhanced VPC Routing security feature for the selected cluster:

aws redshift modify-cluster \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --enhanced-vpc-routing

02 The command output should return the configuration metadata available for the reconfigured cluster:

{
	"Cluster": {
		"ClusterIdentifier": "cc-redshift-cluster",
		"NodeType": "dc2.large",
		"MasterUsername": "dbauser",
		"DBName": "prod",
		"Endpoint": {
			"Address": "cc-redshift-cluster.abcd1234abcd.us-east-1.redshift.amazonaws.com",
			"Port": 5439
		},
		"ClusterCreateTime": "2021-12-09T16:49:23.357000+00:00",
		"AutomatedSnapshotRetentionPeriod": 1,
		"ManualSnapshotRetentionPeriod": -1,
		"ClusterSecurityGroups": [],
		"VpcSecurityGroups": [
			{
				"VpcSecurityGroupId": "sg-abcdabcd",
				"Status": "active"
			}
		],
		"ClusterParameterGroups": [
			{
				"ParameterGroupName": "default.redshift-1.0",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"ClusterSubnetGroupName": "default",
		"VpcId": "vpc-1234abcd",
		"AvailabilityZone": "us-east-1e",
		"PreferredMaintenanceWindow": "wed:07:30-wed:08:00",
		"PendingModifiedValues": {},
		"ClusterVersion": "1.0",
		"AllowVersionUpgrade": true,
		"NumberOfNodes": 1,
		"PubliclyAccessible": false,
		"Encrypted": false,
		"ClusterSnapshotCopyStatus": {
			"DestinationRegion": "us-west-1",
			"RetentionPeriod": 7,
			"ManualSnapshotRetentionPeriod": 14
		},
		"Tags": [],
		"EnhancedVpcRouting": true,
		"IamRoles": [],
		"MaintenanceTrackName": "current",
		"DeferredMaintenanceWindows": [],
		"NextMaintenanceWindowStartTime": "2021-12-22T07:30:00+00:00",
		"TotalStorageCapacityInMegaBytes": 400000,
		"AquaConfiguration": {
			"AquaStatus": "disabled",
			"AquaConfigurationStatus": "auto"
		},
		"ClusterStatus": "modifying",
		"ClusterAvailabilityStatus": "Modifying"
	}
}

03 Enabling the Enhanced VPC Routing feature does not automatically enable traffic flow through a VPC network. You must specifically create a network path between the VPC network associated with your Redshift cluster and your data resources. To make use of the Enhanced VPC Routing feature, you can configure the following pathways in your cluster's VPC:

  1. VPC endpoints – for traffic to an Amazon S3 bucket in the same AWS region as your Redshift cluster, create a VPC endpoint for Amazon S3 so that the traffic goes directly to the bucket without leaving the AWS network. When you use a VPC endpoint, you can attach an endpoint policy to manage which Amazon S3 data the cluster may reach.
  2. NAT gateway – if you need to reach an Amazon S3 bucket in another AWS region, another AWS service, or a host outside the AWS network, configure a Network Address Translation (NAT) gateway in the cluster's VPC and route the cluster subnets through it.
  3. Internet gateway – to reach AWS services outside your VPC, attach an Internet gateway (IGW) to the VPC and route the cluster subnets to it. To use an Internet gateway, your Redshift cluster must have a public IP address (be publicly accessible) so that other services can communicate with it; this also makes the cluster endpoint reachable from the Internet, subject to its security group, so prefer the VPC endpoint or NAT gateway path where it suffices.

04 Repeat steps no. 1 and 2 to enable Enhanced VPC Routing for other Amazon Redshift clusters provisioned in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other regions.
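Because step 3 (and step 8 of the console procedure) warns that enabling the feature creates no network path by itself, a practitioner flipping the flag on a production cluster wants a preflight that confirms a path exists first, otherwise the next COPY or UNLOAD fails. The script below is an added example (not part of the Conformity page, the AWS CLI or boto3's own tooling): it refuses to call modify-cluster unless the cluster's VPC already has an available S3 gateway endpoint for the Region, the endpoint type the pathway list above refers to, then applies the change and polls until the cluster returns to "available" with EnhancedVpcRouting reported as true. It does not inspect route tables, so a VPC that relies on a NAT gateway rather than an S3 endpoint is reported as blocked; that is a simplification of this example, not a rule of the service. Function names and the embedded sample endpoint list are this example's own; the live `main()` needs boto3 and credentials with redshift:DescribeClusters, redshift:ModifyCluster and ec2:DescribeVpcEndpoints.

```python
"""Enable Enhanced VPC Routing on one cluster after a preflight for a VPC path to S3.

Added example (not part of the Conformity page or the AWS CLI). The preflight
accepts only an available S3 *gateway* endpoint in the cluster's VPC; a NAT
gateway path is not detected (simplification of this example). Function names
and sample data are this example's own.
"""
import time
from typing import Dict, Iterable, Optional, Tuple


def s3_gateway_endpoint_id(vpc_endpoints: Iterable[Dict], vpc_id: str, region: str) -> Optional[str]:
    """Return the ID of an available S3 gateway endpoint in `vpc_id`, else None.

    `vpc_endpoints` is the "VpcEndpoints" list from EC2 describe-vpc-endpoints.
    Gateway endpoints only serve S3 buckets in the same Region, hence the
    Region-specific service name.
    """
    service = f"com.amazonaws.{region}.s3"
    for endpoint in vpc_endpoints:
        if (endpoint.get("VpcId") == vpc_id
                and endpoint.get("ServiceName") == service
                and endpoint.get("VpcEndpointType") == "Gateway"
                and endpoint.get("State") == "available"):
            return endpoint["VpcEndpointId"]
    return None


def plan(cluster: Dict, vpc_endpoints: Iterable[Dict], region: str) -> Tuple[str, str]:
    """Decide for one describe-clusters entry: ("skip"|"enable"|"blocked", reason)."""
    if cluster.get("EnhancedVpcRouting") is True:
        return "skip", "Enhanced VPC Routing is already enabled"
    vpc_id = cluster.get("VpcId")
    if not vpc_id:
        return "blocked", "cluster is not in a VPC; Enhanced VPC Routing requires a VPC"
    endpoint = s3_gateway_endpoint_id(vpc_endpoints, vpc_id, region)
    if endpoint is None:
        return "blocked", (f"no available S3 gateway endpoint in {vpc_id}; add one "
                           "(or a NAT gateway) first or COPY/UNLOAD will fail")
    return "enable", f"S3 gateway endpoint {endpoint} present in {vpc_id}"


def enable_and_wait(redshift_client, cluster_id: str,
                    poll_seconds: float = 30, timeout_seconds: float = 1800) -> str:
    """Call modify-cluster with EnhancedVpcRouting=True and poll until it is applied."""
    redshift_client.modify_cluster(ClusterIdentifier=cluster_id, EnhancedVpcRouting=True)
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        desc = redshift_client.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
        if desc.get("ClusterStatus") == "available" and desc.get("EnhancedVpcRouting") is True:
            return "available"
        time.sleep(poll_seconds)
    raise TimeoutError(f"{cluster_id} did not return to 'available' in {timeout_seconds}s")


# Constructed sample in the shape of describe-vpc-endpoints output: one gateway
# endpoint in vpc-1234abcd, and only an interface endpoint in vpc-5678efgh.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0123456789abcdef0", "VpcId": "vpc-1234abcd",
     "ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "State": "available"},
    {"VpcEndpointId": "vpce-0fedcba9876543210", "VpcId": "vpc-5678efgh",
     "ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Interface",
     "State": "available"},
]


def main(cluster_id: str, region: str) -> None:
    """Live run: needs boto3, redshift:Describe/ModifyCluster and ec2:DescribeVpcEndpoints."""
    import boto3
    redshift = boto3.client("redshift", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    cluster = redshift.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    endpoints = []
    if cluster.get("VpcId"):
        endpoints = ec2.describe_vpc_endpoints(
            Filters=[{"Name": "vpc-id", "Values": [cluster["VpcId"]]}])["VpcEndpoints"]
    action, reason = plan(cluster, endpoints, region)
    print(f"{cluster_id}: {action} ({reason})")
    if action == "enable":
        print(f"{cluster_id}: {enable_and_wait(redshift, cluster_id)}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "us-east-1")
```

Invoke it as `python enable_evr.py cc-redshift-cluster us-east-1`. A "blocked" result is the useful outcome: it tells you to create the S3 endpoint (and, if the cluster also reaches buckets in other regions or other services, a NAT gateway) before enabling the feature, rather than discovering the missing path from failed COPY jobs.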

Publication date Feb 6, 2021