Configure Preferred Maintenance Window

Risk Level: Medium (should be achieved)

Ensure that your Amazon Redshift data warehouse clusters are configured with a preferred maintenance window. The preferred maintenance window is the weekly time range during which maintenance operations are performed on your managed Redshift clusters. The window defines when a maintenance deployment or operation begins; if required, the maintenance itself can take longer to complete. Before running this conformity rule, the preferred maintenance window must be configured in the rule settings, on the Trend Micro Cloud One™ – Conformity console, per AWS region, using the format ddd:hh24:mi-ddd:hh24:mi. The valid values for days are mon, tue, wed, thu, fri, sat, and sun. The window must be specified in Coordinated Universal Time (UTC) and must be at least 30 minutes long, for example sun:05:30-sun:06:00.

This rule can help you work with the AWS Well-Architected Framework.

Reliability

Amazon Web Services (AWS) performs regular system maintenance on managed Redshift clusters. The maintenance involves updates to the cluster instances' underlying hardware, to the underlying operating system (e.g. security patches and performance improvements), or to the Redshift engine version (i.e. minor engine upgrades). The default maintenance window is a 30-minute window selected at random from an 8-hour block of time assigned to each AWS cloud region, occurring on a random day of the week. Because your Amazon Redshift data warehouse clusters may become unavailable during maintenance operations, for the security and stability of your data you should configure the maintenance window to a time at which your Redshift clusters are under their lowest load and the disruption is minimal. This is the preferred maintenance window, and it must match the weekly time range configured in the conformity rule settings.

Audit

To determine if there is a preferred maintenance window configured for your Amazon Redshift clusters, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Configure Preferred Maintenance Window for Redshift Clusters conformity rule settings and identify the preferred maintenance window defined for your Amazon Redshift clusters in the specified AWS cloud region.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2.

04 In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.

05 Click on the name (link) of the Redshift data warehouse cluster that you want to examine.

06 Select the Maintenance tab to access the maintenance configuration settings available for the selected cluster.

07 In the Maintenance detail section, check the Maintenance window attribute value. Compare the Maintenance window value (time frame) with the maintenance window defined for your Amazon Redshift clusters within the selected AWS region, identified at step no. 1. If the configured maintenance window is different from the one identified at step no. 1, the preferred maintenance window configured for the selected Amazon Redshift cluster is not compliant.

08 Repeat steps no. 5 – 7 for each Redshift cluster deployed within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Configure Preferred Maintenance Window for Redshift Clusters conformity rule settings and identify the preferred maintenance window defined for your Amazon Redshift clusters in the specified AWS region.

02 Run the describe-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifier (name) of each Amazon Redshift cluster available in the selected region:

aws redshift describe-clusters \
  --region us-east-1 \
  --output table \
  --query 'Clusters[*].ClusterIdentifier'

03 The command output should return a table with the requested cluster names:

-------------------------
|   DescribeClusters    |
+-----------------------+
|  cc-redshift-cluster  |
|  cc-project5-cluster  |
+-----------------------+

04 Run the describe-clusters command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to examine as the identifier parameter, with custom query filters, to describe the preferred maintenance window configured for the selected cluster:

aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --query 'Clusters[*].PreferredMaintenanceWindow'

05 The command output should return the requested configuration information:

[
	"mon:09:00-mon:09:30"
]

If the maintenance window (weekly time range) returned by the describe-clusters command is different from the one identified at step no. 1, the preferred maintenance window set for the selected Amazon Redshift data warehouse cluster is not compliant.

06 Repeat steps no. 4 and 5 for each Redshift cluster provisioned in the selected AWS region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Audit process for other AWS cloud regions.
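The window format described in the rule description and the comparison performed in the CLI audit above can be scripted. The following Python script is an added example and is not part of this article or of Conformity: it validates a ddd:hh24:mi-ddd:hh24:mi window (valid day names, 00-23 hours, 00-59 minutes, at least 30 minutes long, wrapping across the end of the UTC week) and then reports every cluster in a describe-clusters JSON response whose PreferredMaintenanceWindow differs from the window set in the rule settings. The describe-clusters output is a constructed sample so the script runs offline; in practice, feed it the output of `aws redshift describe-clusters --output json` for each region.

```python
import json
import re

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
WINDOW_RE = re.compile(r"^([a-z]{3}):(\d{2}):(\d{2})-([a-z]{3}):(\d{2}):(\d{2})$")
WEEK_MINUTES = 7 * 24 * 60

def window_minutes(window: str) -> int:
    """Length of a ddd:hh24:mi-ddd:hh24:mi window in minutes; ValueError if malformed.
    Times are UTC; an end that precedes its start wraps around the end of the week."""
    m = WINDOW_RE.match(window)
    if not m:
        raise ValueError(f"not in ddd:hh24:mi-ddd:hh24:mi format: {window!r}")
    d1, h1, mi1, d2, h2, mi2 = m.groups()
    if d1 not in DAYS or d2 not in DAYS:
        raise ValueError(f"day must be one of {DAYS}: {window!r}")
    if not all(int(h) < 24 and int(mi) < 60 for h, mi in ((h1, mi1), (h2, mi2))):
        raise ValueError(f"hour must be 00-23 and minute 00-59: {window!r}")
    start = (DAYS.index(d1) * 24 + int(h1)) * 60 + int(mi1)
    end = (DAYS.index(d2) * 24 + int(h2)) * 60 + int(mi2)
    return (end - start) % WEEK_MINUTES

def is_valid_window(window: str) -> bool:
    """True when the window is well-formed and at least 30 minutes long."""
    try:
        return window_minutes(window) >= 30
    except ValueError:
        return False

def audit_clusters(describe_output: str, expected_window: str) -> list:
    """Return [(cluster_id, actual_window)] for every cluster whose
    PreferredMaintenanceWindow differs from the window set in the rule settings."""
    if not is_valid_window(expected_window):
        raise ValueError(f"rule window is not acceptable: {expected_window!r}")
    clusters = json.loads(describe_output)["Clusters"]
    return [(c["ClusterIdentifier"], c.get("PreferredMaintenanceWindow"))
            for c in clusters if c.get("PreferredMaintenanceWindow") != expected_window]

# Constructed sample in the shape of `aws redshift describe-clusters --output json`
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Clusters": [
    {"ClusterIdentifier": "cc-redshift-cluster", "PreferredMaintenanceWindow": "sun:05:30-sun:06:00"},
    {"ClusterIdentifier": "cc-project5-cluster", "PreferredMaintenanceWindow": "mon:09:00-mon:09:30"},
]})

if __name__ == "__main__":
    for cid, window in audit_clusters(SAMPLE_DESCRIBE_OUTPUT, "sun:05:30-sun:06:00"):
        print(f"NON-COMPLIANT {cid}: {window}")
```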

Remediation / Resolution

To update the preferred maintenance window for your existing Amazon Redshift clusters, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure Preferred Maintenance Window",
	"Parameters": {
		"ClusterName": {
			"Default": "cc-redshift-cluster",
			"Description": "Redshift cluster name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"ClusterNodeType": {
			"Default": "dc2.large",
			"Description": "Cluster node type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid cluster node type."
		},
		"DBName": {
			"Description": "Cluster database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Master username for cluster database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for cluster database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RedshiftCluster": {
			"Type": "AWS::Redshift::Cluster",
			"Properties": {
				"ClusterIdentifier": {
					"Ref": "ClusterName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"NodeType": {
					"Ref": "ClusterNodeType"
				},
				"ClusterType": "single-node",
				"AllowVersionUpgrade": true,
				"PreferredMaintenanceWindow": "sun:04:30-sun:05:00"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Preferred Maintenance Window
Parameters:
  ClusterName:
    Default: cc-redshift-cluster
    Description: Redshift cluster name
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
  ClusterNodeType:
    Default: dc2.large
    Description: Cluster node type
    Type: String
    ConstraintDescription: Must provide a valid cluster node type.
  DBName:
    Description: Cluster database name
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBUsername:
    Description: Master username for cluster database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric
      characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for cluster database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: Must contain only alphanumeric characters.
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref 'ClusterName'
      DBName: !Ref 'DBName'
      MasterUsername: !Ref 'DBUsername'
      MasterUserPassword: !Ref 'DBPassword'
      NodeType: !Ref 'ClusterNodeType'
      ClusterType: single-node
      AllowVersionUpgrade: true
      PreferredMaintenanceWindow: sun:04:30-sun:05:00

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_redshift_cluster" "redshift-database-cluster" {
	cluster_identifier        = "cc-redshift-prod-cluster"
	node_type                 = "dc2.large"
	database_name             = "clusterdb"
	master_username           = "masterdbuser"
	master_password           = "masteruserpwd" # sample value only; supply the real password through a sensitive variable, not a literal
	cluster_type              = "single-node"
	allow_version_upgrade     = true

	# Configure Preferred Maintenance Window
	preferred_maintenance_window = "sun:04:30-sun:05:00"
}

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Configure Preferred Maintenance Window for Redshift Clusters conformity rule settings and note the preferred maintenance window defined for Amazon Redshift clusters in the specified AWS region.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2.

04 In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.

05 Click on the name of the Redshift data warehouse cluster that you want to examine.

06 Select the Maintenance tab to access the maintenance configuration settings available for the selected cluster.

07 In the Maintenance detail section, choose Edit to modify the cluster maintenance settings.

08 Choose Change maintenance window and use the Day and Time controls under Maintenance window to configure the preferred maintenance window to a time in which your Amazon Redshift cluster is under its lowest load, as defined in the conformity rule settings, identified at step no. 1. Choose Save changes to apply the configuration changes.

09 Repeat steps no. 5 – 8 to configure the preferred maintenance window for each Redshift cluster deployed within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Configure Preferred Maintenance Window for Redshift Clusters conformity rule settings and note the preferred maintenance window defined for Amazon Redshift clusters in the specified AWS region.

02 Run the modify-cluster command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to reconfigure as the identifier parameter, to update the preferred maintenance window to a time at which your Redshift cluster is under its lowest load (as defined in the conformity rule settings, identified at step no. 1). The compliant maintenance window must be specified in the ddd:hh24:mi-ddd:hh24:mi format, where the valid days are mon, tue, wed, thu, fri, sat, and sun. The window must be at least 30 minutes long and must be given in Coordinated Universal Time (UTC). The following command example updates the preferred maintenance window for the selected cluster to Sunday between 04:30 and 05:00 AM (UTC):

aws redshift modify-cluster \
  --region us-east-1 \
  --cluster-identifier cc-redshift-cluster \
  --preferred-maintenance-window sun:04:30-sun:05:00

03 The command output should return the configuration metadata for the modified Amazon Redshift cluster:

{
	"Cluster": {
		"PubliclyAccessible": false,
		"MasterUsername": "dbauser",
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-abcdabcd"
			}
		],
		"NumberOfNodes": 2,
		"PendingModifiedValues": {},
		"VpcId": "vpc-abcd1234",
		"ClusterVersion": "1.0",
		"Tags": [],
		"ManualSnapshotRetentionPeriod": -1,
		"AutomatedSnapshotRetentionPeriod": 1,
		"ClusterParameterGroups": [
			{
				"ParameterGroupName": "default.redshift-1.0",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"DBName": "prod",
		"PreferredMaintenanceWindow": "sun:04:30-sun:05:00",
		"NextMaintenanceWindowStartTime": "2021-12-24T04:30:00Z",
		"Endpoint": {
			"Port": 5439,
			"Address": "cc-redshift-cluster.abcd1234abcd.us-east-1.redshift.amazonaws.com"
		},
		"DeferredMaintenanceWindows": [],
		"ClusterAvailabilityStatus": "Available",
		"IamRoles": [],
		"AllowVersionUpgrade": true,
		"MaintenanceTrackName": "current",
		"ClusterCreateTime": "2021-12-20T10:00:00.000Z",
		"ClusterSubnetGroupName": "default",
		"EnhancedVpcRouting": false,
		"ClusterSecurityGroups": [],
		"ClusterIdentifier": "cc-redshift-cluster",
		"AvailabilityZone": "us-east-1a",
		"NodeType": "dc2.large",
		"Encrypted": true,
		"ClusterStatus": "available"
	}
}

04 Repeat steps no. 1 – 3 to configure the preferred maintenance window for each Redshift cluster provisioned in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 for other AWS regions.

Publication date Feb 6, 2021