Redshift Cluster Allow Version Upgrade

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: RS-005

Ensure that Allow Version Upgrade is enabled for your Redshift clusters so that they automatically receive engine upgrades during the maintenance window.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With the Allow Version Upgrade feature enabled, Amazon Redshift engine upgrades (also known as major version upgrades) are applied automatically during the cluster's maintenance window, so the data warehouse engine receives the newest features, bug fixes and the latest security patches as soon as Amazon releases them.


Audit

To determine if your AWS Redshift clusters are receiving automatic engine version upgrades, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine and click the Show or Hide Item details icon to show the selected cluster's configuration details.

05 In the Backup, Audit Logging and Maintenance section, verify the Allow Version Upgrade status.

If the current status is set to No, the feature is not enabled; therefore, the Redshift engine major version upgrades released by Amazon will not be applied to the selected cluster as soon as they become available.

06 Repeat steps no. 4 and 5 to verify the feature status for the other Redshift clusters provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-clusters command (OSX/Linux/UNIX) with a custom query filter to list the identifiers (names) of all Redshift clusters currently available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--output table \
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

----------------------------
|  DescribeClusters        |
+--------------------------+
|  cc-cluster              |
|  big-data-cc-cluster     |
|  big-data-cc-cluster-v2  |
+--------------------------+

03 Run the describe-clusters command (OSX/Linux/UNIX) again, using the name of the cluster that you want to examine as the identifier and a different query filter to expose the Allow Version Upgrade feature status for the selected Redshift cluster:

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-cluster \
	--query 'Clusters[*].AllowVersionUpgrade'

04 The command output should return the feature's current status (true for enabled, false for disabled):

[
    false
]

If the returned value is false, the feature is not enabled; therefore, the Redshift engine major version upgrades will not be applied automatically to the selected cluster as soon as they become available.

05 Repeat steps no. 3 and 4 for each Redshift cluster available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
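The CLI steps above make one describe-clusters call per cluster and are repeated by hand for every region. The following script is an added example (not part of the Conformity rule page) that evaluates the same RS-005 condition over the full JSON output of a single describe-clusters call per region, fails closed when the AllowVersionUpgrade key is missing, and runs offline against a constructed sample shaped like the page's own output; the aws CLI invocation in fetch_describe_clusters is only used when the script is run directly.

```python
"""Evaluate RS-005 (Allow Version Upgrade) over describe-clusters JSON output."""
import json
import subprocess
import sys


def noncompliant_clusters(describe_output: dict) -> list[str]:
    """Return identifiers of clusters whose AllowVersionUpgrade is not true.

    A missing key is treated as non-compliant so the check fails closed.
    """
    return sorted(
        c["ClusterIdentifier"]
        for c in describe_output.get("Clusters", [])
        if c.get("AllowVersionUpgrade") is not True
    )


def fetch_describe_clusters(region: str) -> dict:
    """Run the same CLI call as the audit steps and parse its JSON output."""
    out = subprocess.check_output(
        ["aws", "redshift", "describe-clusters", "--region", region, "--output", "json"]
    )
    return json.loads(out)


def audit_regions(regions, fetch=fetch_describe_clusters) -> dict[str, list[str]]:
    """Map each region to its non-compliant cluster identifiers (audit step 06)."""
    return {region: noncompliant_clusters(fetch(region)) for region in regions}


# Constructed sample shaped like real describe-clusters output; the cluster
# names are the ones used in the page's own CLI examples.
SAMPLE_OUTPUT = {
    "Clusters": [
        {"ClusterIdentifier": "cc-cluster", "AllowVersionUpgrade": False,
         "ClusterVersion": "1.0", "ClusterStatus": "available"},
        {"ClusterIdentifier": "big-data-cc-cluster", "AllowVersionUpgrade": True,
         "ClusterVersion": "1.0", "ClusterStatus": "available"},
        {"ClusterIdentifier": "big-data-cc-cluster-v2",  # key absent: fails closed
         "ClusterVersion": "1.0", "ClusterStatus": "available"},
    ]
}

if __name__ == "__main__":
    # Usage: python rs005_audit.py us-east-1 eu-west-1 ...
    for region, bad in audit_regions(sys.argv[1:] or ["us-east-1"]).items():
        print(f"{region}: " + ("PASS" if not bad else "FAIL: " + ", ".join(bad)))
```

Each identifier reported as FAIL is a candidate for the modify-cluster remediation command shown in the next section.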

Remediation / Resolution

To update your AWS Redshift cluster configuration so that engine (major) version upgrades are applied automatically, perform the following:

Note: Enabling Allow Version Upgrade for Amazon Redshift clusters using the AWS Management Console is not currently supported; the feature can be configured only through the AWS Command Line Interface (CLI).

Using AWS CLI

01 Run the modify-cluster command (OSX/Linux/UNIX) using the name of the cluster that you want to update as the identifier (see Audit section part II, step no. 2) to enable AWS Redshift engine version upgrades for the selected cluster:

aws redshift modify-cluster \
	--region us-east-1 \
	--cluster-identifier cc-cluster \
	--allow-version-upgrade

02 If successful, the command output should return the cluster's new configuration metadata, with AllowVersionUpgrade now set to true:

{
    "Cluster": {
        "PubliclyAccessible": true,
        "NumberOfNodes": 1,
        "PendingModifiedValues": {},
        "VpcId": "vpc-2eb53422",
        "ClusterVersion": "1.0",
        "AutomatedSnapshotRetentionPeriod": 1,
        "ClusterParameterGroups": [
	   ...
        "AllowVersionUpgrade": true,
	   ...
        "ClusterSubnetGroupName": "default",
        "ClusterSecurityGroups": [],
        "ClusterIdentifier": "cc-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds1.xlarge",
        "ClusterStatus": "available"
    }
}

03 Repeat steps no. 1 and 2 for the other Redshift clusters in the current region that have engine version upgrades disabled.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 for other regions.

Publication date Sep 16, 2016