Ensure that all the parameter groups associated with your Amazon Redshift clusters have the require_ssl parameter enabled in order to keep your data secure in transit by encrypting the connection between the clients (applications) and your warehouse clusters.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When Redshift clusters are not configured to require Secure Sockets Layer (SSL) connections, the communication between the clients and these clusters is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. Cloud Conformity strongly recommends enabling SSL for your clusters front-end connection when dealing with sensitive or private data.
Note: For this rule, Cloud Conformity assumes that your Amazon Redshift clusters are not associated with the default parameter group created automatically by AWS, as the default parameter group cannot be modified to update the require_ssl parameter value.
To determine if your Amazon Redshift non-default parameter groups have the require_ssl parameter enabled, perform the following:
Remediation / Resolution
To enable require_ssl parameter within your Amazon Redshift non-default parameter groups in order to use SSL for the client-cluster connection, perform the following:
- AWS Documentation
- Amazon Redshift FAQs
- Amazon Redshift Clusters
- Managing Clusters Using the Console
- Manage Clusters Using the Amazon Redshift CLI and API
- Configure Security Options for Connections
- Managing Parameter Groups Using the Console
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Redshift Parameter Group Require SSL
Risk level: Medium