Deferred Maintenance

Risk Level: Medium (should be achieved)

Rule ID: RS-024

Ensure that deferred maintenance is enabled for all your Amazon Redshift clusters in order to keep your data warehouse running without interruption during critical business periods. Amazon Redshift gives you the option to defer maintenance for your clusters by up to 14 days.

This rule can help you with the following compliance standards:

NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

Reliability

If your organization runs mission critical workloads on Amazon Redshift, during high business activity period, you might want to defer the scheduled maintenance to a less busy interval. With the Deferred Maintenance feature you can postpone scheduled maintenance up to 14 days. During this time, Amazon Redshift does not apply any software updates.

Note: The deferred maintenance period is overridden if a mandatory hardware replacement is scheduled on your Amazon Redshift cluster. In this case you will get an event notification via AWS Management Console and the SNS subscription available.

Audit

To determine if the Deferred Maintenance feature is enabled for your Amazon Redshift clusters, perform the following operations:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2.
In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.
Click on the name (link) of the Redshift cluster that you want to examine.
Select the Maintenance tab to access the maintenance configuration settings available for the selected cluster.
In the Maintenance detail section, check the Defer maintenance window status. If the Defer maintenance window status is set to Disabled, the Deferred Maintenance feature is not enabled for the selected Amazon Redshift data warehouse cluster.
Repeat steps no. 5 – 7 for each Redshift cluster deployed within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

Run describe-clusters command (OSX/Linux/UNIX) with custom query filters to list the identifier (name) of each Amazon Redshift cluster available in the selected region:
```
aws redshift describe-clusters
  --region us-east-1
  --output table
  --query 'Clusters[*].ClusterIdentifier'
```

The command output should return a table with the requested cluster names:

-------------------------
|   DescribeClusters    |
+-----------------------+
|  cc-redshift-cluster  |
|  cc-project5-cluster  |
+-----------------------+

Run again describe-clusters command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to examine as the identifier parameter and custom query filters to describe the deferred maintenance window configured for the selected cluster:
```
aws redshift describe-clusters
  --region us-east-1
  --cluster-identifier cc-redshift-cluster
  --query 'Clusters[*].DeferredMaintenanceWindows[]'
```
The command output should return an array with the requested configuration details:
```
[]
```
If the describe-clusters command output returns an empty array (i.e. []), the Deferred Maintenance feature is not enabled for the selected Amazon Redshift cluster, therefore routine maintenance is not suspended during critical business periods.
Repeat steps no. 3 and 4 for each Redshift cluster provisioned in the selected AWS region.
Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS cloud regions.

Remediation / Resolution

To reconfigure your existing Amazon Redshift clusters in order to enable deferred maintenance, perform the following operations:

Using AWS CloudFormation

CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Deferred Maintenance",
	"Parameters": {
		"ClusterName": {
			"Default": "cc-redshift-cluster",
			"Description": "Redshift cluster name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "63",
			"AllowedPattern": "^[0-9a-zA-Z-/]*$",
			"ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
		},
		"ClusterNodeType": {
			"Default": "dc2.large",
			"Description": "Cluster node type",
			"Type": "String",
			"ConstraintDescription": "Must provide a valid cluster node type."
		},
		"DBName": {
			"Description": "Cluster database name",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "64",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBUsername": {
			"Description": "Master username for cluster database access",
			"Type": "String",
			"MinLength": "1",
			"MaxLength": "16",
			"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
			"ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters."
		},
		"DBPassword": {
			"NoEcho": "true",
			"Description": "Password for cluster database access",
			"Type": "String",
			"MinLength": "8",
			"MaxLength": "41",
			"AllowedPattern": "[a-zA-Z0-9]*",
			"ConstraintDescription": "Must contain only alphanumeric characters."
		}
	},
	"Resources": {
		"RedshiftCluster": {
			"Type": "AWS::Redshift::Cluster",
			"Properties": {
				"ClusterIdentifier": {
					"Ref": "ClusterName"
				},
				"DBName": {
					"Ref": "DBName"
				},
				"MasterUsername": {
					"Ref": "DBUsername"
				},
				"MasterUserPassword": {
					"Ref": "DBPassword"
				},
				"NodeType": {
					"Ref": "ClusterNodeType"
				},
				"ClusterType": "single-node",
				"AllowVersionUpgrade": true,
				"DeferMaintenance": true,
				"DeferMaintenanceDuration": 30
			}
		}
	}
}

CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable Deferred Maintenance
	Parameters:
	ClusterName:
		Default: cc-redshift-cluster
		Description: Redshift cluster name
		Type: String
		MinLength: '1'
		MaxLength: '63'
		AllowedPattern: ^[0-9a-zA-Z-/]*$
		ConstraintDescription: Must begin with a letter and must not end with a hyphen
		or contain two consecutive hyphens.
	ClusterNodeType:
		Default: dc2.large
		Description: Cluster node type
		Type: String
		ConstraintDescription: Must provide a valid cluster node type.
	DBName:
		Description: Cluster database name
		Type: String
		MinLength: '1'
		MaxLength: '64'
		AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
		ConstraintDescription: Must begin with a letter and contain only alphanumeric
		characters.
	DBUsername:
		Description: Master username for cluster database access
		Type: String
		MinLength: '1'
		MaxLength: '16'
		AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
		ConstraintDescription: Must begin with a letter and contain only alphanumeric
		characters.
	DBPassword:
		NoEcho: 'true'
		Description: Password for cluster database access
		Type: String
		MinLength: '8'
		MaxLength: '41'
		AllowedPattern: '[a-zA-Z0-9]*'
		ConstraintDescription: Must contain only alphanumeric characters.
	Resources:
	RedshiftCluster:
		Type: AWS::Redshift::Cluster
		Properties:
		ClusterIdentifier: !Ref 'ClusterName'
		DBName: !Ref 'DBName'
		MasterUsername: !Ref 'DBUsername'
		MasterUserPassword: !Ref 'DBPassword'
		NodeType: !Ref 'ClusterNodeType'
		ClusterType: single-node
		AllowVersionUpgrade: true
		DeferMaintenance: true
		DeferMaintenanceDuration: 30

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon Redshift console at https://console.aws.amazon.com/redshiftv2.
In the main navigation panel, under Provisioned clusters dashboard, choose Clusters.
Click on the name of the Redshift cluster that you want to reconfigure.
Select the Maintenance tab to access the maintenance configuration settings available for the selected cluster.
In the Maintenance detail section, choose Edit to modify the cluster maintenance settings.
Choose Defer maintenance window, select Enabled, and use the From/To and Time controls to configure the defer maintenance window for your Amazon Redshift cluster. You can defer maintenance by up to 45 days. AWS doesn't perform any maintenance on your Redshift cluster when you specify a deferment, unless they need to update hardware. Choose Save changes to apply the changes.
Repeat steps no. 4 – 7 to configure the deferred maintenance window for each Redshift cluster deployed within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

Run modify-cluster-maintenance command (OSX/Linux/UNIX) using the name of the Amazon Redshift cluster that you want to modify as the identifier parameter, to enable and configure the Deferred Maintenance feature for the selected cluster. Use the --defer-maintenance-start-time and --defer-maintenance-end-time parameters to define your own deferred maintenance window (UTC time):
```
aws redshift modify-cluster-maintenance
  --region us-east-1
  --cluster-identifier cc-redshift-cluster
  --defer-maintenance
  --defer-maintenance-start-time 2021-12-10T12:00:00Z
  --defer-maintenance-end-time 2021-12-21T12:00:00Z
```

The command output should return the metadata available for the selected AWS Redshift cluster:

{
	"Cluster": {
		"ClusterIdentifier": "cc-redshift-cluster",
		"NodeType": "dc2.large",
		"ClusterStatus": "available",
		"ClusterAvailabilityStatus": "Available",
		"MasterUsername": "dbauser",
		"DBName": "prod",
		"Endpoint": {
			"Address": "cc-redshift-cluster.abcd1234abcd.us-east-1.redshift.amazonaws.com",
			"Port": 5439
		},
		"ClusterCreateTime": "2021-12-09T15:11:53.272000+00:00",
		"AutomatedSnapshotRetentionPeriod": 1,
		"ManualSnapshotRetentionPeriod": -1,
		"ClusterSecurityGroups": [],
		"VpcSecurityGroups": [
			{
				"VpcSecurityGroupId": "sg-abcdabcd",
				"Status": "active"
			}
		],
		"ClusterParameterGroups": [
			{
				"ParameterGroupName": "default.redshift-1.0",
				"ParameterApplyStatus": "in-sync"
			}
		],
		"ClusterSubnetGroupName": "default",
		"VpcId": "vpc-1234abcd",
		"AvailabilityZone": "us-east-1f",
		"PreferredMaintenanceWindow": "",
		"PendingModifiedValues": {},
		"ClusterVersion": "1.0",
		"AllowVersionUpgrade": true,
		"NumberOfNodes": 1,
		"PubliclyAccessible": false,
		"Encrypted": false,
		"ClusterNodes": [
			{
				"NodeRole": "SHARED",
				"PrivateIPAddress": "172.31.60.14",
				"PublicIPAddress": "3.102.10.36"
			}
		],
		"ClusterRevisionNumber": "33904",
		"Tags": [],
		"EnhancedVpcRouting": false,
		"IamRoles": [],
		"MaintenanceTrackName": "current",
		"DeferredMaintenanceWindows": [
			{
				"DeferMaintenanceIdentifier": "dfm-abcd1234abcd1234abcd",
				"DeferMaintenanceStartTime": "2021-12-10T12:00:00+00:00",
				"DeferMaintenanceEndTime": "2021-12-21T12:00:00+00:00"
			}
		],
		"NextMaintenanceWindowStartTime": "2021-12-13T09:30:00+00:00",
		"AvailabilityZoneRelocationStatus": "disabled",
		"TotalStorageCapacityInMegaBytes": 400000,
		"AquaConfiguration": {
			"AquaStatus": "disabled",
			"AquaConfigurationStatus": "auto"
		}
	}
}

Repeat steps no. 1 and 2 to configure the deferred maintenance window for each Redshift cluster provisioned in the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 for other AWS regions.

References

AWS Command Line Interface (CLI) Documentation
redshift
describe-clusters
modify-cluster-maintenance

Publication date Jan 29, 2019

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using AWS Console

Using AWS CLI

References

Related Redshift rules