aws-redshift-encryption-customer-key.md

File metadata and controls

43 lines (33 loc) · 1.11 KB

Pattern: Missing use of encryption via CMK for AWS Redshift

Issue: -

Description

Redshift clusters that contain sensitive data or are subject to regulation should be encrypted at rest to prevent data leakage should the infrastructure be compromised.

Resolution: Enable encryption at rest on the cluster and supply a customer managed KMS key (CMK) rather than relying on the AWS managed default key.

Examples

Example of incorrect code:

```hcl
# No `encrypted` and no `kms_key_id`: data at rest is left in the clear.
resource "aws_redshift_cluster" "bad_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
}
```

Example of correct code:

```hcl
# Customer managed key; rotation enabled so the key material is replaced yearly.
resource "aws_kms_key" "redshift" {
  enable_key_rotation = true
}

resource "aws_redshift_cluster" "good_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  encrypted          = true
  # The provider expects the key ARN here (kms_key_id only takes effect when encrypted = true).
  kms_key_id         = aws_kms_key.redshift.arn
}
```
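As an added example (not part of this rule or its project), a small Python check that applies the same rule to a Terraform plan export: it walks `resource_changes` from `terraform show -json plan.out` and flags any Redshift cluster that is not encrypted with a KMS key, treating a `kms_key_id` that is still unknown at plan time (a key created in the same apply, as in the correct example above) as satisfied. The sample plan is constructed inline and is not real output.

```python
import json

# Constructed, abridged plan JSON in the shape of `terraform show -json`:
# the page's bad cluster, its good cluster (key ARN known only after apply),
# and a third cluster that is encrypted but falls back to the AWS managed key.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_redshift_cluster.bad_example", "type": "aws_redshift_cluster",
         "change": {"actions": ["create"],
                    "after": {"cluster_identifier": "tf-redshift-cluster", "encrypted": False},
                    "after_unknown": {}}},
        {"address": "aws_redshift_cluster.good_example", "type": "aws_redshift_cluster",
         "change": {"actions": ["create"],
                    "after": {"cluster_identifier": "tf-redshift-cluster", "encrypted": True},
                    "after_unknown": {"kms_key_id": True}}},
        {"address": "aws_redshift_cluster.default_key", "type": "aws_redshift_cluster",
         "change": {"actions": ["create"],
                    "after": {"cluster_identifier": "tf-redshift-cluster",
                              "encrypted": True, "kms_key_id": None},
                    "after_unknown": {}}},
    ]
})


def find_unencrypted_redshift(plan_json: str) -> list[tuple[str, str]]:
    """Return (resource address, reason) for each planned Redshift cluster
    that will not be encrypted at rest with a customer managed KMS key."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_redshift_cluster":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing will exist after apply
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if not after.get("encrypted"):
            findings.append((rc["address"], "encrypted is not true"))
            continue
        # A known-after-apply kms_key_id (key created in this plan) counts as set.
        if not after.get("kms_key_id") and not unknown.get("kms_key_id"):
            findings.append((rc["address"], "no kms_key_id (AWS managed key)"))
    return findings


if __name__ == "__main__":
    for address, reason in find_unencrypted_redshift(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}")
```

Run it against a real export with `terraform plan -out plan.out && terraform show -json plan.out > plan.json` and pass the file contents to `find_unencrypted_redshift`.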