Redshift Security – Securing Redshift Data Warehouses on AWS (and some parallels on GCP)
Securing Redshift Clusters on AWS
This post lists the questions that come up most often when reviewing the security of Redshift clusters.
1. Redshift cluster - Is the cluster in a single account, or is the data spread across accounts? Are there snapshot backups in S3? Are the snapshots automated or manual? Is production data copied to non-production? If so, by what method (a backup written to object storage, a snapshot shared with the other account, or shared volumes)? Each copy path is another place the data must be encrypted and access-controlled.
2. PII data - Is Redshift's own encryption at rest (database-level encryption of the cluster) enabled? Any PII in the cluster makes this the baseline.
3. Is data at rest, including the snapshots in S3, encrypted with a customer-managed key (CMK) in AWS KMS? Redshift encrypts snapshots with the cluster's key, so snapshots are only as protected as the cluster. A CMK adds a key policy on top of IAM (finer control over who can use the key) and lets you choose whether one key serves several workloads or each workload gets its own.
4. Do any elements qualify as PCI data (cardholder data)? If PCI DSS compliance is needed, end-to-end encryption of traffic may be needed (TLS to the cluster, enforced with the require_ssl parameter group setting), as well as hardened, 'certified' Linux images on GCP and AWS for any IaaS workloads.
5. SSO groups versus local AWS IAM users - Are there any local IAM users (long-lived access keys) in any of the AWS accounts? Which managed policies are attached to a) users of Redshift (query runners) and b) admins of Redshift?
6. Is there a VPC endpoint for Redshift, so that traffic to the cluster and its API stays off the public internet?
7. What does the security group (SG) for the Redshift cluster look like?
SGs for Redshift (a CloudFormation-style security group; the ingress CidrIp is left blank in the original and must be set before this is deployable):

    SecurityGroupEgress:
      # Allows every protocol to anywhere; tighten to the destinations the cluster actually needs
      - FromPort: -1
        ToPort: -1
        IpProtocol: "-1"
        Description: ""
        CidrIp: "0.0.0.0/0"
    SecurityGroupIngress:
      - FromPort: 5439
        ToPort: 5439
        IpProtocol: "tcp"
        Description: "Allow Redshift traffic - TCP 5439"
        # Blank in the original: set the client CIDR here, or prefer SourceSecurityGroupId
        # so only the query hosts' group can reach 5439 (never 0.0.0.0/0)
        CidrIp: ""
    GroupName: "allow-redshift-traffic"
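The encryption, public-accessibility and security-group questions above can be checked from the API rather than by eye. The following is an added example, not code from the original post: it evaluates the response shapes of boto3's redshift.describe_clusters(), ec2.describe_security_groups() and kms.describe_key(), flags an AWS-managed key where a customer-managed CMK was expected, a 5439 ingress open to the internet and the all-traffic egress seen in the group above. The cluster name, key ARN, group IDs and sample data are constructed for the example, and only the audit_account() helper at the end needs boto3 and credentials.

```python
"""Offline checks for encryption at rest, the KMS key behind it, PubliclyAccessible
and the cluster's security group rules. Added example, not from the original post."""
from __future__ import annotations

REDSHIFT_PORT = 5439
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(rule: dict) -> set[str]:
    """All IPv4/IPv6 CIDRs named by one IpPermissions entry (source-SG rules name none)."""
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return cidrs


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True when the rule's protocol and port range include `port` ("-1" means all)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def audit_security_group(sg: dict) -> list[str]:
    """Findings for one group from describe_security_groups()['SecurityGroups']."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if _rule_covers_port(rule, REDSHIFT_PORT) and _rule_cidrs(rule) & ANYWHERE:
            findings.append(f"{sg['GroupId']}: TCP {REDSHIFT_PORT} ingress open to the internet")
    for rule in sg.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" and _rule_cidrs(rule) & ANYWHERE:
            findings.append(f"{sg['GroupId']}: egress allows all protocols to anywhere")
    return findings


def audit_cluster(cluster: dict, sgs_by_id: dict[str, dict],
                  key_managers: dict[str, str]) -> list[str]:
    """Findings for one cluster from describe_clusters()['Clusters'].

    key_managers maps a KmsKeyId to KeyMetadata.KeyManager from kms.describe_key():
    'AWS' for the AWS-managed aws/redshift key, 'CUSTOMER' for a customer-managed CMK.
    """
    cid = cluster["ClusterIdentifier"]
    findings = []
    if not cluster.get("Encrypted"):
        findings.append(f"{cid}: encryption at rest is disabled (snapshots are unencrypted too)")
    elif not cluster.get("KmsKeyId"):
        findings.append(f"{cid}: encrypted without a KMS key id (check whether it is HSM-managed)")
    elif key_managers.get(cluster["KmsKeyId"]) != "CUSTOMER":
        findings.append(f"{cid}: encrypted with an AWS-managed key, not a customer-managed CMK")
    if cluster.get("PubliclyAccessible"):
        findings.append(f"{cid}: PubliclyAccessible is true")
    for ref in cluster.get("VpcSecurityGroups", []):
        sg = sgs_by_id.get(ref["VpcSecurityGroupId"])
        if sg is None:
            findings.append(f"{cid}: security group {ref['VpcSecurityGroupId']} not found")
            continue
        findings.extend(audit_security_group(sg))
    return findings


# Constructed sample data (not from a real account) mirroring the SG shown above:
# ingress on 5439 from anywhere, egress wide open, cluster encrypted with the AWS-managed key.
SAMPLE_CLUSTER = {
    "ClusterIdentifier": "analytics-prod",
    "Encrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    "PubliclyAccessible": False,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0"}],
}
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "allow-redshift-traffic",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SAMPLE_KEY_MANAGERS = {SAMPLE_CLUSTER["KmsKeyId"]: "AWS"}


def audit_sample() -> list[str]:
    """Run the checks over the constructed sample: three findings are expected."""
    return audit_cluster(SAMPLE_CLUSTER, {SAMPLE_SG["GroupId"]: SAMPLE_SG}, SAMPLE_KEY_MANAGERS)


def audit_account() -> list[str]:
    """Live use (needs boto3 and AWS credentials): the same checks over a real account."""
    import boto3  # imported here so the offline checks above need no AWS SDK installed
    redshift, ec2, kms = boto3.client("redshift"), boto3.client("ec2"), boto3.client("kms")
    findings = []
    for cluster in redshift.describe_clusters()["Clusters"]:
        ids = [g["VpcSecurityGroupId"] for g in cluster.get("VpcSecurityGroups", [])]
        sgs = {}
        if ids:
            sgs = {g["GroupId"]: g for g in ec2.describe_security_groups(GroupIds=ids)["SecurityGroups"]}
        managers = {}
        if cluster.get("KmsKeyId"):
            meta = kms.describe_key(KeyId=cluster["KmsKeyId"])["KeyMetadata"]
            managers[cluster["KmsKeyId"]] = meta["KeyManager"]
        findings.extend(audit_cluster(cluster, sgs, managers))
    return findings


if __name__ == "__main__":
    print("\n".join(audit_sample()))
```

The ingress check deliberately ignores rules that reference a source security group (UserIdGroupPairs) rather than a CIDR, which is the shape a hardened Redshift group should have. describe_clusters() returns at most 100 clusters per call; for a larger estate use boto3's get_paginator("describe_clusters") in audit_account().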