Securing Redshift Clusters on AWS

Some common issues around securing Redshift clusters are described in this post.

1. Redshift cluster - Is the cluster in a single account or across accounts? Are there snapshot backups to S3? Are the snapshots automated or manual? Is Production data copied over to Non-Production? If so, what is the method (backup to blob storage, snapshot, or shared volumes)?

2. PII data - Is DB-level encryption (Redshift) being used?

3. Is there encryption of data at rest (backups in S3) using a CMK on AWS? This would provide granularity over IAM and the ability to use the same key for different workloads.

4. Do any elements qualify as PCI data? If PCI compliance is needed, end-to-end traffic encryption may be needed, as well as 'certified' Linux images on GCP and AWS for any IaaS workloads.

5. SSO Groups versus Local AWS IAM Users - Are there any local IAM users in any of the AWS accounts? What are the managed policies associated with a) Users of Redshift (query runners) and b) Admins of Redshift?

6. Is there a VPC Endpoint for Redshift?

7. What does the SG look like for the Redshift cluster?

SGs for Redshift (CloudFormation security group fragment):

    SecurityGroupEgress:
      - FromPort: -1
        ToPort: -1
        IpProtocol: "-1"
        Description: ""
        CidrIp: "0.0.0.0/0"
    SecurityGroupIngress:
      - FromPort: 5439
        ToPort: 5439
        IpProtocol: "tcp"
        Description: "Allow Redshift traffic - TCP 5439"
        CidrIp: ""
    GroupName: "allow-redshift-traffic"

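As an added example (not code from the original post), the following script audits a CloudFormation-style security group definition for the two weaknesses visible in the fragment above: an ingress rule with an empty or unrestricted CidrIp, and an egress rule that allows all traffic to 0.0.0.0/0. The SG_FROM_POST dictionary is constructed from the fragment in item 7; the hardened variant and its CIDR ranges are assumed placeholders, not values from the post.

```python
from typing import Dict, List

REDSHIFT_PORT = 5439
ANY_CIDR = {"0.0.0.0/0", "::/0"}

# Constructed from the SG fragment in item 7: egress wide open, ingress CidrIp empty.
SG_FROM_POST: Dict = {
    "GroupName": "allow-redshift-traffic",
    "SecurityGroupEgress": [
        {"FromPort": -1, "ToPort": -1, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},
    ],
    "SecurityGroupIngress": [
        {"FromPort": 5439, "ToPort": 5439, "IpProtocol": "tcp", "CidrIp": ""},
    ],
}

# Constructed hardened variant; the CIDRs are placeholders for the query-runner
# subnet and the destinations the cluster needs, not values from the post.
SG_HARDENED: Dict = {
    "GroupName": "allow-redshift-traffic",
    "SecurityGroupEgress": [
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIp": "10.0.0.0/16"},
    ],
    "SecurityGroupIngress": [
        {"FromPort": 5439, "ToPort": 5439, "IpProtocol": "tcp", "CidrIp": "10.0.1.0/24"},
    ],
}


def audit_sg(sg: Dict) -> List[str]:
    """Return one finding per weak rule; an empty list means the SG passed."""
    name = sg.get("GroupName", "<unnamed>")
    findings: List[str] = []
    for rule in sg.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp", "")
        if not cidr or cidr in ANY_CIDR:
            findings.append(f"{name}: ingress CidrIp {cidr!r} is empty or unrestricted; "
                            "scope it to the query-runner subnet")
        if (rule.get("FromPort"), rule.get("ToPort")) != (REDSHIFT_PORT, REDSHIFT_PORT):
            findings.append(f"{name}: ingress opens ports other than TCP {REDSHIFT_PORT}")
    for rule in sg.get("SecurityGroupEgress", []):
        if rule.get("IpProtocol") == "-1" or rule.get("CidrIp") in ANY_CIDR:
            findings.append(f"{name}: egress allows all traffic to {rule.get('CidrIp')!r}; "
                            "limit it to the destinations the cluster actually needs")
    return findings


if __name__ == "__main__":
    for label, sg in (("as posted", SG_FROM_POST), ("hardened", SG_HARDENED)):
        print(label, audit_sg(sg) or ["no findings"])
```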
8. Are default VPCs removed? Are default NACLs updated? Are unattached SGs removed?
Summary
This list serves as a good starting point for securing your Redshift cluster. There are certainly more considerations (such as data masking and row-level encryption), but this list covers some of the basics.