Amazon Redshift accepts TLS connections by default but only requires them when the cluster's parameter group sets require_ssl to true; with the engine default (false) a client may open a plaintext SQL session.
This check identifies clusters whose parameter group does not set require_ssl to true, meaning connections are not forced to use TLS.
Risk
Allowing plaintext or optional TLS exposes SQL sessions to:
- Confidentiality loss: credentials, queries, and results can be intercepted.
- Integrity compromise: statements or data may be modified in transit.
- Availability impact: session hijacking can disrupt workloads.
prowler aws --checks redshift_cluster_in_transit_encryption_enabled
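The evaluation described above, as an added example that is not Prowler's own check code: it runs over constructed data shaped like the boto3 describe_clusters and describe_cluster_parameters responses (cluster identifiers and parameter group names are invented) and reports a cluster as failing when require_ssl is anything but true. It also treats a require_ssl change that is still pending-reboot as not yet enforced, which is this example's design choice rather than something the page states about Prowler.

```python
"""Evaluate which Redshift clusters do not force TLS (require_ssl).
Added example over constructed data; not Prowler's check source."""

# Constructed sample: three clusters and the parameter groups they use.
CLUSTERS = [
    {"ClusterIdentifier": "analytics-prod",
     "ClusterParameterGroups": [{"ParameterGroupName": "prod-params",
                                 "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "analytics-dev",  # still on the immutable default group
     "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0",
                                 "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "reporting",  # require_ssl set, but not rebooted yet
     "ClusterParameterGroups": [{"ParameterGroupName": "rpt-params",
                                 "ParameterApplyStatus": "pending-reboot"}]},
]

# describe_cluster_parameters()["Parameters"], trimmed to the one parameter we need.
PARAMETERS = {
    "prod-params": [{"ParameterName": "require_ssl", "ParameterValue": "true",
                     "ApplyType": "static"}],
    "default.redshift-1.0": [{"ParameterName": "require_ssl", "ParameterValue": "false",
                              "ApplyType": "static"}],
    "rpt-params": [{"ParameterName": "require_ssl", "ParameterValue": "true",
                    "ApplyType": "static"}],
}


def require_ssl_value(parameters):
    """Redshift returns parameter values as strings; anything but 'true' means TLS is optional."""
    for p in parameters:
        if p.get("ParameterName") == "require_ssl":
            return str(p.get("ParameterValue", "")).strip().lower() == "true"
    return False  # parameter absent: engine default is false


def evaluate(clusters, parameters_by_group):
    """Return one (cluster_id, status, detail) finding per cluster."""
    findings = []
    for c in clusters:
        cid = c["ClusterIdentifier"]
        pg = c["ClusterParameterGroups"][0]
        name = pg["ParameterGroupName"]
        apply_status = pg.get("ParameterApplyStatus", "in-sync")
        if not require_ssl_value(parameters_by_group.get(name, [])):
            findings.append((cid, "FAIL", f"require_ssl is not true in parameter group {name}"))
        elif apply_status != "in-sync":
            # Design choice of this example: require_ssl is static, so a change that is
            # still pending-reboot is not enforced yet and is reported as a failure.
            findings.append((cid, "FAIL", f"require_ssl=true in {name} but cluster is {apply_status}"))
        else:
            findings.append((cid, "PASS", f"require_ssl=true in parameter group {name}"))
    return findings


def failing_clusters(clusters, parameters_by_group):
    """Identifiers of clusters where connections are not forced to use TLS."""
    return [cid for cid, status, _ in evaluate(clusters, parameters_by_group) if status == "FAIL"]


if __name__ == "__main__":
    for finding in evaluate(CLUSTERS, PARAMETERS):
        print(*finding)
```

Against a live account the same functions take `describe_clusters()["Clusters"]` and a dict built from `describe_cluster_parameters(ParameterGroupName=...)["Parameters"]` for each group the clusters reference.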
Recommendation
Require TLS for all Redshift connections by setting require_ssl to true in the parameter group attached to each cluster; with that setting the cluster rejects clients that do not negotiate TLS, so plaintext sessions are no longer possible.
Configure clients to validate the server certificate rather than merely encrypt (for JDBC/ODBC and libpq-based drivers, sslmode=verify-full with the CA bundle AWS publishes for Redshift), prefer private network paths such as VPC endpoints over public ones, and keep drivers and TLS policies current. Apply least privilege and defense in depth so that a transport-security failure alone does not expose the data.
Remediation
aws redshift modify-cluster-parameter-group --parameter-group-name <example_resource_name> --parameters ParameterName=require_ssl,ParameterValue=true
- In the AWS Console, go to Amazon Redshift > Parameter groups
- Open the parameter group attached to your cluster. The default parameter group (default.redshift-1.0) cannot be edited; if the cluster uses it, create a custom parameter group in the same family and associate it with the cluster first
- Click Edit parameters, set require_ssl to true, and Save
- Reboot the cluster to apply the change: require_ssl is a static parameter and the cluster stays pending-reboot until then. A parameter group is shared by every cluster that uses it, so the change and the reboot requirement apply to all of them
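The CLI and console steps above, carried through end to end as an added example (not AWS or Prowler code) against the boto3 Redshift client: it detects the immutable default parameter group and creates and attaches a custom one, sets require_ssl=true only when it is not already true, and reboots only when something changed. In real use `client` is `boto3.client("redshift")`; the FakeRedshift class is a constructed stand-in that records the calls so the flow runs offline, and the cluster and group names are invented.

```python
"""Remediate a Redshift cluster that does not force TLS: set require_ssl=true
in its parameter group and reboot. Added example, not AWS's or Prowler's code."""


class FakeRedshift:
    """Constructed stand-in for boto3.client("redshift") that records calls.
    Only the response fields the remediation reads are modelled."""

    def __init__(self, cluster_id, group, require_ssl="false", version="1.0"):
        self.groups = {group: require_ssl}
        self.cluster = {"ClusterIdentifier": cluster_id, "ClusterVersion": version,
                        "ClusterParameterGroups": [{"ParameterGroupName": group,
                                                    "ParameterApplyStatus": "in-sync"}]}
        self.calls = []

    def describe_clusters(self, ClusterIdentifier):
        self.calls.append(("describe_clusters", ClusterIdentifier))
        return {"Clusters": [self.cluster]}

    def describe_cluster_parameters(self, ParameterGroupName):
        self.calls.append(("describe_cluster_parameters", ParameterGroupName))
        return {"Parameters": [{"ParameterName": "require_ssl",
                                "ParameterValue": self.groups[ParameterGroupName],
                                "ApplyType": "static"}]}

    def create_cluster_parameter_group(self, ParameterGroupName, ParameterGroupFamily, Description):
        self.calls.append(("create_cluster_parameter_group", ParameterGroupName, ParameterGroupFamily))
        self.groups[ParameterGroupName] = "false"  # new groups start at engine defaults

    def modify_cluster_parameter_group(self, ParameterGroupName, Parameters):
        self.calls.append(("modify_cluster_parameter_group", ParameterGroupName))
        for p in Parameters:
            if p["ParameterName"] == "require_ssl":
                self.groups[ParameterGroupName] = p["ParameterValue"]

    def modify_cluster(self, ClusterIdentifier, ClusterParameterGroupName):
        self.calls.append(("modify_cluster", ClusterParameterGroupName))
        self.cluster["ClusterParameterGroups"] = [{"ParameterGroupName": ClusterParameterGroupName,
                                                   "ParameterApplyStatus": "pending-reboot"}]

    def reboot_cluster(self, ClusterIdentifier):
        self.calls.append(("reboot_cluster", ClusterIdentifier))
        self.cluster["ClusterParameterGroups"][0]["ParameterApplyStatus"] = "in-sync"


def ensure_require_ssl(client, cluster_id, new_group_name=None, reboot=True):
    """Force require_ssl=true for cluster_id. Returns (parameter group used, actions taken)."""
    cluster = client.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    group = cluster["ClusterParameterGroups"][0]["ParameterGroupName"]
    actions = []

    # default.* parameter groups cannot be modified: create a custom group in the
    # same family (redshift-<ClusterVersion>) and attach it to the cluster below.
    if group.startswith("default."):
        family = "redshift-" + cluster.get("ClusterVersion", "1.0")
        group = new_group_name or f"{cluster_id}-require-ssl"  # hypothetical naming scheme
        client.create_cluster_parameter_group(ParameterGroupName=group,
                                              ParameterGroupFamily=family,
                                              Description="Enforce TLS for client connections")
        actions.append("create_group")

    params = client.describe_cluster_parameters(ParameterGroupName=group)["Parameters"]
    current = next((p["ParameterValue"] for p in params if p["ParameterName"] == "require_ssl"), "false")
    if current.strip().lower() != "true":
        client.modify_cluster_parameter_group(
            ParameterGroupName=group,
            Parameters=[{"ParameterName": "require_ssl", "ParameterValue": "true"}])
        actions.append("set_require_ssl")

    if "create_group" in actions:
        client.modify_cluster(ClusterIdentifier=cluster_id, ClusterParameterGroupName=group)
        actions.append("associate_group")

    # require_ssl is static: nothing takes effect until the cluster reboots.
    if actions and reboot:
        client.reboot_cluster(ClusterIdentifier=cluster_id)
        actions.append("reboot")
    return group, actions


if __name__ == "__main__":
    fake = FakeRedshift("analytics-dev", "default.redshift-1.0")
    print(ensure_require_ssl(fake, "analytics-dev"))
    # Live use: ensure_require_ssl(boto3.client("redshift"), "analytics-dev")
```

Pass reboot=False when the group is shared by several clusters and the reboot has to be scheduled per cluster in a maintenance window; the parameter change itself is made once on the group and shows as pending-reboot on every cluster using it.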
Resource Type
AwsRedshiftCluster
References
- https://docs.aws.amazon.com/redshift/latest/mgmt/security-encryption-in-transit.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-2
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Redshift/redshift-parameter-groups-require-ssl.html