Detection rules › Panther
AWS Redshift Cluster Encryption
This policy validates that Redshift Clusters have encryption enabled.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1530 Data from Cloud Storage |
Rule body yaml
AnalysisType: policy
Filename: aws_redshift_cluster_encryption.py
PolicyID: "AWS.Redshift.Cluster.Encryption"
DisplayName: "AWS Redshift Cluster Encryption"
Enabled: true
ResourceTypes:
- AWS.Redshift.Cluster
Tags:
- AWS
- Data Protection
- Collection:Data From Cloud Storage Object
Reports:
PCI:
- 3.4
MITRE ATT&CK:
- TA0009:T1530
Severity: High
Description: >
This policy validates that Redshift Clusters have encryption enabled.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-redshift-cluster-has-encryption-enabled
Reference: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
Tests:
- Name: Encryption Enabled
ExpectedResult: true
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 3,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": null,
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
- Name: Encryption Not Enabled
ExpectedResult: false
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 3,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": false,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": null,
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
Detection logic
Condition
Encrypted not is_not_null
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
Encrypted | is_not_null |