Detection rules › Panther
AWS Redshift Cluster Snapshot Retention
This policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed.
Rule body yaml
AnalysisType: policy
Filename: aws_redshift_cluster_snapshot_retention.py
PolicyID: "AWS.Redshift.Cluster.SnapshotRetention"
DisplayName: "AWS Redshift Cluster Snapshot Retention"
Enabled: true
ResourceTypes:
- AWS.Redshift.Cluster
Tags:
- AWS
- Availability
Severity: Medium
Description: >
This policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-redshift-cluster-has-sufficient-snapshot-retention-period
Reference: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html
Tests:
- Name: Insufficient Backup Retention Period
ExpectedResult: false
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 1,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": null,
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
- Name: Sufficient Backup Retention Period
ExpectedResult: true
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 5,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": null,
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
Detection logic
Condition
AutomatedSnapshotRetentionPeriod not ge "3"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
AutomatedSnapshotRetentionPeriod | ge | 3 |