Detection rules › Panther
AWS Redshift Cluster Has Acceptable Snapshot Retention Period
This policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but no too long for compliance and performance reasons.
Rule body yaml
AnalysisType: policy
Filename: aws_redshift_cluster_snapshot_retention_acceptable.py
PolicyID: "AWS.Redshift.Cluster.SnapshotRetentionAcceptable"
DisplayName: "AWS Redshift Cluster Has Acceptable Snapshot Retention Period"
Enabled: false
ResourceTypes:
- AWS.Redshift.Cluster
Tags:
- AWS
- PCI
- Database
Reports:
PCI:
- 3.1
Severity: Low
Description: >
This policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but no too long for compliance and performance reasons.
Runbook: >
Adjust the Cluster snapshot retention period to be an appropriate length.
Reference: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html
Tests:
- Name: Insufficient Backup Retention Period
ExpectedResult: false
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 1,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": { "environment": "pci" },
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
- Name: Sufficient Backup Retention Period
ExpectedResult: true
Resource:
{
"AllowVersionUpgrade": false,
"AutomatedSnapshotRetentionPeriod": 5,
"AvailabilityZone": "us-west-2d",
"ClusterAvailabilityStatus": "Available",
"ClusterCreateTime": "2019-01-01T00:00:00.0100Z",
"ClusterIdentifier": "redshift-cluster-2",
"ClusterNodes":
[
{
"NodeRole": "SHARED",
"PrivateIPAddress": "172.0.0.0",
"PublicIPAddress": "52.0.0.0",
},
],
"ClusterParameterGroups":
[
{
"ClusterParameterStatusList": null,
"ParameterApplyStatus": "in-sync",
"ParameterGroupName": "default.redshift-1.0",
},
],
"ClusterPublicKey": "ssh-rsa abcd+111/222/333/444 Amazon-Redshift\n",
"ClusterRevisionNumber": "8205",
"ClusterSecurityGroups": null,
"ClusterSnapshotCopyStatus": null,
"ClusterStatus": "available",
"ClusterSubnetGroupName": "default",
"ClusterVersion": "1.0",
"DBName": "example",
"DataTransferProgress": null,
"DeferredMaintenanceWindows": null,
"ElasticIpStatus": null,
"ElasticResizeNumberOfNodeOptions": null,
"Encrypted": true,
"Endpoint":
{
"Address": "redshift-cluster-2.abcdefg.us-west-2.redshift.amazonaws.com",
"Port": 5439,
},
"EnhancedVpcRouting": false,
"HsmStatus": null,
"IamRoles": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/abcdefg-111-222-333",
"LoggingStatus":
{
"BucketName": "example-bucket",
"LastFailureMessage": null,
"LastFailureTime": null,
"LastSuccessfulDeliveryTime": "2019-01-01T00:00:00Z",
"LoggingEnabled": true,
"S3KeyPrefix": null,
},
"MaintenanceTrackName": "current",
"ManualSnapshotRetentionPeriod": -1,
"MasterUsername": "awsuser",
"ModifyStatus": null,
"NodeType": "dc2.large",
"NumberOfNodes": 1,
"PendingActions": null,
"PendingModifiedValues":
{
"AutomatedSnapshotRetentionPeriod": null,
"ClusterIdentifier": null,
"ClusterType": null,
"ClusterVersion": null,
"EncryptionType": null,
"EnhancedVpcRouting": null,
"MaintenanceTrackName": null,
"MasterUserPassword": null,
"NodeType": null,
"NumberOfNodes": null,
"PubliclyAccessible": null,
},
"PreferredMaintenanceWindow": "fri:11:30-fri:12:00",
"PubliclyAccessible": true,
"ResizeInfo": null,
"RestoreStatus": null,
"SnapshotScheduleIdentifier": null,
"SnapshotScheduleState": null,
"Tags": { "environment": "pci" },
"VpcId": "vpc-6aa60b12",
"VpcSecurityGroups": null,
}
Detection logic
Condition
not (AutomatedSnapshotRetentionPeriod ge "3" and AutomatedSnapshotRetentionPeriod le "90")
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
AutomatedSnapshotRetentionPeriod | ge | 3 |
AutomatedSnapshotRetentionPeriod | le | 90 |