Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: Redshift clusters should be encrypted with CMK

Description

Ensure Redshift cluster is encrypted using CMK. The rule is non-compliant if the Redshift clusters is not encrypted using CMK.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.redshift_cluster_encrypted_with_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.redshift_cluster_encrypted_with_cmk --share

SQL

This control uses a named query:

with redshift_clusters as (
  select
    arn,
    region,
    account_id,
    kms_key_id,
    encrypted,
    title,
    tags,
    _ctx
  from
  aws_redshift_cluster
), kms_keys as (
  select
    k.arn,
    k.key_manager
  from
    aws_kms_key as k
)
select
  r.arn as resource,
  case
    when not encrypted then 'alarm'
    when encrypted and c.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not encrypted then title || ' not encrypted.'
    when encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
    else title || ' not encrypted with CMK.'
  end as reason
  
  , region, account_id
from
  redshift_clusters as r
  left join kms_keys as c on r.kms_key_id = c.arn;

Tags

category = Compliance
plugin = aws
service = AWS/Redshift