Control: 2 Connections to Redshift Serverless workgroups should be required to use SSL
Description
This control checks whether connections to an Amazon Redshift Serverless workgroup are required to encrypt data in transit. The control fails if the require_ssl configuration parameter for the workgroup is set to false.
An Amazon Redshift Serverless workgroup is a collection of compute resources such as RPUs, VPC subnet groups, and security groups. Properties of a workgroup include network and security settings, and these settings specify whether connections to the workgroup must use SSL to encrypt data in transit.
Remediation
For information about updating the settings for an Amazon Redshift Serverless workgroup to require SSL connections, see Connecting to Amazon Redshift Serverless in the Amazon Redshift Management Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_2 --share
SQL
This control uses a named query:
with workgroup_require_ssl_parameter_value as (
  select
    workgroup_arn
  from
    aws_redshiftserverless_workgroup as w,
    jsonb_array_elements(config_parameters) as p
  where
    p ->> 'ParameterKey' = 'require_ssl'
    and p ->> 'ParameterValue' = 'true'
)
select
  w.workgroup_arn as resource,
  case
    when p.workgroup_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.workgroup_arn is not null then title || ' encryption in transit enabled.'
    else title || ' encryption in transit disabled.'
  end as reason,
  region,
  account_id
from
  aws_redshiftserverless_workgroup as w
  left join workgroup_require_ssl_parameter_value as p on w.workgroup_arn = p.workgroup_arn;