turbot/steampipe-mod-aws-compliance

Control: 2 Connections to Redshift Serverless workgroups should be required to use SSL

Description

This control checks whether connections to an Amazon Redshift Serverless workgroup are required to encrypt data in transit. The control fails if the require_ssl configuration parameter for the workgroup is set to false.

An Amazon Redshift Serverless workgroup is a collection of compute resources such as RPUs, VPC subnet groups, and security groups. A workgroup's properties include its network and security settings, which specify whether connections to the workgroup must use SSL to encrypt data in transit.

Remediation

For information about updating the settings for an Amazon Redshift Serverless workgroup to require SSL connections, see Connecting to Amazon Redshift Serverless in the Amazon Redshift Management Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_2 --share

SQL

This control uses a named query:

with workgroup_require_ssl_parameter_value as (
  select
    workgroup_arn
  from
    aws_redshiftserverless_workgroup as w,
    jsonb_array_elements(config_parameters) as p
  where
    p ->> 'ParameterKey' = 'require_ssl'
    and p ->> 'ParameterValue' = 'true'
)
select
  w.workgroup_arn as resource,
  case
    when p.workgroup_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.workgroup_arn is not null then w.title || ' encryption in transit enabled.'
    else w.title || ' encryption in transit disabled.'
  end as reason,
  w.region,
  w.account_id
from
  aws_redshiftserverless_workgroup as w
  left join workgroup_require_ssl_parameter_value as p on w.workgroup_arn = p.workgroup_arn;
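The query above only marks a workgroup "ok" when a config_parameters element has ParameterKey 'require_ssl' with the exact string value 'true'; a workgroup whose parameter is absent, or whose value is anything else, lands in the left join's null side and is reported as "alarm". The following Python is an added example, not code from the steampipe-mod-aws-compliance project, that reproduces that decision over constructed workgroup records shaped like rows of the aws_redshiftserverless_workgroup table (the ARNs, titles and account id are invented sample values).

```python
"""Reproduce the control's pass/fail decision in plain Python.

Added example, not part of the mod. Each record mirrors a row of the Steampipe
aws_redshiftserverless_workgroup table: config_parameters is a list of
{"ParameterKey": ..., "ParameterValue": ...} objects, as in the SQL.
"""
from typing import Any, Dict, List, Optional

# Constructed sample rows (not real resources): one compliant workgroup, one with
# require_ssl explicitly false, one with the parameter absent, and one with a
# differently-cased value to show the exact-match behaviour of the query.
SAMPLE_WORKGROUPS: List[Dict[str, Any]] = [
    {
        "workgroup_arn": "arn:aws:redshift-serverless:us-east-1:111111111111:workgroup/wg-ssl-on",
        "title": "wg-ssl-on", "region": "us-east-1", "account_id": "111111111111",
        "config_parameters": [
            {"ParameterKey": "require_ssl", "ParameterValue": "true"},
            {"ParameterKey": "enable_user_activity_logging", "ParameterValue": "true"},
        ],
    },
    {
        "workgroup_arn": "arn:aws:redshift-serverless:us-east-1:111111111111:workgroup/wg-ssl-off",
        "title": "wg-ssl-off", "region": "us-east-1", "account_id": "111111111111",
        "config_parameters": [{"ParameterKey": "require_ssl", "ParameterValue": "false"}],
    },
    {
        "workgroup_arn": "arn:aws:redshift-serverless:us-east-1:111111111111:workgroup/wg-no-param",
        "title": "wg-no-param", "region": "us-east-1", "account_id": "111111111111",
        "config_parameters": [{"ParameterKey": "datestyle", "ParameterValue": "ISO, MDY"}],
    },
    {
        "workgroup_arn": "arn:aws:redshift-serverless:us-east-1:111111111111:workgroup/wg-upper",
        "title": "wg-upper", "region": "us-east-1", "account_id": "111111111111",
        "config_parameters": [{"ParameterKey": "require_ssl", "ParameterValue": "TRUE"}],
    },
]


def require_ssl_enabled(config_parameters: Optional[List[Dict[str, Any]]]) -> bool:
    """Mirror the CTE: true only if some element has ParameterKey 'require_ssl'
    and ParameterValue exactly 'true' (the SQL compares strings, so 'TRUE' fails)."""
    return any(
        p.get("ParameterKey") == "require_ssl" and p.get("ParameterValue") == "true"
        for p in (config_parameters or [])
    )


def evaluate(workgroup: Dict[str, Any]) -> Dict[str, str]:
    """Produce the same columns the control's SELECT returns for one workgroup."""
    ok = require_ssl_enabled(workgroup.get("config_parameters"))
    state = "enabled" if ok else "disabled"
    return {
        "resource": workgroup["workgroup_arn"],
        "status": "ok" if ok else "alarm",
        "reason": f"{workgroup['title']} encryption in transit {state}.",
        "region": workgroup["region"],
        "account_id": workgroup["account_id"],
    }


def run_control(workgroups: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate every workgroup, like the left join over the whole table."""
    return [evaluate(w) for w in workgroups]


def alarmed_resources(workgroups: List[Dict[str, Any]]) -> List[str]:
    """ARNs a defender would need to remediate (status 'alarm')."""
    return [r["resource"] for r in run_control(workgroups) if r["status"] == "alarm"]


if __name__ == "__main__":
    for row in run_control(SAMPLE_WORKGROUPS):
        print(f"{row['status']:5} {row['resource']}  {row['reason']}")
```

Running it on the sample rows yields one "ok" and three "alarm" results; the absent-parameter and upper-case cases show that the control treats anything other than a literal 'true' as not requiring SSL, which is the conservative outcome for an encryption-in-transit check.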

Tags