Control: Connections to Redshift Serverless workgroups should be required to use SSL
Description
This control checks whether connections to an Amazon Redshift Serverless workgroup are required to encrypt data in transit. The control fails if the require_ssl configuration parameter for the workgroup is set to false.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.redshiftserverless_workgroup_encryption_in_transit_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.redshiftserverless_workgroup_encryption_in_transit_enabled --share
SQL
This control uses a named query:
with workgroup_require_ssl_parameter_value as (
  select
    workgroup_arn
  from
    aws_redshiftserverless_workgroup as w,
    jsonb_array_elements(config_parameters) as p
  where
    p ->> 'ParameterKey' = 'require_ssl'
    and p ->> 'ParameterValue' = 'true'
)
select
  w.workgroup_arn as resource,
  case
    when p.workgroup_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.workgroup_arn is not null then title || ' encryption in transit enabled.'
    else title || ' encryption in transit disabled.'
  end as reason,
  region,
  account_id
from
  aws_redshiftserverless_workgroup as w
  left join workgroup_require_ssl_parameter_value as p on w.workgroup_arn = p.workgroup_arn;
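The named query puts every workgroup that has no require_ssl entry equal to 'true' into alarm, so a workgroup with the parameter set to false and one where the parameter is absent from config_parameters look the same in the results. The following triage query is an added example, not part of the aws_compliance mod; it uses only the table and columns that appear in the query above and reports the two cases separately.

```sql
-- Added triage query (not from the aws_compliance mod).
-- Shows the stored require_ssl value for each workgroup and separates
-- "set to something other than 'true'" from "parameter not present".
select
  w.workgroup_arn,
  w.region,
  w.account_id,
  p.elem ->> 'ParameterValue' as require_ssl_value,
  case
    when p.elem is null then 'require_ssl not present'
    when p.elem ->> 'ParameterValue' = 'true' then 'ssl required'
    else 'ssl not required'
  end as finding
from
  aws_redshiftserverless_workgroup as w
  -- The lateral subquery returns at most one row per workgroup; the left
  -- join keeps workgroups whose config_parameters is null or has no
  -- require_ssl entry.
  left join lateral (
    select
      elem
    from
      jsonb_array_elements(w.config_parameters) as elem
    where
      elem ->> 'ParameterKey' = 'require_ssl'
    limit 1
  ) as p on true
order by
  finding,
  w.workgroup_arn;
```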