turbot/steampipe-mod-aws-compliance

Control: Connections to Redshift Serverless workgroups should be required to use SSL

Description

This control checks whether connections to an Amazon Redshift Serverless workgroup are required to encrypt data in transit. The control fails if the require_ssl configuration parameter for the workgroup is set to false.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.redshiftserverless_workgroup_encryption_in_transit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.redshiftserverless_workgroup_encryption_in_transit_enabled --share

SQL

This control uses a named query:

with workgroup_require_ssl_parameter_value as (
  select
    w.workgroup_arn
  from
    aws_redshiftserverless_workgroup as w,
    jsonb_array_elements(w.config_parameters) as p
  where
    p ->> 'ParameterKey' = 'require_ssl'
    and p ->> 'ParameterValue' = 'true'
)
select
  w.workgroup_arn as resource,
  case
    when p.workgroup_arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.workgroup_arn is not null then w.title || ' encryption in transit enabled.'
    else w.title || ' encryption in transit disabled.'
  end as reason,
  w.region,
  w.account_id
from
  aws_redshiftserverless_workgroup as w
  left join workgroup_require_ssl_parameter_value as p on w.workgroup_arn = p.workgroup_arn;
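The same evaluation expressed in Python, as an added example that is not part of the mod: it walks constructed rows shaped like the aws_redshiftserverless_workgroup table (config_parameters is a JSON array of ParameterKey/ParameterValue objects) and, exactly like the query's left join, reports alarm when require_ssl is false or simply absent from the workgroup's parameters. The workgroup names, ARNs and account id are constructed sample values.

```python
import json

# Constructed sample rows in the shape of the Steampipe aws_redshiftserverless_workgroup
# table. config_parameters is the JSON array the query unnests with jsonb_array_elements.
SAMPLE_WORKGROUPS = [
    {"workgroup_arn": "arn:aws:redshift-serverless:us-east-1:123456789012:workgroup/wg-ssl",
     "title": "wg-ssl", "region": "us-east-1", "account_id": "123456789012",
     "config_parameters": json.dumps([
         {"ParameterKey": "require_ssl", "ParameterValue": "true"},
         {"ParameterKey": "enable_user_activity_logging", "ParameterValue": "true"}])},
    {"workgroup_arn": "arn:aws:redshift-serverless:us-east-1:123456789012:workgroup/wg-plain",
     "title": "wg-plain", "region": "us-east-1", "account_id": "123456789012",
     "config_parameters": json.dumps([
         {"ParameterKey": "require_ssl", "ParameterValue": "false"}])},
    # No require_ssl entry at all: the query's CTE yields no row, so the left join is null.
    {"workgroup_arn": "arn:aws:redshift-serverless:eu-west-1:123456789012:workgroup/wg-unset",
     "title": "wg-unset", "region": "eu-west-1", "account_id": "123456789012",
     "config_parameters": json.dumps([
         {"ParameterKey": "max_query_execution_time", "ParameterValue": "14400"}])},
]


def require_ssl_enabled(config_parameters) -> bool:
    """Mirror the CTE: true only if a require_ssl parameter exists with value 'true'."""
    if isinstance(config_parameters, str):
        config_parameters = json.loads(config_parameters)
    params = config_parameters or []
    return any(p.get("ParameterKey") == "require_ssl" and p.get("ParameterValue") == "true"
               for p in params)


def evaluate_workgroup(row: dict) -> dict:
    """Produce the same resource/status/reason/region/account_id columns as the control."""
    ok = require_ssl_enabled(row.get("config_parameters"))
    return {
        "resource": row["workgroup_arn"],
        "status": "ok" if ok else "alarm",
        "reason": f"{row['title']} encryption in transit {'enabled' if ok else 'disabled'}.",
        "region": row["region"],
        "account_id": row["account_id"],
    }


def evaluate_all(rows) -> list:
    return [evaluate_workgroup(r) for r in rows]


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_WORKGROUPS):
        print(f"{result['status']:5} {result['resource']}  {result['reason']}")
```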

Tags