Verify that new Amazon Redshift clusters have required SSL endpoints
Created by Priyanka Chaudhary (AWS)
Environment: Production | Technologies: Security, identity, compliance; Analytics | AWS services: AWS CloudTrail; Amazon CloudWatch Events; Amazon Redshift; Amazon SNS; AWS Lambda |
Summary
This pattern provides an Amazon Web Services (AWS) CloudFormation template that automatically notifies you when a new Amazon Redshift cluster is launched without Secure Sockets Layer (SSL) endpoints.
Amazon Redshift is a fully managed, petabyte-scale, cloud-based data warehouse service. It is designed for large-scale dataset storage and analysis. It is also used to perform large-scale database migrations. For security, Amazon Redshift supports SSL to encrypt the connection between the user's SQL Server client application and the Amazon Redshift cluster. To configure your cluster to require an SSL connection, you set the require_SSL parameter to true in the parameter group that is associated with the cluster during launch.
The security control provided with this pattern monitors Amazon Redshift API calls in AWS CloudTrail logs and initiates an Amazon CloudWatch Events event for the CreateCluster, ModifyCluster, RestoreFromClusterSnapshot, CreateClusterParameterGroup, and ModifyClusterParameterGroup APIs. When the event detects one of these APIs, it calls AWS Lambda, which runs a Python script. The Python function analyzes the CloudWatch event for the listed CloudTrail events. When an Amazon Redshift cluster is created, modified, or restored from an existing snapshot, a new parameter group is created for the cluster, or an existed parameter group is modified, the function checks the require_SSL parameter for the cluster. If the parameter value is false, the function sends an Amazon Simple Notification Service (Amazon SNS) notification to the user with the relevant information: the Amazon Redshift cluster name, AWS Region, AWS account, and Amazon Resource Name (ARN) for Lambda that this notification is sourced from.
Prerequisites and limitations
Prerequisites
An active AWS account.
A virtual private cloud (VPC) with a cluster subnet group, and an associated security group.
Limitations
This security control is regional. You must deploy it in each AWS Region you want to monitor.
Architecture
Target architecture
Automation and scale
If you are using AWS Organizations
, you can use AWS Cloudformation StackSets to deploy this template in multiple accounts that you want to monitor.
Tools
AWS services
AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually.
Amazon CloudWatch Events – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.
AWS Lambda
– AWS Lambda is a compute service that supports running code without provisioning or managing servers. Amazon Redshift – Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud.
Amazon S3 – Amazon Simple Storage Service (Amazon S3) is an object storage service. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web.
Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
Code
This pattern includes the following attachments:
RedshiftSSLEndpointsRequired.zip– The Lambda code for the security control.RedshiftSSLEndpointsRequired.yml– The CloudFormation template that sets up the event and Lambda function.
Epics
| Task | Description | Skills required |
|---|---|---|
Define the S3 bucket. | On the Amazon S3 console | Cloud architect |
Upload the Lambda code. | Upload the Lambda code .zip file provided in the Attachments section to the S3 bucket. | Cloud architect |
| Task | Description | Skills required |
|---|---|---|
Launch the AWS CloudFormation template. | Open the AWS CloudFormation console | Cloud architect |
Complete the parameters in the template. | When you launch the template, you'll be prompted for the following information:
| Cloud architect |
| Task | Description | Skills required |
|---|---|---|
Confirm the subscription. | When the CloudFormation template deploys successfully, it sends a subscription email to the email address you provided. You must confirm this email subscription to start receiving violation notifications. | Cloud architect |
Related resources
Creating an S3 bucket (Amazon S3 documentation)
Uploading files to an S3 bucket (Amazon S3 documentation)
Creating a stack on the AWS CloudFormation console (AWS CloudFormation documentation)
Creating a CloudWatch Events rule that triggers on an AWS API call using AWS CloudTrail (AWS CloudTrail documentation)
Creating an Amazon Redshift cluster (Amazon Redshift documentation)
Configuring security options for connections (Amazon Redshift documentation)
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip
