Ensure an Amazon Redshift cluster is encrypted upon creation - AWS Prescriptive Guidance

Created by Mansi Suratwala (AWS)

Environment: Production

Technologies: Analytics; Data lakes; Security, identity, compliance

Workload: All other workloads

AWS services: Amazon Redshift; Amazon SNS; AWS CloudTrail; Amazon CloudWatch; AWS Lambda; Amazon S3

Summary

This pattern provides an AWS CloudFormation template that notifies you automatically when a new Amazon Redshift cluster is created without encryption.

The AWS CloudFormation template creates an Amazon CloudWatch Events rule and an AWS Lambda function. The rule matches the AWS CloudTrail API call events that record an Amazon Redshift cluster being created or being restored from a snapshot, and invokes the Lambda function for each matching event. If the cluster was created without AWS Key Management Service (AWS KMS) or hardware security module (HSM) encryption, the function sends you an Amazon Simple Notification Service (Amazon SNS) notification informing you of the violation.
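The following Python is an added illustration of the two pieces described above, the rule filter and the encryption decision; it is not the Lambda code attached to this pattern, which is not shown on the page. The event pattern, the SNS_TOPIC_ARN environment variable, the describe callback that stands in for the Redshift API, and the sample events (fake account ID and principal) are all assumptions made for the example.

```python
import os
from typing import Callable, Dict, Optional

# Rule pattern restricted to the two actions the pattern's limitation names (assumed to
# mirror the template's rule). A typo such as "aws.Redshift" silently matches nothing,
# which is why the matcher below is kept next to it.
EVENT_PATTERN: Dict = {
    "source": ["aws.redshift"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["redshift.amazonaws.com"],
        "eventName": ["CreateCluster", "RestoreFromClusterSnapshot"],
    },
}


def matches_pattern(event: Dict, pattern: Dict = EVENT_PATTERN) -> bool:
    """Subset of EventBridge matching: lists mean 'any of', dicts recurse, keys must exist."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def cluster_is_encrypted(cluster: Dict) -> bool:
    """Compliance test on a describe_clusters() record. Redshift reports Encrypted=True
    for both KMS- and HSM-backed clusters; KmsKeyId / HsmStatus only say which."""
    return bool(cluster.get("Encrypted"))


def evaluate(event: Dict, describe: Callable[[str], Dict]) -> Dict:
    """Decide whether the API call in `event` produced an unencrypted cluster.
    `describe` stands in for redshift.describe_clusters(ClusterIdentifier=x)["Clusters"][0].
    Checking requestParameters alone would misjudge RestoreFromClusterSnapshot: restoring an
    encrypted snapshot yields an encrypted cluster even when the request names no key."""
    detail = event["detail"]
    cluster_id = detail.get("requestParameters", {}).get("clusterIdentifier", "<unknown>")
    verdict = {
        "clusterIdentifier": cluster_id,
        "eventName": detail["eventName"],
        "principal": detail.get("userIdentity", {}).get("arn", "<unknown>"),
        "region": detail.get("awsRegion", "<unknown>"),
    }
    if "errorCode" in detail:
        # A failed call (e.g. AccessDenied) created nothing; do not page anyone for it.
        return {**verdict, "violation": False, "reason": detail["errorCode"]}
    cluster = describe(cluster_id)
    encrypted = cluster_is_encrypted(cluster)
    if cluster.get("KmsKeyId"):
        kind = "KMS"
    elif cluster.get("HsmStatus"):
        kind = "HSM"
    else:
        kind = "unspecified" if encrypted else "none"
    return {**verdict, "violation": not encrypted, "encryptionType": kind}


def build_message(verdict: Dict) -> str:
    """Plain-text SNS body, readable by the e-mail subscriber the template creates."""
    return (
        "Amazon Redshift encryption violation\n"
        f"Cluster:   {verdict['clusterIdentifier']}\n"
        f"Action:    {verdict['eventName']}\n"
        f"Principal: {verdict['principal']}\n"
        f"Region:    {verdict['region']}\n"
    )


def lambda_handler(event: Dict, context) -> Dict:
    """Deployed entry point; needs boto3 (in the Lambda runtime) and SNS_TOPIC_ARN (name assumed)."""
    import boto3  # imported here so everything above stays testable without AWS access
    if not matches_pattern(event):
        return {"violation": False}
    redshift = boto3.client("redshift")
    verdict = evaluate(event, lambda cid: redshift.describe_clusters(ClusterIdentifier=cid)["Clusters"][0])
    if verdict["violation"]:
        boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                                    Subject="Unencrypted Amazon Redshift cluster",
                                    Message=build_message(verdict))
    return verdict


def sample_event(event_name: str, cluster_id: str, encrypted_requested: Optional[bool] = None,
                 error: Optional[str] = None) -> Dict:
    """Constructed CloudTrail-via-CloudWatch Events record; account ID and principal are fake."""
    params: Dict = {"clusterIdentifier": cluster_id}
    if encrypted_requested is not None:
        params["encrypted"] = encrypted_requested
    detail: Dict = {"eventSource": "redshift.amazonaws.com", "eventName": event_name, "awsRegion": "us-east-1",
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": params}
    if error:
        detail["errorCode"] = error
    return {"source": "aws.redshift", "detail-type": "AWS API Call via CloudTrail", "detail": detail}
```

Two points worth keeping from this sketch when reviewing the attached code: the function's execution role needs redshift:DescribeClusters in addition to sns:Publish, and the decision should be made on the resulting cluster rather than on the request parameters, because a snapshot restore inherits the snapshot's encryption.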

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • A virtual private cloud (VPC) with a cluster subnet group, and an associated security group.

Limitations 

  • The AWS CloudFormation template watches only the CreateCluster and RestoreFromClusterSnapshot API actions. Clusters that already existed before deployment are not evaluated.

Architecture

Target technology stack  

  • Amazon Redshift

  • AWS CloudTrail

  • Amazon CloudWatch

  • AWS Lambda

  • Amazon Simple Storage Service (Amazon S3)

  • Amazon SNS

Target architecture 

Workflow diagram showing AWS services for encryption violation detection and notification.

Automation and scale

You can deploy the AWS CloudFormation template repeatedly, once in each AWS Region and account that you want to monitor. One deployment per Region in each account is sufficient, because CloudTrail API call events are delivered to CloudWatch Events in the Region where the call was made.

Tools

  • Amazon Redshift – Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. Amazon Redshift is integrated with your data lake, which enables you to use your data to acquire new insights for your business and customers.

  • AWS CloudTrail – AWS CloudTrail is an AWS service that helps you implement governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. 

  • Amazon CloudWatch Events – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. This capability is now part of Amazon EventBridge; the rules this pattern creates behave the same way under either name.

  • AWS Lambda – AWS Lambda supports running code without provisioning or managing servers. AWS Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. 

  • Amazon S3 – Amazon S3 is a highly scalable object storage service that you can use for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.

  • Amazon SNS – Amazon SNS is a web service that coordinates and manages the delivery of messages from publishers to subscribing endpoints, such as web servers and email addresses.

Code 

  • A .zip file of the project is available as an attachment.

Epics

Task: Define the S3 bucket.

Description: On the Amazon S3 console, choose or create an S3 bucket. This bucket hosts the Lambda code .zip file. It must be in the Region where you deploy the stack (the same Region as the Amazon Redshift clusters being evaluated), because Lambda can load its deployment package only from a bucket in its own Region. The S3 bucket's name cannot contain leading slashes.

Skills required: Cloud Architect
Task: Upload the Lambda code to the S3 bucket.

Description: Upload the Lambda code provided in the Attachments section to the S3 bucket. The S3 bucket must be in the same Region as the Amazon Redshift cluster being evaluated.

Skills required: Cloud Architect
Task: Deploy the AWS CloudFormation template.

Description: Deploy the AWS CloudFormation template that's provided as an attachment to this pattern. In the next epic, provide the values for the parameters.

Skills required: Cloud Architect
Task: Name the S3 bucket.

Description: Enter the name of the S3 bucket that you created in the first epic.

Skills required: Cloud Architect

Task: Provide the S3 key.

Description: Provide the location of the Lambda code .zip file in your S3 bucket, without leading slashes (for example, <directory>/<file-name>.zip).

Skills required: Cloud Architect

Task: Provide an email address.

Description: Provide an active email address to receive Amazon SNS notifications.

Skills required: Cloud Architect

Task: Define the logging level.

Description: Define the logging level for your Lambda function. Info designates detailed informational messages about the application's progress. Warning designates potentially harmful situations. Error designates error events that still allow the application to continue running. The level controls how much the function writes to its CloudWatch Logs, not whether a violation notification is sent.

Skills required: Cloud Architect
Task: Confirm the subscription.

Description: When the template successfully deploys, Amazon SNS sends a subscription confirmation email to the address you provided. You must confirm this subscription to receive violation notifications; until you do, the topic delivers nothing to that address.

Skills required: Cloud Architect

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip