Redshift Cluster Automated Snapshots
Overview
This check verifies that your Amazon Redshift clusters have automated snapshots enabled with a retention period greater than zero. Automated snapshots are point-in-time backups that AWS creates automatically, allowing you to restore your data warehouse if something goes wrong.
Risk
Without automated snapshots, your Redshift cluster has no recent recovery points. This means:
- Data loss: Accidental deletions, failed ETL jobs, or malicious changes cannot be undone
- Extended downtime: Recovery takes much longer without backups
- Compliance gaps: Many regulations require regular backups of data systems
- Forensic limitations: No historical snapshots to analyze if a security incident occurs
Severity: High
Remediation Steps
Prerequisites
You need permission to modify Redshift clusters in your AWS account. Specifically, the redshift:ModifyCluster permission is required.
AWS Console Method
- Sign in to the AWS Console and go to Amazon Redshift
- In the left navigation, click Clusters
- Select the cluster that needs remediation
- Click the Modify button (or choose Actions > Modify)
- Scroll to the Backup section
- Set Automated snapshot retention period to at least 1 day (7 days recommended)
- Click Modify cluster to save changes
The change takes effect immediately. No cluster restart is required.
AWS CLI (optional)
Use the modify-cluster command to enable automated snapshots:
# Enable automated snapshots with 7-day retention
aws redshift modify-cluster \
  --cluster-identifier <your-cluster-identifier> \
  --automated-snapshot-retention-period 7 \
  --region us-east-1
Parameters:
- --cluster-identifier: Your Redshift cluster's unique name
- --automated-snapshot-retention-period: Number of days to keep snapshots (1-35)
Example with a specific cluster:
aws redshift modify-cluster \
  --cluster-identifier my-data-warehouse \
  --automated-snapshot-retention-period 7 \
  --region us-east-1
To check all clusters and their current snapshot settings:
aws redshift describe-clusters \
  --query 'Clusters[*].{ClusterID:ClusterIdentifier,SnapshotRetention:AutomatedSnapshotRetentionPeriod}' \
  --output table \
  --region us-east-1
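Added example (not from the original page or from Prowler): a POSIX shell filter that takes the same describe-clusters data as tab-separated text and classifies each cluster against this check, printing the modify-cluster command for each failing cluster so it can be reviewed before it is run. The PASS/WARN/FAIL/UNKNOWN labels, the function names and the sample cluster names are assumptions made for this illustration.

```bash
#!/bin/sh
# Added example. Reads "cluster-id<TAB>retention-days" lines on stdin, e.g. from:
#   aws redshift describe-clusters --region us-east-1 --output text \
#     --query 'Clusters[*].[ClusterIdentifier,AutomatedSnapshotRetentionPeriod]'

RECOMMENDED_DAYS=7   # value the page recommends; 0 means snapshots are disabled

# Emit "STATUS<TAB>cluster<TAB>days" per cluster.
# FAIL = 0 days, WARN = below the recommended value, UNKNOWN = unparseable line.
classify_retention() {
  awk -F'\t' -v rec="$RECOMMENDED_DAYS" '
    NF == 0 { next }
    $1 !~ /^[a-z][a-z0-9-]*$/ || $2 !~ /^[0-9]+$/ { print "UNKNOWN\t" $1 "\t-"; next }
    $2 + 0 == 0       { print "FAIL\t" $1 "\t" $2; next }
    $2 + 0 < rec + 0  { print "WARN\t" $1 "\t" $2; next }
                      { print "PASS\t" $1 "\t" $2 }'
}

# Print one modify-cluster command per FAIL cluster for review; nothing is executed.
# $1 is the region the input was collected from.
remediation_commands() {
  classify_retention | awk -F'\t' -v rec="$RECOMMENDED_DAYS" -v region="$1" '
    $1 == "FAIL" {
      printf "aws redshift modify-cluster --cluster-identifier %s ", $2
      printf "--automated-snapshot-retention-period %d --region %s\n", rec, region
    }'
}

# Print the report; return 0 when no cluster is FAIL or UNKNOWN, 1 otherwise (CI gate).
audit_clusters() {
  _report=$(classify_retention)
  printf '%s\n' "$_report"
  ! printf '%s\n' "$_report" | grep -Eq '^(FAIL|UNKNOWN)'
}

# Constructed sample input (not real clusters).
sample_clusters() {
  printf 'analytics-prod\t7\nanalytics-dev\t0\nreporting\t1\n'
}

# Demo on the constructed sample.
sample_clusters | audit_clusters || echo "non-compliant clusters found"
sample_clusters | remediation_commands us-east-1
```

Lines whose identifier or retention value does not parse are reported as UNKNOWN and fail the gate rather than being silently skipped.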
CloudFormation (optional)
Use the AutomatedSnapshotRetentionPeriod property when defining your Redshift cluster:
AWSTemplateFormatVersion: '2010-09-09'
Description: Redshift cluster with automated snapshots enabled
Parameters:
  ClusterIdentifier:
    Type: String
    Description: Unique identifier for the Redshift cluster
  MasterUsername:
    Type: String
    Description: Master username for the cluster
  MasterUserPassword:
    Type: String
    Description: Master password for the cluster
    NoEcho: true
  NodeType:
    Type: String
    Default: dc2.large
    Description: Node type for the cluster
  SnapshotRetentionPeriod:
    Type: Number
    Default: 7
    MinValue: 1
    MaxValue: 35
    Description: Number of days to retain automated snapshots
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      DBName: mydb
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      NodeType: !Ref NodeType
      ClusterType: single-node
      AutomatedSnapshotRetentionPeriod: !Ref SnapshotRetentionPeriod
Outputs:
  ClusterEndpoint:
    Description: Redshift cluster endpoint
    Value: !GetAtt RedshiftCluster.Endpoint.Address
Key property:
AutomatedSnapshotRetentionPeriod: Set to 1-35 days (0 disables snapshots)
Terraform (optional)
Use the automated_snapshot_retention_period argument in your aws_redshift_cluster resource:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
provider "aws" {
  region = "us-east-1"
}
variable "cluster_identifier" {
  description = "Unique identifier for the Redshift cluster"
  type        = string
}
variable "master_username" {
  description = "Master username for the cluster"
  type        = string
}
variable "master_password" {
  description = "Master password for the cluster"
  type        = string
  sensitive   = true
}
variable "node_type" {
  description = "Node type for the cluster"
  type        = string
  default     = "dc2.large"
}
variable "snapshot_retention_period" {
  description = "Number of days to retain automated snapshots (1-35)"
  type        = number
  default     = 7
}
resource "aws_redshift_cluster" "main" {
  cluster_identifier                  = var.cluster_identifier
  database_name                       = "mydb"
  master_username                     = var.master_username
  master_password                     = var.master_password
  node_type                           = var.node_type
  cluster_type                        = "single-node"
  automated_snapshot_retention_period = var.snapshot_retention_period
  skip_final_snapshot                 = false
  final_snapshot_identifier           = "${var.cluster_identifier}-final-snapshot"
}
output "cluster_endpoint" {
  description = "Redshift cluster endpoint"
  value       = aws_redshift_cluster.main.endpoint
}
Key argument:
automated_snapshot_retention_period: Set to 1-35 (default is 1 if not specified)
Verification
After making changes, confirm automated snapshots are enabled:
- In the AWS Console, go to Amazon Redshift > Clusters
- Select your cluster and view the Backup tab
- Verify the Automated snapshot retention period shows a value greater than 0
CLI verification
aws redshift describe-clusters \
  --cluster-identifier <your-cluster-identifier> \
  --query 'Clusters[0].AutomatedSnapshotRetentionPeriod' \
  --region us-east-1
The output should be a number greater than 0 (e.g., 7).
To re-run the Prowler check:
prowler aws -c redshift_cluster_automated_snapshot --region us-east-1
Additional Resources
- Amazon Redshift Snapshots
- AWS Redshift CloudFormation Reference
- Terraform aws_redshift_cluster Resource
Notes
- Retention period range: Valid values are 1-35 days. Setting to 0 disables automated snapshots entirely (not recommended).
- Storage costs: Automated snapshots consume storage. AWS provides free snapshot storage equal to your cluster's provisioned storage; you pay for storage beyond that.
- Cross-region copies: For disaster recovery, consider copying snapshots to another region. This requires additional configuration.
- Manual snapshots: Automated snapshots are deleted when the cluster is deleted. If you need long-term retention, create manual snapshots or copy automated snapshots before cluster deletion.
- No downtime: Enabling or changing snapshot retention does not cause cluster downtime.