Redshift Cluster Automatic Version Upgrades

Overview

This check verifies that Amazon Redshift clusters have automatic major version upgrades enabled. When enabled, AWS automatically applies major engine upgrades during your scheduled maintenance window, keeping your cluster current with the latest features and security patches.

Risk

Running outdated Redshift engine versions exposes your data warehouse to known security vulnerabilities. Without automatic upgrades:

  • Security vulnerabilities remain unpatched, increasing the risk of data breaches
  • Known bugs may cause unexpected downtime or data integrity issues
  • Extended patch delays widen your vulnerability window
  • Compliance requirements may be violated if systems are not kept current

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify Redshift clusters, or
  • AWS CLI configured with appropriate credentials

Required IAM permissions

Your IAM user or role needs the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:ModifyCluster",
        "redshift:DescribeClusters"
      ],
      "Resource": "arn:aws:redshift:us-east-1:<account-id>:cluster:<cluster-identifier>"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Console and navigate to Amazon Redshift
  2. In the left navigation, click Clusters
  3. Select the cluster you want to modify by clicking its identifier
  4. Click the Maintenance tab
  5. Click Modify (or Edit maintenance)
  6. Find the Maintenance settings section
  7. Check the box for Allow version upgrade (or toggle it to Enabled)
  8. Click Save changes

The setting takes effect immediately. AWS will apply major version upgrades during your next scheduled maintenance window.

AWS CLI (optional)

Use the following command to enable automatic version upgrades on an existing cluster:

aws redshift modify-cluster \
--cluster-identifier <your-cluster-identifier> \
--allow-version-upgrade \
--region us-east-1

Replace <your-cluster-identifier> with your actual cluster name.

Example:

aws redshift modify-cluster \
--cluster-identifier my-data-warehouse \
--allow-version-upgrade \
--region us-east-1

Verify the change:

aws redshift describe-clusters \
--cluster-identifier <your-cluster-identifier> \
--query 'Clusters[0].AllowVersionUpgrade' \
--region us-east-1

This should return true.

CloudFormation (optional)

When creating or updating a Redshift cluster via CloudFormation, set AllowVersionUpgrade to true:

AWSTemplateFormatVersion: '2010-09-09'
Description: Redshift cluster with automatic version upgrades enabled

Parameters:
  ClusterIdentifier:
    Type: String
    Description: The identifier of the Redshift cluster
  MasterUsername:
    Type: String
    Description: The master username for the cluster
    NoEcho: true
  MasterUserPassword:
    Type: String
    Description: The master password for the cluster
    NoEcho: true
  NodeType:
    Type: String
    Default: dc2.large
    Description: The node type for the cluster
    AllowedValues:
      - dc2.large
      - dc2.8xlarge
      - ra3.large
      - ra3.xlplus
      - ra3.4xlarge
      - ra3.16xlarge

Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      DBName: mydb
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      NodeType: !Ref NodeType
      ClusterType: single-node
      AllowVersionUpgrade: true # Enable automatic version upgrades

Outputs:
  ClusterEndpoint:
    Description: The endpoint of the Redshift cluster
    Value: !GetAtt RedshiftCluster.Endpoint.Address

Best practice: Use AWS Secrets Manager or Systems Manager Parameter Store for credentials instead of template parameters. See Dynamic References in the CloudFormation documentation.

Terraform (optional)

When managing Redshift clusters with Terraform, set allow_version_upgrade = true:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "The identifier of the Redshift cluster"
  type        = string
}

variable "master_username" {
  description = "The master username for the cluster"
  type        = string
  sensitive   = true
}

variable "master_password" {
  description = "The master password for the cluster"
  type        = string
  sensitive   = true
}

resource "aws_redshift_cluster" "example" {
  cluster_identifier = var.cluster_identifier
  database_name      = "mydb"
  master_username    = var.master_username
  master_password    = var.master_password
  node_type          = "dc2.large"
  cluster_type       = "single-node"

  # Enable automatic version upgrades
  allow_version_upgrade = true

  skip_final_snapshot = true
}

output "cluster_endpoint" {
  description = "The endpoint of the Redshift cluster"
  value       = aws_redshift_cluster.example.endpoint
}

To modify an existing cluster, add or update the allow_version_upgrade attribute and run:

terraform plan
terraform apply

Verification

After making the change, verify that automatic version upgrades are enabled:

  1. In the AWS Console, go to Amazon Redshift > Clusters
  2. Click on your cluster identifier
  3. On the Maintenance tab, confirm that Allow version upgrade shows as Enabled (or Yes)

CLI verification

aws redshift describe-clusters \
--cluster-identifier <your-cluster-identifier> \
--query 'Clusters[0].{ClusterIdentifier:ClusterIdentifier,AllowVersionUpgrade:AllowVersionUpgrade}' \
--output table \
--region us-east-1

Expected output:

--------------------------------------------------
|                DescribeClusters                |
+------------------------+-----------------------+
|  AllowVersionUpgrade   |   ClusterIdentifier   |
+------------------------+-----------------------+
|  True                  |  my-data-warehouse    |
+------------------------+-----------------------+
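The console and CLI steps above verify one cluster at a time. The following is an added example (not part of this page or of AWS tooling) that evaluates every cluster in a region the way this check does: it reads the Clusters list in the shape returned by describe-clusters, flags any cluster whose AllowVersionUpgrade is not true (a missing field fails closed), and emits the modify-cluster command from this page as the remediation. The evaluation runs offline against a constructed sample; audit_region() assumes boto3 and credentials with redshift:DescribeClusters.

```python
"""Region-wide audit of AllowVersionUpgrade (added example, not from the page).
evaluate_clusters() takes the "Clusters" list as returned by
`aws redshift describe-clusters` / boto3, so it runs offline on the constructed
sample below; audit_region() wires the same logic to a live boto3 call.
"""
from typing import Dict, Iterable, List

REMEDIATION = ("aws redshift modify-cluster --cluster-identifier {cid} "
               "--allow-version-upgrade --region {region}")

def evaluate_clusters(clusters: Iterable[Dict], region: str) -> List[Dict]:
    """Return one finding per cluster whose AllowVersionUpgrade is not true.

    A missing or non-boolean field is treated as non-compliant (fail closed),
    so a truncated or malformed response never passes the check silently.
    """
    findings = []
    for cluster in clusters:
        cid = cluster.get("ClusterIdentifier", "<unknown>")
        if cluster.get("AllowVersionUpgrade") is True:
            continue
        findings.append({
            "ClusterIdentifier": cid,
            "ClusterVersion": cluster.get("ClusterVersion"),
            "MaintenanceWindow": cluster.get("PreferredMaintenanceWindow"),
            "Remediation": REMEDIATION.format(cid=cid, region=region),
        })
    return findings

def audit_region(region: str) -> List[Dict]:
    """Live variant: needs boto3 and credentials with redshift:DescribeClusters."""
    import boto3  # imported here so the offline evaluation stays dependency-free
    paginator = boto3.client("redshift", region_name=region).get_paginator("describe_clusters")
    clusters = [c for page in paginator.paginate() for c in page.get("Clusters", [])]
    return evaluate_clusters(clusters, region)

# Constructed sample mimicking describe-clusters output; not real cluster data.
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "my-data-warehouse", "AllowVersionUpgrade": True,
     "ClusterVersion": "1.0", "PreferredMaintenanceWindow": "sun:05:00-sun:05:30"},
    {"ClusterIdentifier": "legacy-reporting", "AllowVersionUpgrade": False,
     "ClusterVersion": "1.0", "PreferredMaintenanceWindow": "sat:02:00-sat:02:30"},
    {"ClusterIdentifier": "partial-record"},  # field absent: must be flagged
]

if __name__ == "__main__":
    for finding in evaluate_clusters(SAMPLE_CLUSTERS, "us-east-1"):
        print(f"{finding['ClusterIdentifier']}: upgrades disabled -> {finding['Remediation']}")
```

The MaintenanceWindow field is included in each finding so the team applying the fix can see when the pending upgrade would land, per the Notes below.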

Notes

  • Maintenance window: Major version upgrades occur during the cluster's scheduled maintenance window. Review your maintenance window settings to ensure upgrades happen at an acceptable time.
  • Testing recommendation: Before enabling automatic upgrades in production, test new versions in a staging environment to ensure compatibility with your applications and queries.
  • Backup strategy: Maintain regular snapshots so you can restore to a previous state if needed after an upgrade.
  • No immediate upgrade: Enabling this setting does not trigger an immediate upgrade. AWS will apply the next major version during the upcoming maintenance window when one becomes available.
  • Default behavior: For new Redshift clusters, AllowVersionUpgrade defaults to true. This check may flag clusters where it was explicitly disabled or older clusters created with different defaults.