Check if Redshift Clusters Have In-Transit Encryption Enabled

Overview

This check verifies that your Amazon Redshift clusters require SSL/TLS encryption for all client connections. When enabled, this setting forces all data transmitted between your applications and the Redshift cluster to be encrypted, protecting it from interception.

Risk

Without in-transit encryption, data traveling between clients and your Redshift cluster is sent in plain text. This creates several serious risks:

  • Data exposure: Credentials, queries, and query results can be intercepted by attackers
  • Data tampering: SQL statements or returned data could be modified in transit
  • Session hijacking: Attackers could take over database sessions, disrupting workloads

This is a high-severity finding that affects compliance with CIS, GDPR, HIPAA, PCI-DSS, SOC2, and other frameworks.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify Redshift parameter groups, or
  • AWS CLI configured with appropriate credentials

AWS Console Method

  1. Open the Amazon Redshift console
  2. In the left navigation, click Configurations, then Parameter groups
  3. Select the parameter group associated with your cluster
  4. Click Edit parameters
  5. Find the parameter named require_ssl
  6. Change its value to true
  7. Click Save
  8. Important: Reboot your cluster for the change to take effect (this parameter requires a restart)

To reboot the cluster:

  1. Go to Clusters in the left navigation
  2. Select your cluster
  3. From the Actions dropdown, choose Reboot

AWS CLI (optional)

Step 1: Identify the parameter group used by your cluster

aws redshift describe-clusters \
    --region us-east-1 \
    --query "Clusters[*].[ClusterIdentifier,ClusterParameterGroups[0].ParameterGroupName]" \
    --output table

Step 2: Enable require_ssl in the parameter group

Replace <your-parameter-group-name> with the actual parameter group name:

aws redshift modify-cluster-parameter-group \
    --region us-east-1 \
    --parameter-group-name <your-parameter-group-name> \
    --parameters "ParameterName=require_ssl,ParameterValue=true"

Step 3: Reboot the cluster to apply the change

Replace <your-cluster-identifier> with your cluster name:

aws redshift reboot-cluster \
    --region us-east-1 \
    --cluster-identifier <your-cluster-identifier>

CloudFormation (optional)

Create or update a parameter group with SSL required:

AWSTemplateFormatVersion: '2010-09-09'
Description: Redshift Parameter Group with SSL Required

Parameters:
  ParameterGroupName:
    Type: String
    Description: Name for the Redshift parameter group
    Default: redshift-ssl-required

Resources:
  RedshiftSSLParameterGroup:
    Type: AWS::Redshift::ClusterParameterGroup
    Properties:
      Description: Parameter group enforcing SSL connections
      ParameterGroupFamily: redshift-1.0
      ParameterGroupName: !Ref ParameterGroupName
      Parameters:
        - ParameterName: require_ssl
          ParameterValue: 'true'

Outputs:
  ParameterGroupNameOutput:
    Description: The name of the parameter group
    Value: !Ref RedshiftSSLParameterGroup

After deploying, associate this parameter group with your cluster and reboot it.

Terraform (optional)

variable "parameter_group_name" {
  description = "Name for the Redshift parameter group"
  type        = string
  default     = "redshift-ssl-required"
}

resource "aws_redshift_parameter_group" "ssl_required" {
  name   = var.parameter_group_name
  family = "redshift-1.0"

  parameter {
    name  = "require_ssl"
    value = "true"
  }

  tags = {
    Purpose = "Enforce SSL connections"
  }
}

# Reference this parameter group in your cluster configuration:
# cluster_parameter_group_name = aws_redshift_parameter_group.ssl_required.name

After applying, associate this parameter group with your cluster and reboot it.

Verification

After making changes and rebooting your cluster:

  1. In the Redshift console, go to Configurations > Parameter groups
  2. Click on your parameter group
  3. Search for require_ssl and confirm it shows true

CLI verification

aws redshift describe-cluster-parameters \
    --region us-east-1 \
    --parameter-group-name <your-parameter-group-name> \
    --query "Parameters[?ParameterName=='require_ssl'].ParameterValue" \
    --output text

This should return true.

You can also test the change by attempting to connect to the cluster without SSL; the connection should be rejected.
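The CLI steps above look at one parameter group at a time. The following script, an added example that is not part of this page, applies the same check across every cluster in a region: it reads require_ssl from each cluster's parameter group and also reports when the value is set but still waiting for the reboot described in Step 3 (the ParameterApplyStatus field of describe-clusters). The sample clusters and parameter-group names embedded in it are constructed placeholders; fetch_from_aws pulls the same data live with boto3 and is only needed against a real account.

```python
# Constructed sample data shaped like the describe-clusters and describe-cluster-parameters
# API responses; cluster and parameter-group names are placeholders, not real resources.
SAMPLE_CLUSTERS = [
    {"ClusterIdentifier": "analytics-prod", "ClusterParameterGroups": [
        {"ParameterGroupName": "redshift-ssl-required", "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "analytics-dev", "ClusterParameterGroups": [
        {"ParameterGroupName": "default.redshift-1.0", "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "reporting", "ClusterParameterGroups": [
        {"ParameterGroupName": "reporting-pg", "ParameterApplyStatus": "pending-reboot"}]},
]
SAMPLE_PARAMETERS = {
    "redshift-ssl-required": [{"ParameterName": "require_ssl", "ParameterValue": "true"}],
    "default.redshift-1.0": [{"ParameterName": "require_ssl", "ParameterValue": "false"}],
    "reporting-pg": [{"ParameterName": "require_ssl", "ParameterValue": "true"}],
}

def require_ssl_enabled(parameters: list) -> bool:
    """True when require_ssl is 'true'; the API returns parameter values as strings."""
    for p in parameters:
        if p.get("ParameterName") == "require_ssl":
            return str(p.get("ParameterValue", "")).strip().lower() == "true"
    return False  # parameter absent from the group: Redshift's default is false

def evaluate_clusters(clusters: list, params_by_group: dict) -> dict:
    """Map each cluster identifier to PASS, FAIL or PENDING_REBOOT."""
    results = {}
    for c in clusters:
        groups = c.get("ClusterParameterGroups") or []
        enabled = bool(groups) and all(
            require_ssl_enabled(params_by_group.get(g["ParameterGroupName"], [])) for g in groups)
        if not enabled:
            results[c["ClusterIdentifier"]] = "FAIL"
        elif any(g.get("ParameterApplyStatus") != "in-sync" for g in groups):
            results[c["ClusterIdentifier"]] = "PENDING_REBOOT"  # static parameter not yet applied
        else:
            results[c["ClusterIdentifier"]] = "PASS"
    return results

def fetch_from_aws(region: str) -> tuple:
    """Collect the same two data sets live with boto3 (credentials needed; import deferred)."""
    import boto3
    rs = boto3.client("redshift", region_name=region)
    clusters = [c for page in rs.get_paginator("describe_clusters").paginate()
                for c in page["Clusters"]]
    params_by_group = {}
    for name in {g["ParameterGroupName"] for c in clusters for g in c.get("ClusterParameterGroups", [])}:
        pages = rs.get_paginator("describe_cluster_parameters").paginate(ParameterGroupName=name)
        params_by_group[name] = [p for page in pages for p in page["Parameters"]]
    return clusters, params_by_group
```

Against a real account, call evaluate_clusters(*fetch_from_aws("us-east-1")); on the constructed sample it reports analytics-prod as PASS, analytics-dev as FAIL and reporting as PENDING_REBOOT.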

Notes

  • The require_ssl parameter is a static parameter, meaning a cluster reboot is required for changes to take effect
  • After enabling SSL, ensure your client applications are configured to use SSL connections
  • If you are using the default parameter group, you cannot modify it directly; create a custom parameter group instead, then associate it with your cluster
  • Consider also enabling encryption at rest for complete data protection