Redshift Cluster Requires SSL
Overview
This check verifies that Amazon Redshift clusters require SSL/TLS encryption for all client connections. When require_ssl is set to true in the cluster's parameter group, Redshift rejects any connection attempt that does not use encryption.
Encrypting data in transit protects sensitive information (queries, credentials, and results) as it travels between your applications and the Redshift cluster.
Risk
If SSL is not required, connections to your Redshift cluster may occur over unencrypted channels. This creates several security risks:
- Data interception: Attackers on the network path could read sensitive data, including database credentials and query results
- Data tampering: SQL queries or returned data could be modified in transit without detection
- Session hijacking: Attackers could take over existing database sessions
- Compliance violations: Many regulatory frameworks (PCI DSS, HIPAA, SOC 2) require encryption of data in transit
Remediation Steps
Prerequisites
- AWS Console access with permissions to modify Redshift parameter groups
- Knowledge of which parameter group your Redshift cluster uses
Finding your cluster's parameter group
- Go to Amazon Redshift in the AWS Console
- Click Clusters in the left menu
- Select your cluster
- Look for Parameter group in the cluster details
If your cluster uses the default.redshift-1.0 parameter group, you must create a custom parameter group first (the default cannot be modified).
AWS Console Method
- Open the Amazon Redshift console at https://console.aws.amazon.com/redshift/
- In the left navigation, click Configurations then Parameter groups
- Select the parameter group used by your cluster
- Click Edit parameters
- Find the require_ssl parameter
- Change its value to true
- Click Save changes
- Important: Reboot your cluster to apply the change:
- Go to Clusters
- Select your cluster
- Click Actions > Reboot cluster
Note: Rebooting causes a brief service interruption. Plan this during a maintenance window.
AWS CLI (optional)
Step 1: Modify the parameter group
aws redshift modify-cluster-parameter-group \
--region us-east-1 \
--parameter-group-name <your-parameter-group-name> \
--parameters ParameterName=require_ssl,ParameterValue=true
Step 2: Reboot the cluster to apply changes
aws redshift reboot-cluster \
--region us-east-1 \
--cluster-identifier <your-cluster-identifier>
Replace:
- <your-parameter-group-name> with your Redshift parameter group name
- <your-cluster-identifier> with your Redshift cluster identifier
CloudFormation (optional)
This template creates a Redshift parameter group with require_ssl enabled. You can then associate it with your cluster.
AWSTemplateFormatVersion: '2010-09-09'
Description: Redshift Parameter Group with SSL Required
Parameters:
  ParameterGroupName:
    Type: String
    Default: redshift-ssl-required
    Description: Name for the Redshift parameter group
Resources:
  RedshiftParameterGroup:
    Type: AWS::Redshift::ClusterParameterGroup
    Properties:
      Description: Redshift parameter group with SSL required
      ParameterGroupFamily: redshift-1.0
      ParameterGroupName: !Ref ParameterGroupName
      Parameters:
        - ParameterName: require_ssl
          ParameterValue: 'true'
      Tags:
        - Key: Purpose
          Value: EnforceSSL
Outputs:
  ParameterGroupName:
    Description: Name of the parameter group
    Value: !Ref RedshiftParameterGroup
After deploying, associate this parameter group with your cluster and reboot it.
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "parameter_group_name" {
  description = "Name for the Redshift parameter group"
  type        = string
  default     = "redshift-ssl-required"
}

resource "aws_redshift_parameter_group" "ssl_required" {
  name        = var.parameter_group_name
  family      = "redshift-1.0"
  description = "Redshift parameter group with SSL required"

  parameter {
    name  = "require_ssl"
    value = "true"
  }

  tags = {
    Purpose = "EnforceSSL"
  }
}

output "parameter_group_name" {
  description = "Name of the parameter group"
  value       = aws_redshift_parameter_group.ssl_required.name
}
After applying, associate this parameter group with your cluster and reboot it.
Verification
After rebooting your cluster, verify that SSL is required:
- Go to Amazon Redshift > Configurations > Parameter groups
- Select your parameter group
- Confirm require_ssl is set to true
- Test a connection without SSL to confirm it is rejected
CLI verification
Check the parameter value:
aws redshift describe-cluster-parameters \
--region us-east-1 \
--parameter-group-name <your-parameter-group-name> \
--query "Parameters[?ParameterName=='require_ssl'].{Name:ParameterName,Value:ParameterValue}" \
--output table
Expected output:
----------------------------
|DescribeClusterParameters |
+-------------+------------+
| Name | Value |
+-------------+------------+
| require_ssl| true |
+-------------+------------+
Verify the cluster is using the correct parameter group:
aws redshift describe-clusters \
--region us-east-1 \
--cluster-identifier <your-cluster-identifier> \
--query "Clusters[0].ClusterParameterGroups[*].{ParameterGroupName:ParameterGroupName,Status:ParameterApplyStatus}" \
--output table
The ParameterApplyStatus should be in-sync after the reboot completes.
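The two CLI checks above can be combined into one programmatic audit. The following is an added example (not part of this page or of any AWS tooling) that applies the same logic to the describe-clusters and describe-cluster-parameters response shapes: a cluster passes only if every attached parameter group sets require_ssl to true and its ParameterApplyStatus is in-sync. The sample responses and cluster names are constructed; evaluate_live is an assumed helper that runs the same check against a real account with boto3.

```python
"""Audit Redshift clusters for require_ssl=true (added example, constructed data)."""
from typing import Dict

# Constructed sample responses shaped like the AWS CLI / boto3 output.
SAMPLE_CLUSTERS = {"Clusters": [
    {"ClusterIdentifier": "analytics-prod",
     "ClusterParameterGroups": [{"ParameterGroupName": "redshift-ssl-required",
                                 "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "reporting-dev",
     "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0",
                                 "ParameterApplyStatus": "in-sync"}]},
    {"ClusterIdentifier": "etl-staging",
     "ClusterParameterGroups": [{"ParameterGroupName": "redshift-ssl-required",
                                 "ParameterApplyStatus": "pending-reboot"}]},
]}
SAMPLE_PARAMETERS = {
    "redshift-ssl-required": {"Parameters": [{"ParameterName": "require_ssl", "ParameterValue": "true"}]},
    "default.redshift-1.0": {"Parameters": [{"ParameterName": "require_ssl", "ParameterValue": "false"}]},
}

def require_ssl_value(params_response: dict) -> bool:
    """True only if the parameter group explicitly sets require_ssl to true."""
    for p in params_response.get("Parameters", []):
        if p.get("ParameterName") == "require_ssl":
            return str(p.get("ParameterValue", "")).lower() == "true"
    return False  # parameter absent: treat as not enforced

def evaluate_clusters(clusters_response: dict, params_by_group: Dict[str, dict]) -> Dict[str, str]:
    """Map each cluster id to PASS, FAIL, or PENDING_REBOOT (SSL set in the group but not yet applied)."""
    results = {}
    for c in clusters_response.get("Clusters", []):
        groups = c.get("ClusterParameterGroups", [])
        enforced = all(require_ssl_value(params_by_group.get(g["ParameterGroupName"], {})) for g in groups)
        in_sync = all(g.get("ParameterApplyStatus") == "in-sync" for g in groups)
        if not groups or not enforced:
            results[c["ClusterIdentifier"]] = "FAIL"
        elif not in_sync:
            results[c["ClusterIdentifier"]] = "PENDING_REBOOT"
        else:
            results[c["ClusterIdentifier"]] = "PASS"
    return results

def evaluate_live(region: str = "us-east-1") -> Dict[str, str]:
    """Assumed helper: same check against a real account; boto3 imported here so the module runs offline."""
    import boto3
    rs = boto3.client("redshift", region_name=region)
    clusters = rs.describe_clusters()
    names = {g["ParameterGroupName"] for c in clusters["Clusters"] for g in c["ClusterParameterGroups"]}
    return evaluate_clusters(clusters, {n: rs.describe_cluster_parameters(ParameterGroupName=n) for n in names})

if __name__ == "__main__":
    for cid, status in evaluate_clusters(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS).items():
        print(f"{cid}: {status}")
```

evaluate_live reads only the first page of each API response; accounts with many clusters or parameter groups should use the boto3 paginators.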
Additional Resources
- Amazon Redshift - Configure security options for connections
- Amazon Redshift parameter groups
- AWS::Redshift::ClusterParameterGroup (CloudFormation)
- aws_redshift_parameter_group (Terraform)
Notes
- Default parameter groups cannot be modified: If your cluster uses default.redshift-1.0, you must create a custom parameter group, enable SSL, associate it with your cluster, and then reboot.
- Cluster reboot required: Changes to require_ssl only take effect after a cluster reboot.
- Client configuration: After enabling require_ssl, ensure all clients connect using SSL. Most modern Redshift drivers use SSL by default, but verify your connection strings include sslmode=require or equivalent. Note that sslmode=require encrypts the connection without verifying the server certificate; sslmode=verify-full does both.
- Performance: SSL encryption adds minimal overhead on modern hardware and should not noticeably impact performance.