Question 1

Is allow_version_upgrade enforced for CISA Cyber Essentials?

Accepted Answer

Yes, Ensure whether AWS Redshift clusters have the specified maintenance settings. Redshift clusters `allowVersionUpgrade` should be set to `true` and `automatedSnapshotRetentionPeriod` should be greater than 7.

Question 2

Is automated_snapshot_retention_period enforced for CISA Cyber Essentials?

Accepted Answer

Yes, This control checks whether AWS Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.

Question 3

Is cloudwatch_log_group_kms_key_id enforced for CISA Cyber Essentials?

Accepted Answer

Yes, To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Group.

Question 4

Is encrypted enforced for CISA Cyber Essentials?

Accepted Answer

Yes, Ensure that your AWS Redshift clusters require TLS/SSL encryption to connect to SQL clients.

Question 5

Is kms_key_arn enforced for CISA Cyber Essentials?

Accepted Answer

Yes, Ensure that AWS Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is compliant if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non-compliant if the cluster is not encrypted or encrypted with another key.

Question 6

Is publicly_accessible enforced for CISA Cyber Essentials?

Accepted Answer

Yes, Manage access to resources in the AWS Cloud by ensuring that AWS Redshift clusters are not public.

AWS Redshift Terraform module

Terraform Module Source