AWS securityhub documentation change
Summary
Added new control [Redshift.17] requiring tags on cluster parameter groups, updated parameter constraints for tag keys in multiple controls, and consolidated introductory text
Security assessment
The change adds documentation for a new security control (Redshift.17) enforcing tagging of parameter groups, which supports resource management and access control best practices. Parameter constraint updates clarify existing tagging requirements. No evidence of addressing a specific vulnerability.
Diff
diff --git a/securityhub/latest/userguide/redshift-controls.md b/securityhub/latest/userguide/redshift-controls.md index a97633c26..087d63800 100644 --- a//securityhub/latest/userguide/redshift-controls.md +++ b//securityhub/latest/userguide/redshift-controls.md @@ -5 +5 @@ -[Redshift.1] Amazon Redshift clusters should prohibit public access[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled[Redshift.4] Amazon Redshift clusters should have audit logging enabled[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled[Redshift.7] Redshift clusters should use enhanced VPC routing[Redshift.8] Amazon Redshift clusters should not use the default Admin username[Redshift.9] Redshift clusters should not use the default database name[Redshift.10] Redshift clusters should be encrypted at rest[Redshift.11] Redshift clusters should be tagged[Redshift.12] Redshift event notification subscriptions should be tagged[Redshift.13] Redshift cluster snapshots should be tagged[Redshift.14] Redshift cluster subnet groups should be tagged[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones +[Redshift.1] Amazon Redshift clusters should prohibit public access[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled[Redshift.4] Amazon Redshift clusters should have audit logging enabled[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled[Redshift.7] Redshift clusters should use enhanced VPC routing[Redshift.8] Amazon Redshift clusters should not use the default Admin username[Redshift.9] Redshift clusters should not use the default database name[Redshift.10] Redshift clusters should be encrypted at rest[Redshift.11] Redshift clusters should be tagged[Redshift.12] Redshift event notification subscriptions should be tagged[Redshift.13] Redshift cluster snapshots should be tagged[Redshift.14] Redshift cluster subnet groups should be tagged[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones[Redshift.17] Redshift cluster parameter groups should be tagged @@ -9,3 +9 @@ -These AWS Security Hub controls evaluate the Amazon Redshift service and resources. - -These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub controls evaluate the Amazon Redshift service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -264 +262 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | `No default value` +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | `No default value` @@ -294 +292 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | `No default value` +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | `No default value` @@ -324 +322 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | `No default value` +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | `No default value` @@ -354 +352 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | `No default value` +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | `No default value` @@ -413,0 +412,30 @@ To modify a Redshift cluster subnet group to span multiple AZs, see [Modifying a +## [Redshift.17] Redshift cluster parameter groups should be tagged + +**Category:** Identify > Inventory > Tagging + +**Severity:** Low + +**Resource type:** `AWS::Redshift::ClusterParameterGroup` + +**AWS Config rule:** [redshift-cluster-parameter-group-tagged](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-parameter-group-tagged.html) + +**Schedule type:** Change triggered + +**Parameters:** + +Parameter | Description | Type | Allowed custom values | Security Hub default value +---|---|---|---|--- +`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value + +This control checks whether an Amazon Redshift cluster parameter group has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the parameter group doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the parameter group doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. + +A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html). + +###### Note + +Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data. + +### Remediation + +For information about adding tags to an Amazon Redshift cluster parameter group, see [Tag resources in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/amazon-redshift-tagging.html) in the _Amazon Redshift Management Guide_. +