AWS securityhub documentation change
Summary
Added new control [Redshift.18] requiring Multi-AZ deployments for Redshift clusters and removed backticks from AWS Config rule links
Security assessment
The new Redshift.18 control promotes high availability through Multi-AZ deployments, which improves fault tolerance but does not directly address a security vulnerability. Formatting changes to Config rule links are non-functional. Multi-AZ enhances resilience (security best practice) but isn't a response to a specific security flaw.
Diff
diff --git a/securityhub/latest/userguide/redshift-controls.md b/securityhub/latest/userguide/redshift-controls.md index 15e3aa83a..76597659f 100644 --- a//securityhub/latest/userguide/redshift-controls.md +++ b//securityhub/latest/userguide/redshift-controls.md @@ -5 +5 @@ -[Redshift.1] Amazon Redshift clusters should prohibit public access[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled[Redshift.4] Amazon Redshift clusters should have audit logging enabled[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled[Redshift.7] Redshift clusters should use enhanced VPC routing[Redshift.8] Amazon Redshift clusters should not use the default Admin username[Redshift.9] Redshift clusters should not use the default database name[Redshift.10] Redshift clusters should be encrypted at rest[Redshift.11] Redshift clusters should be tagged[Redshift.12] Redshift event notification subscriptions should be tagged[Redshift.13] Redshift cluster snapshots should be tagged[Redshift.14] Redshift cluster subnet groups should be tagged[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones[Redshift.17] Redshift cluster parameter groups should be tagged +[Redshift.1] Amazon Redshift clusters should prohibit public access[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled[Redshift.4] Amazon Redshift clusters should have audit logging enabled[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled[Redshift.7] Redshift clusters should use enhanced VPC routing[Redshift.8] Amazon Redshift clusters should not use the default Admin username[Redshift.9] Redshift clusters should not use the default database name[Redshift.10] Redshift clusters should be encrypted at rest[Redshift.11] Redshift clusters should be tagged[Redshift.12] Redshift event notification subscriptions should be tagged[Redshift.13] Redshift cluster snapshots should be tagged[Redshift.14] Redshift cluster subnet groups should be tagged[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones[Redshift.17] Redshift cluster parameter groups should be tagged[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled @@ -21 +21 @@ These AWS Security Hub controls evaluate the Amazon Redshift service and resourc -**AWS Config rule:** [`redshift-cluster-public-access-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html) +**AWS Config rule:** [redshift-cluster-public-access-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html) @@ -47 +47 @@ To update an Amazon Redshift cluster to disable public access, see [Modifying a -**AWS Config rule:** [`redshift-require-tls-ssl`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html) +**AWS Config rule:** [redshift-require-tls-ssl](https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html) @@ -71 +71 @@ To update an Amazon Redshift parameter group to require encryption, see [Modifyi -**AWS Config rule:** [`redshift-backup-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html) +**AWS Config rule:** [redshift-backup-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html) @@ -128 +128 @@ To configure audit logging for an Amazon Redshift cluster, see [Configuring audi -**AWS Config rule:** [`redshift-cluster-maintenancesettings-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html) +**AWS Config rule:** [redshift-cluster-maintenancesettings-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html) @@ -160 +160 @@ To remediate this issue from the AWS CLI, use the Amazon Redshift `modify-cluste -**AWS Config rule:** [`redshift-enhanced-vpc-routing-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html) +**AWS Config rule:** [redshift-enhanced-vpc-routing-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html) @@ -184 +184 @@ For detailed remediation instructions, see [Enabling enhanced VPC routing](https -**AWS Config rule:** [`redshift-default-admin-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html) +**AWS Config rule:** [redshift-default-admin-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html) @@ -208 +208 @@ You can't change the admin username for your Amazon Redshift cluster after creat -**AWS Config rule:** [`redshift-default-db-name-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html) +**AWS Config rule:** [redshift-default-db-name-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html) @@ -232 +232 @@ You can't change the database name for your Amazon Redshift cluster after it is -**AWS Config rule:** [`redshift-cluster-kms-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html) +**AWS Config rule:** [redshift-cluster-kms-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html) @@ -376 +376 @@ To add tags to a Redshift cluster subnet group, see [Tagging resources in Amazon -**AWS Config rule:** [`redshift-unrestricted-port-access`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-unrestricted-port-access.html) +**AWS Config rule:** [redshift-unrestricted-port-access](https://docs.aws.amazon.com/config/latest/developerguide/redshift-unrestricted-port-access.html) @@ -441,0 +442,22 @@ For information about adding tags to an Amazon Redshift cluster parameter group, +## [Redshift.18] Redshift clusters should have Multi-AZ deployments enabled + +**Category:** Recover > Resilience > High availability + +**Severity:** Medium + +**Resource type:** `AWS::Redshift::Cluster` + +**AWS Config rule:** [redshift-cluster-multi-az-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-multi-az-enabled.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether multiple Availability Zones (Multi-AZ) deployments are enabled for an Amazon Redshift cluster. The control fails if Multi-AZ deployments aren't enabled for the Amazon Redshift cluster. + +Amazon Redshift supports multiple Availability Zones (Multi-AZ) deployments for provisioned clusters. If Multi-AZ deployments are enabled for a cluster, an Amazon Redshift data warehouse can continue operating in failure scenarios when an unexpected event happens in an Availability Zone (AZ). A Multi-AZ deployment deploys compute resources in more than one AZ and these compute resources can be accessed through a single endpoint. In the event of an entire AZ failure, the remaining compute resources in another AZ are available to continue processing workloads. You can convert an existing Single-AZ data warehouse to a Multi-AZ data warehouse. Additional compute resources are then provisioned in a second AZ. + +### Remediation + +For information about configuring Multi-AZ deployments for an Amazon Redshift cluster, see [Converting a Single-AZ data warehouse to a Multi-AZ data warehouse](https://docs.aws.amazon.com/redshift/latest/mgmt/convert-saz-to-maz.html) in the _Amazon Redshift Management Guide_. +