AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-07-16 · Documentation medium

File: securityhub/latest/userguide/redshift-controls.md

Summary

Added new control [Redshift.18] requiring Multi-AZ deployments for Redshift clusters and removed backticks from AWS Config rule links

Security assessment

The new Redshift.18 control promotes high availability through Multi-AZ deployments, which improves fault tolerance but does not directly address a security vulnerability. Formatting changes to Config rule links are non-functional. Multi-AZ enhances resilience (security best practice) but isn't a response to a specific security flaw.

Diff

diff --git a/securityhub/latest/userguide/redshift-controls.md b/securityhub/latest/userguide/redshift-controls.md
index 15e3aa83a..76597659f 100644
--- a//securityhub/latest/userguide/redshift-controls.md
+++ b//securityhub/latest/userguide/redshift-controls.md
@@ -5 +5 @@
-[Redshift.1] Amazon Redshift clusters should prohibit public access[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled[Redshift.4] Amazon Redshift clusters should have audit logging enabled[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled[Redshift.7] Redshift clusters should use enhanced VPC routing[Redshift.8] Amazon Redshift clusters should not use the default Admin username[Redshift.9] Redshift clusters should not use the default database name[Redshift.10] Redshift clusters should be encrypted at rest[Redshift.11] Redshift clusters should be tagged[Redshift.12] Redshift event notification subscriptions should be tagged[Redshift.13] Redshift cluster snapshots should be tagged[Redshift.14] Redshift cluster subnet groups should be tagged[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones[Redshift.17] Redshift cluster parameter groups should be tagged
+[Redshift.1] Amazon Redshift clusters should prohibit public access[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled[Redshift.4] Amazon Redshift clusters should have audit logging enabled[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled[Redshift.7] Redshift clusters should use enhanced VPC routing[Redshift.8] Amazon Redshift clusters should not use the default Admin username[Redshift.9] Redshift clusters should not use the default database name[Redshift.10] Redshift clusters should be encrypted at rest[Redshift.11] Redshift clusters should be tagged[Redshift.12] Redshift event notification subscriptions should be tagged[Redshift.13] Redshift cluster snapshots should be tagged[Redshift.14] Redshift cluster subnet groups should be tagged[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones[Redshift.17] Redshift cluster parameter groups should be tagged[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled
@@ -21 +21 @@ These AWS Security Hub controls evaluate the Amazon Redshift service and resourc
-**AWS Config rule:** [`redshift-cluster-public-access-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html)
+**AWS Config rule:** [redshift-cluster-public-access-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-public-access-check.html)
@@ -47 +47 @@ To update an Amazon Redshift cluster to disable public access, see [Modifying a
-**AWS Config rule:** [`redshift-require-tls-ssl`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html)
+**AWS Config rule:** [redshift-require-tls-ssl](https://docs.aws.amazon.com/config/latest/developerguide/redshift-require-tls-ssl.html)
@@ -71 +71 @@ To update an Amazon Redshift parameter group to require encryption, see [Modifyi
-**AWS Config rule:** [`redshift-backup-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html)
+**AWS Config rule:** [redshift-backup-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-backup-enabled.html)
@@ -128 +128 @@ To configure audit logging for an Amazon Redshift cluster, see [Configuring audi
-**AWS Config rule:** [`redshift-cluster-maintenancesettings-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html)
+**AWS Config rule:** [redshift-cluster-maintenancesettings-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html)
@@ -160 +160 @@ To remediate this issue from the AWS CLI, use the Amazon Redshift `modify-cluste
-**AWS Config rule:** [`redshift-enhanced-vpc-routing-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html)
+**AWS Config rule:** [redshift-enhanced-vpc-routing-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html)
@@ -184 +184 @@ For detailed remediation instructions, see [Enabling enhanced VPC routing](https
-**AWS Config rule:** [`redshift-default-admin-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html)
+**AWS Config rule:** [redshift-default-admin-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-admin-check.html)
@@ -208 +208 @@ You can't change the admin username for your Amazon Redshift cluster after creat
-**AWS Config rule:** [`redshift-default-db-name-check`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html)
+**AWS Config rule:** [redshift-default-db-name-check](https://docs.aws.amazon.com/config/latest/developerguide/redshift-default-db-name-check.html)
@@ -232 +232 @@ You can't change the database name for your Amazon Redshift cluster after it is
-**AWS Config rule:** [`redshift-cluster-kms-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html)
+**AWS Config rule:** [redshift-cluster-kms-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-kms-enabled.html)
@@ -376 +376 @@ To add tags to a Redshift cluster subnet group, see [Tagging resources in Amazon
-**AWS Config rule:** [`redshift-unrestricted-port-access`](https://docs.aws.amazon.com/config/latest/developerguide/redshift-unrestricted-port-access.html)
+**AWS Config rule:** [redshift-unrestricted-port-access](https://docs.aws.amazon.com/config/latest/developerguide/redshift-unrestricted-port-access.html)
@@ -441,0 +442,22 @@ For information about adding tags to an Amazon Redshift cluster parameter group,
+## [Redshift.18] Redshift clusters should have Multi-AZ deployments enabled
+
+**Category:** Recover > Resilience > High availability
+
+**Severity:** Medium
+
+**Resource type:** `AWS::Redshift::Cluster`
+
+**AWS Config rule:** [redshift-cluster-multi-az-enabled](https://docs.aws.amazon.com/config/latest/developerguide/redshift-cluster-multi-az-enabled.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:** None
+
+This control checks whether multiple Availability Zones (Multi-AZ) deployments are enabled for an Amazon Redshift cluster. The control fails if Multi-AZ deployments aren't enabled for the Amazon Redshift cluster.
+
+Amazon Redshift supports multiple Availability Zones (Multi-AZ) deployments for provisioned clusters. If Multi-AZ deployments are enabled for a cluster, an Amazon Redshift data warehouse can continue operating in failure scenarios when an unexpected event happens in an Availability Zone (AZ). A Multi-AZ deployment deploys compute resources in more than one AZ and these compute resources can be accessed through a single endpoint. In the event of an entire AZ failure, the remaining compute resources in another AZ are available to continue processing workloads. You can convert an existing Single-AZ data warehouse to a Multi-AZ data warehouse. Additional compute resources are then provisioned in a second AZ.
+
+### Remediation
+
+For information about configuring Multi-AZ deployments for an Amazon Redshift cluster, see [Converting a Single-AZ data warehouse to a Multi-AZ data warehouse](https://docs.aws.amazon.com/redshift/latest/mgmt/convert-saz-to-maz.html) in the _Amazon Redshift Management Guide_.
+