Cloud security refers to a set of policies, technologies or controls required to protect data, applications and associated infrastructure. Organizations want their deployed resources and workload to be safe from any potential security threat. This is because they are highly dependent on their cloud infrastructure and deploy their maximum workload on it. Talking of security, AWS Redshift clusters are one of the cloud resources where you should follow certain best practices related to the CMKs in Amazon Key Management Service (KMS).
A wide range of services and resources are used daily to support their day-to-day operations. Hence, maintaining cloud security and health become key areas that require maximum focus.
Why you should use KMS CMKs for AWS Redshift clusters?
As discussed earlier, Amazon Redshift is a data warehouse service used for handling large-scale datasets.
AWS allows you to protect your Redshift clusters using CMKs in Amazon KMS (Key Management Service). Key Management Service is an encryption service that enables the user to easily encrypt their data. KMS provides a key storage management solution so that data can be encrypted across AWS services and resources within a single AWS account.
Furthermore, it allows users to create their own keys or CMKs (Customer Master Keys) to have further control over the management of their AWS resources. KMS assigns these keys to be used in supported services of AWS when creating encrypted resources. Users can use these keys directly within existing applications. KMS CMKs also gives the provision of usage policies to configure which user can use which key to encrypt or decrypt data. It is highly recommended that you should use KMS CMKs for your Redshift clusters to perform necessary encryption and decryption operations to ensure cluster security.
Centilytics helps you ensure that your security posture is in place
Centilytics provides an insight that gives warnings or alerts to the user whenever a Redshift cluster with disabled CMKs is detected.
There can be 2 possible scenarios:
|OK||This indication will be displayed when your AWS Redshift clusters are using KMS CMKs (Customer Master Keys).|
|Warning||This indication will be displayed when your Redshift clusters are not using KMS CMKs (Customer Master Keys).|
Description of further columns are as follows:
- Account Id: This column Shows the respective account ID of the user’s account.
- Account Name: This column shows the account name corresponding to the user’s account.
- Region: This column shows the region in which the respective Redshift cluster exists.
- Identifier: This column shows the name of your Redshift cluster.
- Snapshot enabled: This column shows the status of whether snapshots are enabled for your Redshift clusters or not.
- Retention days: This column shows the retention days i.e. the no. of days for which the backup of your Redshift cluster will be taken.
- Snapshot identifier: This column shows the ARN of your Redshift cluster snapshot.
|Account Id||Applying the account Id filter will display data for the selected account Id.|
|Region||Applying the region filter will display data according to the selected region.|
|Severity||Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for warning and ok severity types|
|Resource Tags||Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g.- If the user has tagged some resource by a tag named environment, then selecting an environment from the resource tags filter will display all the data accordingly.|
|Resource Tags Value||Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production). Hence, the user can view data of all the resources which are tagged as “environment:production”. The user can use the tag value filter only when a tag name has been provided.|