This pattern provides an Amazon Web Services (AWS) CloudFormation template that automatically notifies you when a new Amazon Redshift cluster is launched without Secure Sockets Layer (SSL) endpoints.
Amazon Redshift is a fully managed, petabyte-scale, cloud-based data warehouse service. It is designed for large-scale dataset storage and analysis. It is also used to perform large-scale database migrations. For security, Amazon Redshift supports SSL to encrypt the connection between the user's SQL Server client application and the Amazon Redshift cluster. To configure your cluster to require an SSL connection, you set the require_SSL parameter to true in the parameter group that is associated with the cluster during launch.
The security control provided with this pattern monitors Amazon Redshift API calls in AWS CloudTrail logs and initiates an Amazon CloudWatch Events event for the CreateCluster, ModifyCluster, RestoreFromClusterSnapshot, CreateClusterParameterGroup, and ModifyClusterParameterGroup APIs. When the event detects one of these APIs, it calls AWS Lambda, which runs a Python script. The Python function analyzes the CloudWatch event for the listed CloudTrail events. When an Amazon Redshift cluster is created, modified, or restored from an existing snapshot, a new parameter group is created for the cluster, or an existing parameter group is modified, the function checks the require_SSL parameter for the cluster. If the parameter value is false, the function sends an Amazon Simple Notification Service (Amazon SNS) notification to the user with the relevant information: the Amazon Redshift cluster name, AWS Region, AWS account, and Amazon Resource Name (ARN) of the Lambda function that this notification is sourced from.
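The evaluation step described above, as an added example that is not the pattern's own Lambda code: it filters the CloudWatch event by the five CloudTrail event names, resolves the affected parameter group, checks require_ssl, and builds the notification payload. The describe_params lookup, the DEFAULT_GROUP name, and the sample event and groups are assumptions constructed for offline use in place of the Redshift API and SNS calls.

```python
from typing import Callable, Dict, List, Optional

# CloudTrail event names the pattern's CloudWatch Events rule matches (from the page).
WATCHED_EVENTS = {"CreateCluster", "ModifyCluster", "RestoreFromClusterSnapshot",
                  "CreateClusterParameterGroup", "ModifyClusterParameterGroup"}
DEFAULT_GROUP = "default.redshift-1.0"  # assumed default parameter group name

def require_ssl_value(params: List[Dict]) -> Optional[bool]:
    """require_ssl as a bool from a list of Redshift parameter dicts, None if absent."""
    for p in params:
        if str(p.get("parameterName", "")).lower() == "require_ssl":
            return str(p.get("parameterValue", "")).lower() == "true"
    return None

def evaluate(event: Dict, describe_params: Callable[[str], List[Dict]],
             source_arn: str) -> Optional[Dict]:
    """Return the SNS payload if the CloudTrail record leaves require_ssl false, else None.
    describe_params(group) is a hypothetical stand-in for redshift:DescribeClusterParameters."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in WATCHED_EVENTS:
        return None
    req = detail.get("requestParameters") or {}
    group = (req.get("clusterParameterGroupName")
             or req.get("parameterGroupName") or DEFAULT_GROUP)
    # ModifyClusterParameterGroup carries the changed parameters inline; use them first,
    # otherwise read the group's current settings (covers the cluster-level calls).
    flag = require_ssl_value(req.get("parameters") or [])
    if flag is None:
        flag = require_ssl_value(describe_params(group))
    if flag is not False:
        return None
    return {"cluster": req.get("clusterIdentifier", "(parameter group change)"),
            "parameterGroup": group, "region": event.get("region"),
            "account": event.get("account"), "eventName": name, "sourceArn": source_arn}

# Constructed sample input: a CreateCluster call using a custom group where require_ssl is false.
SAMPLE_EVENT = {"region": "us-east-1", "account": "111122223333",
                "detail": {"eventName": "CreateCluster",
                           "requestParameters": {"clusterIdentifier": "analytics-1",
                                                 "clusterParameterGroupName": "custom-pg"}}}
FAKE_GROUPS = {"custom-pg": [{"parameterName": "require_ssl", "parameterValue": "false"}],
               "hardened-pg": [{"parameterName": "require_ssl", "parameterValue": "true"}]}

def lookup(group: str) -> List[Dict]:
    """Offline replacement for the DescribeClusterParameters call (constructed data)."""
    return FAKE_GROUPS.get(group, [])
```

Calling evaluate(SAMPLE_EVENT, lookup, "<lambda-arn>") returns the payload for analytics-1, which the real function would publish to the SNS topic; a cluster attached to hardened-pg returns None and produces no notification.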