RedShift snapshot copy is not encrypted by KMS using a customer managed Key (CMK).
Description
This policy checks that RedShift snapshot copies are encrypted with a Key Management Service (KMS) key, specifically a Customer Managed Key (CMK). Unencrypted or weakly encrypted RedShift snapshot data can expose sensitive information, leading to data breaches or non-compliance with legal and regulatory mandates. Enforcing encryption with a Customer Managed Key (CMK) keeps control of the key policy, rotation and deletion with you rather than with the AWS managed default key.
Code Example
```hcl
# Compliant example: the grant references a customer managed KMS key.
# aws_kms_key.test must be defined elsewhere in the same configuration.
resource "aws_redshift_snapshot_copy_grant" "pass" {
  snapshot_copy_grant_name = "my-grant"
  kms_key_id               = aws_kms_key.test.arn # the argument this policy requires
}
```
Remediation
Terraform
- Resource: aws_redshift_snapshot_copy_grant
- Arguments: kms_key_id
To resolve this issue, add the 'KMS Key Id' argument (`kms_key_id`) to your `aws_redshift_snapshot_copy_grant` resources and point it to an existing KMS key that you manage. This ensures that your RedShift snapshot copies are encrypted with that key, as shown in the Code Example above.
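The following is an added illustration, not part of the original policy page: a non-compliant grant beside the compliant one, the CMK it references, and the cluster snapshot copy configuration that actually uses the grant. Resource names, the region pair and the cluster attributes are assumptions; note that the grant and its key must be created in the copy's destination region, which is why a second provider alias is used.

```hcl
# Added illustration for this policy; not part of the original page.
# The grant and its key live in the destination region of the copy, so a
# second provider configuration (assumed alias "dest") is used for them.
provider "aws" {
  alias  = "dest"
  region = "us-west-2"
}

# Non-compliant: no kms_key_id, so Redshift falls back to the AWS managed key
# and CKV_AWS_281 reports the resource.
resource "aws_redshift_snapshot_copy_grant" "fail" {
  provider                 = aws.dest
  snapshot_copy_grant_name = "redshift-copy-grant-default-key" # constructed name
}

# Customer managed key in the destination region (assumed name).
resource "aws_kms_key" "redshift_snapshots" {
  provider            = aws.dest
  description         = "CMK for Redshift cross-region snapshot copies"
  enable_key_rotation = true
}

# Compliant: the grant is bound to the CMK, so copied snapshots are encrypted
# with a key whose policy, rotation and deletion you control.
resource "aws_redshift_snapshot_copy_grant" "pass" {
  provider                 = aws.dest
  snapshot_copy_grant_name = "redshift-copy-grant-cmk" # constructed name
  kms_key_id               = aws_kms_key.redshift_snapshots.arn
}

# A grant does nothing until a cluster's snapshot copy settings name it
# (cluster values are constructed; the password comes from a sensitive variable).
resource "aws_redshift_cluster" "example" {
  cluster_identifier  = "example-cluster"
  node_type           = "dc2.large"
  master_username     = "admin"
  master_password     = var.master_password
  encrypted           = true
  skip_final_snapshot = true

  snapshot_copy {
    destination_region = "us-west-2"
    retention_period   = 7
    grant_name         = aws_redshift_snapshot_copy_grant.pass.snapshot_copy_grant_name
  }
}

variable "master_password" {
  type      = string
  sensitive = true
}
```

Running `checkov -d . --check CKV_AWS_281` against this directory reports the `fail` grant and passes the `pass` grant.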
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0329 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_281 |