Question 1

Is allow_version_upgrade enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, Ensure whether AWS Redshift clusters have the specified maintenance settings. Redshift clusters `allowVersionUpgrade` should be set to `true` and `automatedSnapshotRetentionPeriod` should be greater than 7.

Question 2

Is automated_snapshot_retention_period enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, This control checks whether AWS Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.

Question 3

Is cloudwatch_log_group_retention_in_days enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.

Question 4

Is encrypted enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, Ensure that your AWS Redshift clusters require TLS/SSL encryption to connect to SQL clients.

Question 5

Is enhanced_vpc_routing enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, Ensure that AWS Redshift cluster has 'enhancedVpcRouting' enabled. The rule is non-compliant if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.

Question 6

Is kms_key_arn enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, Ensure that AWS Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is compliant if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non-compliant if the cluster is not encrypted or encrypted with another key.

Question 7

Is publicly_accessible enforced for FFIEC Cybersecurity Assessment Tool?

Accepted Answer

Yes, Manage access to resources in the AWS Cloud by ensuring that AWS Redshift clusters are not public.

AWS Redshift Terraform module

Terraform Module Source