Compliance · Medium severity

AWS Security Hub · Redshift

Redshift.10: Redshift clusters should be encrypted at rest

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.10 check?

Redshift.10 checks whether a cluster has encryption at rest enabled and fails any cluster that stores its data unencrypted. Redshift integrates with AWS KMS, where a KMS key protects the cluster's data encryption keys.

Why does Redshift.10 matter?

An unencrypted cluster keeps its data blocks and system metadata in plaintext on disk, readable by anyone who reaches the underlying storage. The exposure follows the snapshots too: backups inherit the source cluster's encryption state, so an unencrypted cluster produces unencrypted snapshots that can be copied or shared. Encryption at rest is an explicit requirement under PCI DSS, HIPAA, SOC 2, and NIST regimes.

How do I fix Redshift.10?

  1. Enable encryption with a KMS key by modifying the cluster (Redshift performs a background migration).
  2. Schedule the change for a quiet window, as the migration is throttled and can take time on large clusters.
  3. Confirm snapshots are now encrypted and re-encrypt or delete any existing unencrypted copies.
  4. Set encryption on by default in your cluster templates.

Remediation script · bash

# 1. Find unencrypted databases across engines (sample: RDS, Redshift, OpenSearch).
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
  --query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text

# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore the new instance.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier $SRC --db-snapshot-identifier ${SRC}-snap
aws rds wait db-snapshot-completed --db-snapshot-identifier ${SRC}-snap
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier ${SRC}-snap \
  --target-db-snapshot-identifier ${SRC}-snap-enc \
  --kms-key-id $KEY
aws rds wait db-snapshot-completed --db-snapshot-identifier ${SRC}-snap-enc
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier ${SRC}-enc --db-snapshot-identifier ${SRC}-snap-enc

# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
  --encrypted --kms-key-id $KEY

# 4. Prevent recurrence: enforce encryption by default for new EBS-backed engines.
aws ec2 enable-ebs-encryption-by-default

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.

Is Redshift.10 a false positive?

Encrypting an existing cluster is a migration, not an instant toggle — the cluster stays in a resizing/migrating state during the rewrite, so plan a window rather than expecting an immediate clear.
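To check the remediation steps above and the migration caveat without waiting on the console, the following added example (not Emnode's code) reproduces the Redshift.10 pass/fail logic over the JSON that `aws redshift describe-clusters` and `aws redshift describe-cluster-snapshots` return, flags snapshots that inherited the unencrypted state (step 3), and marks an encrypted cluster whose status is still not `available` as mid-migration. The cluster and snapshot records are constructed samples; the assumption that a migrating cluster reports a non-`available` status is drawn from the note above.

```python
"""Offline evaluator for Security Hub control Redshift.10 (encryption at rest).

Added example, not Emnode's code. Feed it the output of
`aws redshift describe-clusters --output json` and
`aws redshift describe-cluster-snapshots --output json`.
"""
import json

# Constructed sample in the shape of `describe-clusters` output (not real clusters).
SAMPLE_CLUSTERS = json.dumps({"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "Encrypted": False,
     "ClusterStatus": "available"},
    {"ClusterIdentifier": "analytics-enc", "Encrypted": True,
     "ClusterStatus": "resizing",  # assumed status while the encryption migration runs
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
]})

# Constructed sample in the shape of `describe-cluster-snapshots` output.
SAMPLE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotIdentifier": "analytics-prod-2024-01-01", "ClusterIdentifier": "analytics-prod",
     "Encrypted": False, "SnapshotType": "manual"},
    {"SnapshotIdentifier": "analytics-enc-2024-01-01", "ClusterIdentifier": "analytics-enc",
     "Encrypted": True, "SnapshotType": "automated"},
]})


def evaluate_redshift10(clusters_json: str, snapshots_json: str) -> dict:
    """Map each cluster id to its control status, migration flag and plaintext snapshots."""
    clusters = json.loads(clusters_json)["Clusters"]
    snapshots = json.loads(snapshots_json)["Snapshots"]
    results = {}
    for c in clusters:
        cid = c["ClusterIdentifier"]
        # Redshift.10 itself: any cluster storing data unencrypted FAILS.
        encrypted = bool(c.get("Encrypted", False))
        results[cid] = {
            "status": "PASSED" if encrypted else "FAILED",
            # Encrypted but not yet "available": the background migration is still running.
            "migrating": encrypted and c.get("ClusterStatus") != "available",
            # Step 3: snapshots taken before encryption stay unencrypted and need attention.
            "unencrypted_snapshots": sorted(
                s["SnapshotIdentifier"] for s in snapshots
                if s.get("ClusterIdentifier") == cid and not s.get("Encrypted", False)),
        }
    return results


if __name__ == "__main__":
    for cid, finding in evaluate_redshift10(SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS).items():
        print(cid, finding)
```

Replace the two sample strings with real CLI output (for example via `subprocess.run`) to run it against an account.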

Part of the learning path Encrypt everything
  • Redshift.1 A Redshift cluster is publicly accessible
  • Redshift.2 Connections to Redshift should be encrypted in transit
  • Redshift.3 Redshift clusters should have automatic snapshots
  • Redshift.4 Redshift clusters should have audit logging
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.7 Redshift clusters should use enhanced VPC routing
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.15 Redshift accepts cluster-port traffic from anywhere
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled