Compliance Medium severity

AWS Security Hub · Redshift

Redshift.2: Connections to Redshift should be encrypted in transit

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.2 check?

Redshift.2 checks whether the cluster parameter group attached to each Amazon Redshift cluster has require_ssl set to true (the Security Hub documentation writes it require_SSL; the CLI and parameter group use the lower-case name). With it set, the cluster rejects any client that does not negotiate TLS. The control fails when the parameter is false, which is its value in the default parameter group.

Why does Redshift.2 matter?

Redshift speaks the PostgreSQL wire protocol and, like PostgreSQL, accepts plaintext sessions unless the server side requires TLS. Without enforcement, login credentials, query text and result sets cross the network readable to anything on the path, and a client whose sslmode is left at a permissive setting downgrades silently. Requiring TLS encrypts the session but does not by itself authenticate the server; for that, clients need sslmode=verify-full with the Amazon Redshift CA bundle. The control maps to PCI DSS v4.0.1 requirement 4.2.1 and NIST 800-53 SC-8/SC-13/SC-23.

How do I fix Redshift.2?

  1. Confirm every client already negotiates TLS (sslmode=require at minimum; verify-full with the Redshift CA bundle to also authenticate the server) so that enforcement does not break connections.
  2. Set require_ssl to true in the custom parameter group attached to the cluster. The default parameter group (default.redshift-1.0) cannot be modified; if the cluster is still on it, create a custom group and attach it with modify-cluster first.
  3. Reboot the cluster in a maintenance window. require_ssl is a static parameter, and the cluster reports it as pending-reboot until then.
  4. Use that hardened parameter group for new clusters (for example in your IaC templates); the default group will always leave require_ssl false.

Remediation script · bash

# Inventory across engines. RDS does not expose TLS enforcement on the instance
# (it lives in the parameter group, checked below); ElastiCache does, so filter.
aws rds describe-db-instances \
  --query 'DBInstances[].DBInstanceIdentifier' --output text
aws elasticache describe-replication-groups \
  --query 'ReplicationGroups[?TransitEncryptionEnabled==`false`].ReplicationGroupId' \
  --output text

# RDS for PostgreSQL: require TLS via rds.force_ssl (static -> needs a reboot).
# $PG must be a custom group; the default.postgres* groups cannot be modified.
PG=$(aws rds describe-db-instances --db-instance-identifier prod-orders-pg \
  --query 'DBInstances[].DBParameterGroups[].DBParameterGroupName' --output text)
aws rds modify-db-parameter-group --db-parameter-group-name "$PG" \
  --parameters 'ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot'
aws rds reboot-db-instance --db-instance-identifier prod-orders-pg

# Redshift: default.redshift-1.0 cannot be modified, so put the cluster on a
# custom parameter group, set require_ssl there, then reboot.
aws redshift create-cluster-parameter-group --parameter-group-name analytics-tls \
  --parameter-group-family redshift-1.0 --description 'TLS required'
aws redshift modify-cluster --cluster-identifier analytics-prod \
  --cluster-parameter-group-name analytics-tls
aws redshift modify-cluster-parameter-group --parameter-group-name analytics-tls \
  --parameters ParameterName=require_ssl,ParameterValue=true
aws redshift reboot-cluster --cluster-identifier analytics-prod

# Verify both halves: the value in the group and the cluster's apply status
# (must read in-sync; pending-reboot means plaintext is still accepted).
aws redshift describe-cluster-parameters --parameter-group-name analytics-tls \
  --query "Parameters[?ParameterName=='require_ssl'].ParameterValue" --output text
aws redshift describe-clusters --cluster-identifier analytics-prod \
  --query 'Clusters[].ClusterParameterGroups[].ClusterParameterStatusList[?ParameterName==`require_ssl`].ParameterApplyStatus' \
  --output text

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on database and cache connections.

Is Redshift.2 a false positive?

Rarely. require_ssl is a static parameter: the value you set in the parameter group is not enforced until the cluster reboots, and describe-clusters reports the parameter as pending-reboot in the meantime. Applying the parameter alone is therefore not a fix, whatever the finding shows at that moment; treat the cluster as remediated only when the group value is true and the cluster's apply status for require_ssl is in-sync.
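The verification that the remediation steps and the reboot caveat both call for, as an added example that is not Emnode's or AWS's code: it applies the control's own test (require_ssl true in the attached parameter group) and then the apply status that the control does not surface, working from the JSON that `aws redshift describe-clusters` and `aws redshift describe-cluster-parameters` emit. The sample data is constructed and the cluster and parameter-group names are hypothetical; in use, replace the two constants with the real CLI output.

```python
"""Offline evaluator for Security Hub Redshift.2 over AWS CLI JSON.

Added example, not Emnode's or AWS's code. Input mirrors the output of
`aws redshift describe-clusters` and `aws redshift describe-cluster-parameters`;
the sample below is constructed and every cluster/group name is hypothetical.
"""
import json

# Constructed describe-clusters output, trimmed to the fields used here.
DESCRIBE_CLUSTERS = json.loads("""
{"Clusters": [
  {"ClusterIdentifier": "analytics-prod",
   "ClusterParameterGroups": [{"ParameterGroupName": "analytics-tls",
     "ParameterApplyStatus": "in-sync",
     "ClusterParameterStatusList": [
       {"ParameterName": "require_ssl", "ParameterApplyStatus": "in-sync"}]}]},
  {"ClusterIdentifier": "analytics-staging",
   "ClusterParameterGroups": [{"ParameterGroupName": "analytics-tls",
     "ParameterApplyStatus": "pending-reboot",
     "ClusterParameterStatusList": [
       {"ParameterName": "require_ssl", "ParameterApplyStatus": "pending-reboot"}]}]},
  {"ClusterIdentifier": "reporting-legacy",
   "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0",
     "ParameterApplyStatus": "in-sync",
     "ClusterParameterStatusList": []}]}
]}
""")

# Constructed describe-cluster-parameters output, one document per group.
DESCRIBE_PARAMETERS = {
    "analytics-tls": json.loads("""{"Parameters": [
      {"ParameterName": "require_ssl", "ParameterValue": "true", "Source": "user"},
      {"ParameterName": "enable_user_activity_logging", "ParameterValue": "true",
       "Source": "user"}]}"""),
    "default.redshift-1.0": json.loads("""{"Parameters": [
      {"ParameterName": "require_ssl", "ParameterValue": "false",
       "Source": "engine-default"}]}"""),
}


def parameter_groups_in_use(describe_clusters):
    """Groups attached to at least one cluster: the ones to fetch parameters for."""
    return sorted({g["ParameterGroupName"]
                   for c in describe_clusters["Clusters"]
                   for g in c["ClusterParameterGroups"]})


def require_ssl_value(describe_parameters):
    """The group's require_ssl value, lower-cased, or None if not present."""
    for p in describe_parameters["Parameters"]:
        if p["ParameterName"] == "require_ssl":
            return str(p.get("ParameterValue", "")).strip().lower()
    return None


def require_ssl_apply_status(group):
    """Cluster-side apply status for require_ssl; falls back to the group-level
    status when the cluster lists no per-parameter entry for it."""
    for s in group.get("ClusterParameterStatusList", []):
        if s["ParameterName"] == "require_ssl":
            return s["ParameterApplyStatus"]
    return group.get("ParameterApplyStatus", "unknown")


def evaluate_cluster(cluster, params_by_group):
    """Classify one cluster:
    FAIL            require_ssl is not true in the attached group (the control fails)
    PENDING_REBOOT  true in the group, but the cluster has not rebooted yet
    NOT_APPLIED     true in the group, apply status is something else (e.g. apply-error)
    PASS            true and in-sync
    UNKNOWN         the group's parameters were not supplied
    A Redshift cluster has exactly one parameter group; the API returns a list."""
    group = cluster["ClusterParameterGroups"][0]
    name = group["ParameterGroupName"]
    result = {"cluster": cluster["ClusterIdentifier"], "group": name,
              "require_ssl": None, "apply_status": require_ssl_apply_status(group)}
    params = params_by_group.get(name)
    if params is None:
        result["verdict"] = "UNKNOWN"
        return result
    result["require_ssl"] = require_ssl_value(params)
    if result["require_ssl"] != "true":
        result["verdict"] = "FAIL"
    elif result["apply_status"] == "in-sync":
        result["verdict"] = "PASS"
    elif result["apply_status"] == "pending-reboot":
        result["verdict"] = "PENDING_REBOOT"
    else:
        result["verdict"] = "NOT_APPLIED"
    return result


def evaluate_all(describe_clusters, params_by_group):
    """Evaluate every cluster in a describe-clusters document."""
    return [evaluate_cluster(c, params_by_group) for c in describe_clusters["Clusters"]]


if __name__ == "__main__":
    for r in evaluate_all(DESCRIBE_CLUSTERS, DESCRIBE_PARAMETERS):
        print(f"{r['cluster']:<18} {r['group']:<22} require_ssl={r['require_ssl']!s:<6} "
              f"{r['apply_status']:<15} {r['verdict']}")
```

Feed it `aws redshift describe-clusters` output plus one `describe-cluster-parameters` document per name returned by parameter_groups_in_use(); any verdict other than PASS means the cluster still accepts plaintext, even where the finding already reads PASSED because the group value alone was changed.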

Part of the learning path Encrypt everything
  • Redshift.1 A Redshift cluster is publicly accessible
  • Redshift.3 Redshift clusters should have automatic snapshots
  • Redshift.4 Redshift clusters should have audit logging
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.7 Redshift clusters should use enhanced VPC routing
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.10 Redshift clusters should be encrypted at rest
  • Redshift.15 Redshift accepts cluster-port traffic from anywhere
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled