Compliance Medium severity

AWS Security Hub · Redshift

Redshift.3: Redshift clusters should have automatic snapshots

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.3 check?

Redshift.3 evaluates a cluster's automated snapshot configuration and fails if automated snapshots are disabled or the retention period is set below seven days. Redshift takes these point-in-time backups by default, but the behaviour can be turned off or shortened.

Why does Redshift.3 matter?

Losing the recovery point is silent until you need it. A bad ETL load, an accidental TRUNCATE, or a corrupted ingest can wipe data with no backup behind it, and a one- or two-day retention window may already be gone by the time a Friday problem is noticed on Monday. Backups also map to NIST 800-53 contingency controls CP-6, CP-9 and CP-10.

How do I fix Redshift.3?

  1. Enable automated snapshots and set the retention period to at least seven days with modify-cluster.
  2. Confirm the snapshot maintenance window suits the cluster's quiet hours.
  3. For longer retention, configure a snapshot schedule or cross-region copy.
  4. Set these defaults in your provisioning templates so new clusters inherit them.

Remediation script · bash

# Set a 7-day backup floor on production databases below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in the account from being shared publicly, ever.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing
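The script above covers RDS, DynamoDB and EBS snapshots; as an added example that is not Emnode's code, the script below applies step 1 of the fix to Redshift itself, assuming an AWS CLI profile with a default region and redshift:DescribeClusters plus redshift:ModifyCluster permissions.

```shell
#!/bin/sh
# Added example, not Emnode's script: raise the automated snapshot retention of
# every Redshift cluster in the current region that fails Redshift.3. Assumes an
# AWS CLI profile with redshift:DescribeClusters and redshift:ModifyCluster.
set -eu

MIN_RETENTION_DAYS=7   # Security Hub threshold; 0 means automated snapshots are off

# Mirror the control's decision on one retention value, with no AWS call, so the
# logic is testable: pass only for a whole number >= 7 (1-6 days still fails).
redshift3_status() {
  case "${1:-}" in
    ''|*[!0-9]*) echo "FAIL"; return 1 ;;   # missing or non-numeric: failing
  esac
  if [ "$1" -ge "$MIN_RETENTION_DAYS" ]; then
    echo "PASS"; return 0
  fi
  echo "FAIL"; return 1
}

# Emit "ClusterIdentifier<TAB>AutomatedSnapshotRetentionPeriod", one cluster per line.
list_clusters() {
  aws redshift describe-clusters \
    --query 'Clusters[].[ClusterIdentifier,AutomatedSnapshotRetentionPeriod]' \
    --output text
}

# Raise one cluster's retention to the floor (applied immediately, no reboot) and
# print the retention Redshift reports back, as the verification step.
remediate_cluster() {
  aws redshift modify-cluster --cluster-identifier "$1" \
    --automated-snapshot-retention-period "$MIN_RETENTION_DAYS" \
    --query 'Cluster.AutomatedSnapshotRetentionPeriod' --output text
}

main() {
  tab=$(printf '\t')
  list_clusters | while IFS="$tab" read -r cluster retention; do
    [ -n "$cluster" ] || continue
    if redshift3_status "$retention" >/dev/null; then
      echo "OK   $cluster retention=${retention}d"
    else
      echo "FIX  $cluster retention=${retention}d -> now=$(remediate_cluster "$cluster")d"
    fi
  done
}

# Remediate only when invoked with --apply; otherwise just define the functions.
case "${1:-}" in --apply) main ;; esac
```

Run it once without `--apply` to confirm it parses, then `sh redshift3-fix.sh --apply`; clusters already at seven days or more are listed as OK and left untouched.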

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Is Redshift.3 a false positive?

Even with automated snapshots enabled, a retention period under seven days still fails the control — the threshold is the gotcha, not the on/off switch.

Part of the learning path Lock down access
  • Redshift.1 A Redshift cluster is publicly accessible
  • Redshift.2 Connections to Redshift should be encrypted in transit
  • Redshift.4 Redshift clusters should have audit logging
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.7 Redshift clusters should use enhanced VPC routing
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.10 Redshift clusters should be encrypted at rest
  • Redshift.15 Redshift accepts cluster-port traffic from anywhere
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled