Question 1

Is allow_version_upgrade enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure whether AWS Redshift clusters have the specified maintenance settings. Redshift clusters `allowVersionUpgrade` should be set to `true` and `automatedSnapshotRetentionPeriod` should be greater than 7.

Question 2

Is automated_snapshot_retention_period enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether AWS Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.

Question 3

Is cloudwatch_log_group_kms_key_id enforced for PCI DSS v4.0?

Accepted Answer

Yes, To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Group.

Question 4

Is cloudwatch_log_group_retention_in_days enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.

Question 5

Is cluster_identifier enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control ensures if redshift clusters are logging audits to a specific bucket. The rule is no compliant if audit logging is not enabled for a redshift cluster or if the 'bucketNames' parameter is provided but the audit logging destination does not match.

Question 6

Is encrypted enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure that your AWS Redshift clusters require TLS/SSL encryption to connect to SQL clients.

Question 7

Is enhanced_vpc_routing enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure that AWS Redshift cluster has 'enhancedVpcRouting' enabled. The rule is non-compliant if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.

Question 8

Is kms_key_arn enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure that AWS Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is compliant if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non-compliant if the cluster is not encrypted or encrypted with another key.

Question 9

Is publicly_accessible enforced for PCI DSS v4.0?

Accepted Answer

Yes, Manage access to resources in the AWS Cloud by ensuring that AWS Redshift clusters are not public.

AWS Redshift Terraform module

Terraform Module Source