Table: aws_redshift_clusters

This table holds one row per Amazon Redshift cluster, keyed by the cluster ARN.

https://docs.aws.amazon.com/redshift/latest/APIReference/API_Cluster.html

The primary key for this table is arn.

Relations

The following tables depend on aws_redshift_clusters (the list was not captured on this page; the example queries below join `aws_redshift_cluster_parameter_groups` and `aws_redshift_cluster_parameters` to this table through their `cluster_arn` column):

Columns

| Name | Type |
| --- | --- |
| _cq_id | uuid |
| _cq_parent_id | uuid |
| account_id | utf8 |
| region | utf8 |
| arn (PK) | utf8 |
| logging_status | json |
| tags | json |
| allow_version_upgrade | bool |
| aqua_configuration | json |
| automated_snapshot_retention_period | int64 |
| availability_zone | utf8 |
| availability_zone_relocation_status | utf8 |
| cluster_availability_status | utf8 |
| cluster_create_time | timestamp[us, tz=UTC] |
| cluster_identifier | utf8 |
| cluster_namespace_arn | utf8 |
| cluster_nodes | json |
| cluster_public_key | utf8 |
| cluster_revision_number | utf8 |
| cluster_security_groups | json |
| cluster_snapshot_copy_status | json |
| cluster_status | utf8 |
| cluster_subnet_group_name | utf8 |
| cluster_version | utf8 |
| custom_domain_certificate_arn | utf8 |
| custom_domain_certificate_expiry_date | timestamp[us, tz=UTC] |
| custom_domain_name | utf8 |
| db_name | utf8 |
| data_transfer_progress | json |
| default_iam_role_arn | utf8 |
| deferred_maintenance_windows | json |
| elastic_ip_status | json |
| elastic_resize_number_of_node_options | utf8 |
| encrypted | bool |
| endpoint | json |
| enhanced_vpc_routing | bool |
| expected_next_snapshot_schedule_time | timestamp[us, tz=UTC] |
| expected_next_snapshot_schedule_time_status | utf8 |
| hsm_status | json |
| iam_roles | json |
| kms_key_id | utf8 |
| maintenance_track_name | utf8 |
| manual_snapshot_retention_period | int64 |
| master_username | utf8 |
| modify_status | utf8 |
| next_maintenance_window_start_time | timestamp[us, tz=UTC] |
| node_type | utf8 |
| number_of_nodes | int64 |
| pending_actions | list<item: utf8, nullable> |
| pending_modified_values | json |
| preferred_maintenance_window | utf8 |
| publicly_accessible | bool |
| reserved_node_exchange_status | json |
| resize_info | json |
| restore_status | json |
| snapshot_schedule_identifier | utf8 |
| snapshot_schedule_state | utf8 |
| total_storage_capacity_in_mega_bytes | int64 |
| vpc_id | utf8 |
| vpc_security_groups | json |

Example Queries

These SQL queries are sampled from CloudQuery policies and are written for PostgreSQL (the audit-logging check uses PostgreSQL JSON operators). Each query returns one row per cluster with a `pass`/`fail` status, except the encryption-in-transit check, which returns only the failing clusters. The `encrypted` and `kms_key_id` columns are available if you also want an encryption-at-rest check; none is shown here.

Amazon Redshift clusters should prohibit public access

-- One row per cluster. A cluster whose publicly_accessible flag is true fails;
-- anything else (false or NULL) passes. Note the asymmetry with the other
-- checks on this page, which treat a NULL flag as a failure: here a NULL is
-- read as "not public".
SELECT
  'Amazon Redshift clusters should prohibit public access' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN publicly_accessible THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_redshift_clusters;

Connections to Amazon Redshift clusters should be encrypted in transit

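-- Flags clusters whose parameter rows set require_ssl to 'false', set it to
-- NULL, or do not carry a require_ssl parameter at all (treated here as "not
-- enforced"), meaning clients may connect without TLS. Only failing clusters
-- are returned; a cluster with no rows in the joined parameter tables is not
-- reported at all (neither pass nor fail), so an empty result is not proof of
-- compliance.
--
-- The three disjuncts are wrapped in one parenthesised group so that every one
-- of them is correlated to the outer cluster via rsc.arn = rscpg.cluster_arn.
-- Without the grouping, AND binds tighter than OR and only the 'false' branch
-- is correlated: the NULL branch and the NOT EXISTS branch would then match
-- against any cluster's parameter group in the account, marking every cluster
-- as failing as soon as one of them lacks the parameter.
SELECT
  'Connections to Amazon Redshift clusters should be encrypted in transit'
    AS title,
  account_id,
  arn AS resource_id,
  'fail' AS status
FROM
  aws_redshift_clusters AS rsc
WHERE
  EXISTS(
    SELECT
      1
    FROM
      aws_redshift_cluster_parameter_groups AS rscpg
      INNER JOIN aws_redshift_cluster_parameters AS rscp ON
          rscpg.cluster_arn = rscp.cluster_arn
    WHERE
      rsc.arn = rscpg.cluster_arn
      AND (
          -- require_ssl explicitly disabled
          (rscp.parameter_name = 'require_ssl' AND rscp.parameter_value = 'false')
          -- require_ssl present but without a value
          OR (rscp.parameter_name = 'require_ssl' AND rscp.parameter_value IS NULL)
          -- no require_ssl parameter on this cluster at all
          OR NOT EXISTS(
            SELECT
              1
            FROM
              aws_redshift_cluster_parameters
            WHERE
              cluster_arn = rscpg.cluster_arn
              AND parameter_name = 'require_ssl'
          )
        )
  );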

Amazon Redshift clusters should have audit logging enabled

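-- Audit logging must be explicitly enabled: the LoggingEnabled key inside
-- logging_status has to be true. Everything else fails — a NULL
-- logging_status, a missing key, a JSON null, or false. Reading the value with
-- ->> and testing IS true covers all of those in a single branch; the earlier
-- jsonb_typeof form let a JSON null through as 'pass', because ->> yields SQL
-- NULL for it and `NULL IS false` is not true, so the ELSE branch was taken.
-- The ::BOOL cast raises if the value is not a boolean-like string; that
-- matches the previous behaviour and surfaces malformed rows rather than
-- silently passing them.
SELECT
  'Amazon Redshift clusters should have audit logging enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN (logging_status->>'LoggingEnabled')::BOOL IS true THEN 'pass'
    ELSE 'fail'
  END AS status
FROM
  aws_redshift_clusters;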

Amazon Redshift clusters should have automatic snapshots enabled

-- Passes only when automated snapshots are retained for at least 7 days.
-- A shorter retention period, or an unknown (NULL) one, fails. The 7-day floor
-- is the threshold this policy applies; the title says "enabled" but the
-- check is stricter than "non-zero". (Presumably 0 means automated snapshots
-- are off — confirm against the API reference linked above.)
SELECT
  'Amazon Redshift clusters should have automatic snapshots enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN automated_snapshot_retention_period >= 7 THEN 'pass'
    ELSE 'fail'
  END AS status
FROM
  aws_redshift_clusters;

Amazon Redshift should have automatic upgrades to major versions enabled

-- Passes only when allow_version_upgrade is true; false and NULL both fail,
-- so a cluster whose flag could not be read is reported rather than assumed
-- compliant.
SELECT
  'Amazon Redshift should have automatic upgrades to major versions enabled'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN allow_version_upgrade THEN 'pass'
    ELSE 'fail'
  END AS status
FROM
  aws_redshift_clusters;

Amazon Redshift clusters should use enhanced VPC routing

-- Fails unless enhanced_vpc_routing is explicitly true; a NULL flag is treated
-- as not enabled, consistent with the version-upgrade check above.
SELECT
  'Amazon Redshift clusters should use enhanced VPC routing' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN enhanced_vpc_routing IS NOT true THEN 'fail'
    ELSE 'pass'
  END AS status
FROM
  aws_redshift_clusters;