Redshift cluster encryption in transit should be enabled
Redshift clusters often hold analytical datasets derived from production systems, including PII, financial records, and health data. Without enforced TLS, SQL client connections (BI tools, ETL pipelines, ad-hoc queries from developer laptops) can transmit credentials and query results without transport encryption if clients are misconfigured. An attacker with network access or a misconfigured VPC peering connection could capture this traffic.
Do not assume a universal default value for require_ssl across all parameter groups and engine families. Verify the effective value in the cluster's attached parameter group. If require_ssl is not set to true, clients that do not explicitly enforce SSL may connect without TLS.
Retrofit consideration
Changing require_ssl to true on an existing parameter group takes effect immediately and will disconnect any active sessions not using SSL. Verify all client connection strings include sslmode=require or equivalent before applying.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "redshift" {
source = "soc2.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "pcidss.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "hipaa.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "gdpr.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "nist80053.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "nistcsf.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "fedrampmoderate.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "nist800171.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "nydfs23.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "ffiec.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "fedramplow.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "hipaasecurity2003.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "nistcsfv11.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "nist80053rev4.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
module "redshift" {
source = "pcidssv321.compliance.tf/terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
}
If you use terraform-aws-modules/redshift/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "redshift" {
source = "terraform-aws-modules/redshift/aws"
version = ">=7.0.0,<8.0.0"
automated_snapshot_retention_period = 7
cluster_identifier = "abc123"
create_cloudwatch_log_group = true
database_name = "mydb"
logging = {
log_destination_type = "cloudwatch"
log_exports = ["connectionlog", "userlog", "useractivitylog"]
}
master_password_wo = "change-me-in-production"
master_username = "admin"
node_type = "ra3.xlplus"
number_of_nodes = 2
subnet_ids = ["subnet-12345678", "subnet-12345678", "subnet-12345678"]
vpc_id = "vpc-12345678"
vpc_security_group_ids = ["sg-12345678"]
encrypted = true
}
Use AWS provider resources directly. See docs for the resources involved: aws_redshift_cluster.
resource "aws_redshift_cluster" "this" {
automated_snapshot_retention_period = 7
cluster_identifier = "pofix-abc123"
cluster_subnet_group_name = "example-redshift-subnet-group"
master_password = "ChangeMe123!"
master_username = "admin"
node_type = "ra3.large"
skip_final_snapshot = true
encrypted = true
}
What this control checks
This control validates that the Redshift cluster references a parameter group with require_ssl set to true. In Terraform, define an aws_redshift_parameter_group resource with a parameter block setting name = "require_ssl" and value = "true". The aws_redshift_cluster resource must reference this group via cluster_parameter_group_name. A cluster fails when its effective parameter group does not set require_ssl to true, including cases where a custom parameter group omits the parameter entirely or sets it to "false".
Common pitfalls
Default parameter group cannot be modified
The built-in
default.redshift-1.0parameter group cannot have its parameters changed. Ifaws_redshift_clusteromitscluster_parameter_group_nameor points at the default group, this control fails. Create a customaws_redshift_parameter_groupand assign it explicitly.Parameter value must be a string
In the
aws_redshift_parameter_groupresource, thevalueargument in theparameterblock must be the string"true", not a Terraform boolean. Settingvalue = true(unquoted) can cause unexpected behavior or type errors depending on the provider version.Client-side SSL not guaranteed by this control
This control doesn't protect against certificate spoofing on the client side.
require_ssl = trueforces the server to reject non-SSL connections, but clients usingsslmode=requirestill skip certificate verification. For full protection against MITM attacks, clients should usesslmode=verify-fullwith the Redshift CA bundle. That's outside the scope of this server-side setting.Reboot not required but sessions drop
Log delivery silently fails if clients weren't using SSL when you apply this change. Unlike some RDS parameter changes,
require_sslin Redshift takes effect dynamically without a cluster reboot, but existing non-SSL sessions are terminated on the next query attempt. Running ETL jobs that weren't connecting with SSL will break without warning.
Audit evidence
An auditor expects Config rule evaluation results (such as redshift-require-tls-ssl) showing all Redshift clusters as compliant. Console evidence from the Redshift cluster details page showing the associated parameter group, with the parameter group configuration displaying require_ssl = true, confirms it directly. Scan outputs from Steampipe or Prowler, and Security Hub findings for this check across all regions, strengthen the evidence package.
For additional assurance, CloudTrail logs for ModifyClusterParameterGroup API calls show when the parameter was changed and by whom, establishing an audit trail for the enforcement action.
Framework-specific interpretation
SOC 2: CC6.1 covers logical access and encryption controls, and TLS enforcement on data in transit is part of what auditors test under the Confidentiality category. A server-side require_ssl setting is the kind of concrete, testable control that holds up during design-effectiveness reviews.
PCI DSS v4.0: Requirement 4.2.1 mandates strong cryptography for cardholder data over open or public networks. Starting March 2025, Requirement 4.2.1.1 extends that to all networks. If card data flows through Redshift analytical workloads, require_ssl covers the encryption requirement at the cluster level.
HIPAA Omnibus Rule 2013: Satisfies the transmission security standard at 45 CFR 164.312(e)(1) by ensuring ePHI queried from or loaded into Redshift is encrypted in transit. Because the server rejects unencrypted connections outright, protection doesn't depend on client configuration.
GDPR: Article 32 calls for appropriate technical measures to secure processing, encryption of data in transit included. For analytics workloads touching personal data, enforcing TLS on Redshift connections is a concrete implementation of the controller's obligation to prevent unauthorized disclosure.
NIST SP 800-53 Rev 5: SC-8 and SC-8(1) together expect cryptographic protections on data channels, not just physical controls. require_ssl addresses both: it enforces encryption at the Redshift endpoint and reduces reliance on network-layer mitigations for transmission security.
NIST Cybersecurity Framework v2.0: PR.DS covers protection of data in transit. Redshift SQL connections carry query results and credentials, so require_ssl is the direct control for maintaining confidentiality and integrity between analytics clients and the cluster.
FedRAMP Moderate Baseline Rev 4: SC-8 (Transmission Confidentiality and Integrity) and SC-23 (Session Authenticity) both apply to Redshift SQL connections carrying federal data. The require_ssl parameter is how you meet the FedRAMP Moderate baseline expectation for encrypted system interconnections.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control:
redshift_cluster_encryption_in_transit_enabledAWS Config Managed Rules:
REDSHIFT_REQUIRE_TLS_SSL,REDSHIFT_SERVERLESS_WORKGROUP_ENCRYPTED_IN_TRANSITCheckov Check:
CKV_AWS_105Powerpipe Control:
aws_compliance.control.redshift_cluster_encryption_in_transit_enabledProwler Check:
redshift_cluster_in_transit_encryption_enabledAWS Security Hub Control:
Redshift.2
Last reviewed: 2026-03-09