Skip to content

Terraform AWS Redshift

Redshift clusters or serverless workgroups with VPC networking, encryption, audit logging, snapshot settings, parameter groups, enhanced VPC routing, and controlled access.

13 controls enforced23 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "redshift" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cis.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "nis2.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

module "redshift" {
  source  = "soc2.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "redshift" {
  source  = "terraform-aws-modules/redshift/aws"
  version = "1.0"
}

module "redshift" {
  source  = "soc2.compliance.tf/terraform-aws-modules/redshift/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "redshift" {
  source  = "terraform-aws-modules/redshift/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

ACSC-EE-ML3-6.8: Patch operating systems ML3

ACSC-EE-ML3-8.3: Regular backups ML3

ACSC-EE-ML3-8.8: Regular backups ML3

ISM-1271: Network environment

ISM-1277: Communications between database servers and web servers

ISM-1758: Database event logging

Detection

Identity and access management

Infrastructure protection

CP-10(2): Transaction Recovery

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period

11.10(d) Limiting system access to authorized individuals

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance

11.30 Controls for open systems

3.3 Configure Data Access Control Lists

8.2 Collect Audit Logs

11.4 Establish and Maintain an Isolated Instance of Recovery Data

Booting Up: Things to Do First-1

Booting Up: Things to Do First-3

Your Data-1

Your Data-2

Your Data-4

Your Systems-2

Your Systems-3

4.8 Validation - Data Transfer

5 Data

7.1 Data Storage - Damage Protection

7.2 Data Storage - Backups

16 Business Continuity

17 Archiving

Account Management (AC-2)

Account Management (AC-3)

Audit Events (AU-2)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

Continuous Monitoring (CA-7)

Denial Of Service Protection (SC-5)

Information System Backup (CP-9)

Information System Recovery And Reconstitution (CP-10)

Remote Access (AC-17)

Use of Cryptography (SC-13)

AC-2(4) Automated Audit Actions

AC-2(g)

AC-17(1) Automated Monitoring/Control

AC-21(b)

Access Enforcement (AC-3)

AU-2(a)(d)

AU-6(1)(3)

AU-12(a)(c)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

CA-7(a)(b)

Content of Audit Records (AU-3)

CP-9(b))

Information Flow Enforcement (AC-4)

Information Handling and Retention (SI-12)

Information In Shared Resources (SC-4)

Information System Recovery And Reconstitution (CP-10)

Least Privilege (AC-6)

Protection of Information at Rest (SC-28)

SC-7(3) Access Points

SI-4(2) Automated Tools For Real-Time Analysis

SI-4(4) Inbound and Outbound Communications Traffic

SI-4(5) System-Generated Alerts

SI-4(16) Correlate Monitoring Information

D1.RM.Rm.B.1

D2.MA.Ma.B.1

D2.MA.Ma.B.2

D3.CC.PM.B.1

D3.CC.PM.B.3

D3.DC.An.B.4

D3.DC.Ev.B.1

D3.PC.Am.B.12

D3.PC.Am.B.15

D3.PC.Im.B.1

D5.DR.De.B.3

Article 30 Records of processing activities

Article 32 Security of processing

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(1)(ii)(D): Administrative Safeguards

164.308(a)(3)(i) Workforce security

164.308(a)(3)(ii)(A) Authorization and/or supervision

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.308(a)(7)(i) Contingency plan

164.308(a)(7)(ii)(A) Data backup plan

164.308(a)(7)(ii)(B) Disaster recovery plan

164.308(a)(7)(ii)(C) Emergency mode operation plan

164.312(a)(1) Access control

164.312(a)(2)(ii) Emergency access procedure

164.312(a)(2)(iv) Encryption and decryption

164.312(b) Audit controls

164.312(e)(1) Transmission security

164.312(e)(2)(ii) Encryption

164.314(b)(2)(iv): Organizational Requirements

A.8.1 User endpoint devices

A.8.12 Data leakage prevention

A.8.14 Redundancy of information processing facilities

A.8.15 Logging

A.8.20 Network security

A.8.21 Security of network services

A.8.22 Segregation of networks

A.8.24 Use of cryptography

3 Incident handling

6 Security in network and information systems acquisition, development and maintenance

9 Cryptography

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations

3.1.14 Route remote access via managed access control points

3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

AC-2(4) Automated Audit Actions

AC-2(6) Dynamic Privilege Management

AC-3(1) Restricted Access To Privileged Functions

AC-3(7): Role-Based Access Control

AC-3(10) Audited Override Of Access Control Mechanisms

AC-4(21) Physical Or Logical Separation Of Infomation Flows

AC-4(26) Audit Filtering Actions

AC-6: Least Privilege

AC-6(9)

AC-17(1) Monitoring And Control

AC-17(4)(a)

AC-17(9) Disconnect Or Disable Access

AC-17(10) Authenticate Remote Commands

AC-17(b)

Access Enforcement (AC-3)

AU-2(b)

AU-3(a)

AU-3(b)

AU-3(c)

AU-3(d)

AU-3(e)

AU-3(f)

AU-6(3) Correlate Audit Record Repositories

AU-6(4) Central Review And Analysis

AU-6(6) Correletion With Physical Monitoring

AU-6(9) Correletion With From Nontechnical Sources

AU-8(b)

AU-9(3) Cryptographic Protection

AU-12(1) System-Wide And Time-Correlated Audit Trial

AU-12(2) Standardized Formats

AU-12(3) Changes By Authorized Individuals

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

AU-12(a)

AU-12(c)

AU-14(3) Remote Viewing And Listening

AU-14(a)

AU-14(b)

CA-7(b)

CM-2(b)

CM-3(3) Automated Change Implementation

CM-5(1)(b)

Continuous Monitoring Strategy (PM-31)

CP-1(2)

CP-2(5) Continue Mission And Business Functions

CP-6(1) Separation From Primary Site

CP-6(2) Recovery Time And Recovery Point Objectives

CP-6(a)

CP-9(a)

CP-9(b)

CP-9(c)

CP-9(d)

CP-10(2): Transaction Recovery

IA-3(3)(b)

MA-4(1)(a)

Media Access (MP-2)

Non-Repudiation (AU-10)

PM-14(a)(1)

PM-14(b)

SC-5(2) Capacity, Bandwidth, And Redundancy

SC-7(2) Public Access

SC-7(3) Access Points

SC-7(7) Split Tunneling For Remote Devices

SC-7(9)(a)

SC-7(9)(b)

SC-7(11) Restrict Incoming communications Traffic

SC-7(12) Host-Based Protection

SC-7(16) Prevent Discovery Of System Components

SC-7(20) Prevent Discovery Of System Components

SC-7(21) Isolation Of System Components

SC-7(24)(b)

SC-7(25) Unclassified National Security System Connections

SC-7(26) Classified National Security System Connections

SC-7(27) Unclassified Non-National Security System Connections

SC-7(28): Connections To Public Networks

SC-7(a)

SC-7(b)

SC-7(c)

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Ramdomize Communications

SC-13(a)

SC-28(1): Cryptographic Protection

SI-1(1)(c)

SI-2(2) Automated Flaw Remediation Status

SI-2(5): Automatic Software And Firmware Updates

SI-2(c)

SI-2(d)

SI-3(8)(b)

SI-4(2) Automated Tools For Real-Time Analysis

SI-4(17) Integrated Situational Awareness

SI-4(20) Privileged Users

SI-7(8) Auditing Capability For Significant Events

SI-10(1)(c)

SI-13(5) Failover Capability

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

System Recovery And Reconstitution (CP-10)

Thin Nodes (SC-25)

ID.AM-03

ID.BE-5

PR.AC-3

PR.DS-1

PR.DS-02

PR.DS-4

PR.IR-03

PR.IR-04

PR.PS-02

500.02(b)(5)

500.07 Access Privileges and Management

500.14(a)

500.15(a)

1.2.5: Network security controls (NSCs) are configured and maintained.

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.1: Network connections between trusted and untrusted networks are controlled.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.4.4: Network connections between trusted and untrusted networks are controlled.

1.4.4: System components that store cardholder data are not directly accessible from untrusted networks

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

2.2.5: System components are configured and managed securely.

2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons

2.2.7: System components are configured and managed securely.

3.5.1: Primary account number (PAN) is secured wherever it is stored.

3.5.1.3: Primary account number (PAN) is secured wherever it is stored.

4.2.1: PAN is protected with strong cryptography during transmission.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

4.2.1.1: PAN is protected with strong cryptography during transmission.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates

6.3.3: Security vulnerabilities are identified and addressed.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.3.2: Audit logs are protected from destruction and unauthorized modifications.

10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify

10.3.3: Audit logs are protected from destruction and unauthorized modifications.

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

A3.4.1: Logical access to the cardholder data environment is controlled and managed.

Annex I (1.3)

Annex I (12)

Annex I (6)

Annex I (7.4)

3.1.a Identification and Classification of Information Assets

3.3 Vulnerability Management

8.I Basic Security Aspects

8.IX Backup and Recovery

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate

CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlPCI DSS v4.0FFIEC Cybersecurity Assessment ToolNIST SP 800-53 Rev 5NIST Cybersecurity Framework v2.0Title 21 CFR Part 11CISA Cyber EssentialsHIPAA Omnibus Rule 2013RBI Cyber Security Framework for UCBs
Redshift clusters should have audit logging enabled
Redshift clusters should have automatic snapshots enabled
Redshift clusters should have automatic upgrades to major versions enabled
Redshift clusters should be encrypted with CMK
Redshift cluster encryption in transit should be enabled
Redshift clusters should have audit logging and encryption enabled
Redshift clusters should have enhanced VPC routing enabled
Redshift clusters should have KMS encryption enabled
Redshift clusters should have required maintenance settings
Redshift clusters should have Multi-AZ deployments enabled
Redshift clusters should not use the default admin username
Redshift clusters should not use the default database name
Redshift clusters should prohibit public access

Showing top 8 frameworks by coverage. All framework endpoints →