Terraform AWS Redshift
Redshift clusters or serverless workgroups with VPC networking, encryption, audit logging, snapshot settings, parameter groups, enhanced VPC routing, and controlled access.
Controls enforced
These compliance controls are checked at terraform plan time.
- Redshift clusters should have audit logging enabled(low effort)
- Redshift clusters should have automatic snapshots enabled(low effort)
- Redshift clusters should have automatic upgrades to major versions enabled(low effort)
- Redshift clusters should be encrypted with CMK(low effort)
- Redshift cluster encryption in transit should be enabled(low effort)
- Redshift clusters should have audit logging and encryption enabled(low effort)
- Redshift clusters should have enhanced VPC routing enabled(low effort)
- Redshift clusters should have KMS encryption enabled(low effort)
- Redshift clusters should have required maintenance settings(low effort)
- Redshift clusters should have Multi-AZ deployments enabled(low effort)
- Redshift clusters should not use the default admin username(low effort)
- Redshift clusters should not use the default database name(low effort)
- Redshift clusters should prohibit public access(low effort)
Quick start
module "redshift" {
source = "pcidss.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "ffiec.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "nist80053.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "nistcsf.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "hipaa.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}module "redshift" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
# ... your arguments here
}See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
Migration from upstream
Already using terraform-aws-modules? Change only the source URL:
module "redshift" {
source = "terraform-aws-modules/redshift/aws"
version = "1.0"
}module "redshift" {
source = "soc2.compliance.tf/terraform-aws-modules/redshift/aws"
version = "1.0"
}Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL:
module "redshift" {
source = "terraform-aws-modules/redshift/aws"
}Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
1.2.5: Network security controls (NSCs) are configured and maintained.
1.2.8: Network security controls (NSCs) are configured and maintained.
1.3.1: Network access to and from the cardholder data environment is restricted.
1.3.2: Network access to and from the cardholder data environment is restricted.
1.4.1: Network connections between trusted and untrusted networks are controlled.
1.4.2: Network connections between trusted and untrusted networks are controlled.
1.4.4: Network connections between trusted and untrusted networks are controlled.
1.4.4: System components that store cardholder data are not directly accessible from untrusted networks
1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks
1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3.1: Audit logs are protected from destruction and unauthorized modifications.
10.3.2: Audit logs are protected from destruction and unauthorized modifications.
10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify
10.3.3: Audit logs are protected from destruction and unauthorized modifications.
10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.
2.2.5: System components are configured and managed securely.
2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons
2.2.7: System components are configured and managed securely.
3.5.1.3: Primary account number (PAN) is secured wherever it is stored.
3.5.1: Primary account number (PAN) is secured wherever it is stored.
4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained
4.2.1.1: PAN is protected with strong cryptography during transmission.
4.2.1: PAN is protected with strong cryptography during transmission.
5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.
6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates
6.3.3: Security vulnerabilities are identified and addressed.
8.3.2: Strong authentication for users and administrators is established and managed.
8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.
A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.
A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.
A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities
A3.4.1: Logical access to the cardholder data environment is controlled and managed.
D1.RM.Rm.B.1
D2.MA.Ma.B.1
D2.MA.Ma.B.2
D3.CC.PM.B.1
D3.CC.PM.B.3
D3.DC.An.B.4
D3.DC.Ev.B.1
D3.PC.Am.B.12
D3.PC.Im.B.1
AC-17(1) Monitoring And Control
AC-17(10) Authenticate Remote Commands
AC-17(9) Disconnect Or Disable Access
AC-2(4) Automated Audit Actions
AC-2(6) Dynamic Privilege Management
AC-3(1) Restricted Access To Privileged Functions
AC-3(10) Audited Override Of Access Control Mechanisms
AC-3(7): Role-Based Access Control
AC-4(21) Physical Or Logical Separation Of Infomation Flows
AC-4(26) Audit Filtering Actions
AC-6(9)
AC-6: Least Privilege
AU-12(1) System-Wide And Time-Correlated Audit Trial
AU-12(2) Standardized Formats
AU-12(3) Changes By Authorized Individuals
AU-12(4) Query Parameter Audits Of Personally Identifiable Information
AU-12(a)
AU-12(c)
AU-14(3) Remote Viewing And Listening
AU-14(a)
AU-14(b)
AU-2(b)
AU-3(a)
AU-3(b)
AU-3(c)
AU-3(d)
AU-3(e)
AU-3(f)
AU-6(3) Correlate Audit Record Repositories
AU-6(4) Central Review And Analysis
AU-6(6) Correletion With Physical Monitoring
AU-6(9) Correletion With From Nontechnical Sources
AU-8(b)
AU-9(3) Cryptographic Protection
Access Enforcement (AC-3)
CA-7(b)
CM-2(b)
CM-3(3) Automated Change Implementation
CM-5(1)(b)
CP-1(2)
CP-10(2): Transaction Recovery
CP-2(5) Continue Mission And Business Functions
CP-6(1) Separation From Primary Site
CP-6(2) Recovery Time And Recovery Point Objectives
CP-6(a)
CP-9(a)
CP-9(b)
CP-9(c)
CP-9(d)
Continuous Monitoring Strategy (PM-31)
IA-3(3)(b)
MA-4(1)(a)
Media Access (MP-2)
Non-Repudiation (AU-10)
PM-14(a)(1)
PM-14(b)
SC-13(a)
SC-28(1): Cryptographic Protection
SC-5(2) Capacity, Bandwidth, And Redundancy
SC-7(11) Restrict Incoming communications Traffic
SC-7(12) Host-Based Protection
SC-7(16) Prevent Discovery Of System Components
SC-7(2) Public Access
SC-7(20) Prevent Discovery Of System Components
SC-7(21) Isolation Of System Components
SC-7(25) Unclassified National Security System Connections
SC-7(26) Classified National Security System Connections
SC-7(27) Unclassified Non-National Security System Connections
SC-7(28): Connections To Public Networks
SC-7(3) Access Points
SC-7(7) Split Tunneling For Remote Devices
SC-7(9)(b)
SC-8(3) Cryptographic Protection For Message Externals
SC-8(4) Conceal Or Ramdomize Communications
SI-1(1)(c)
SI-10(1)(c)
SI-13(5) Failover Capability
SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers
SI-2(2) Automated Flaw Remediation Status
SI-2(5): Automatic Software And Firmware Updates
SI-2(c)
SI-2(d)
SI-3(8)(b)
SI-4(17) Integrated Situational Awareness
SI-4(2) Automated Tools For Real-Time Analysis
SI-4(20) Privileged Users
SI-7(8) Auditing Capability For Significant Events
System Recovery And Reconstitution (CP-10)
Thin Nodes (SC-25)
ID.BE-5
PR.DS-1
11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period
11.10(d) Limiting system access to authorized individuals
11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
11.10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
Booting Up: Things to Do First-1
Booting Up: Things to Do First-3
Your Data-1
Your Data-2
Your Data-4
Your Systems-2
164.308(a)(1)(ii)(B) Risk Management
164.308(a)(1)(ii)(D): Administrative Safeguards
164.308(a)(3)(i) Workforce security
164.308(a)(3)(ii)(A) Authorization and/or supervision
164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
164.308(a)(7)(i) Contingency plan
164.308(a)(7)(ii)(A) Data backup plan
164.308(a)(7)(ii)(B) Disaster recovery plan
164.308(a)(7)(ii)(C) Emergency mode operation plan
164.312(a)(1) Access control
164.312(a)(2)(ii) Emergency access procedure
164.312(a)(2)(iv) Encryption and decryption
164.312(b) Audit controls
164.312(e)(1) Transmission security
164.312(e)(2)(ii) Encryption
164.314(b)(2)(iv): Organizational Requirements
Annex I (1.3)
Annex I (12)
Annex I (6)
Framework coverage
Which controls from this module are active under each framework endpoint.
● enforced by default · ○ not activated by this endpoint