Redshift Cluster Version Upgrade Disabled
Risk Level: Low
Description
This plugin ensures that version upgrade is enabled for Redshift clusters so that upgrades are applied automatically during the maintenance window. Redshift clusters should be configured to run the latest service software, as updates fix certain bugs and security vulnerabilities.
About the Service
Amazon Redshift: Amazon Redshift is a data warehouse with fast and secure data-analysis features. It is a powerful and robust service from Amazon for running SQL queries and even deploying ML (Machine Learning) models on the data. For additional monitoring benefits, it also provides access to real-time operational analytics.
Impact
Running clusters on outdated software versions can have a serious impact on security. Updated versions fix all previously discovered security vulnerabilities. If the cluster still runs an older version, an attacker can take advantage of these vulnerabilities.
Steps to Reproduce
Using AWS Console-
- Log in to your AWS Console.
- Open the Amazon Redshift Console. You can use this link (https://console.aws.amazon.com/redshiftv2/) to navigate directly if you are already logged in.
- From the left navigation pane, click on Clusters.
- A list of clusters will be displayed. Select the cluster you want to examine by clicking on its Cluster Name.
- Move to the Maintenance tab.
- In the Maintenance details, check the value of "Allow version upgrade". If it is set to "No", the vulnerability exists.
- Repeat the steps for all the clusters you wish to examine.
Steps for Remediation
Using AWS CLI-
- Configure the AWS CLI with your account credentials.
- Run the modify-cluster command, which enables automatic version upgrades for the cluster:
aws redshift modify-cluster \
    --region <region_name> \
    --cluster-identifier <cluster_name> \
    --allow-version-upgrade
- Repeat the steps for all the vulnerable Redshift clusters.
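As an added example that is not part of the original page or the CNS product, the following Python script turns the reproduce and remediation steps into a repeatable check: it flags every cluster whose AllowVersionUpgrade is false in describe-clusters output and builds the modify-cluster command shown above for each finding. The live lookup assumes boto3 is installed and AWS credentials are configured; the sample response is constructed.

```python
# Added example, not code from the page or the CNS product: audit
# describe-clusters output for "Allow version upgrade" = No.

# Constructed sample shaped like an `aws redshift describe-clusters` response.
SAMPLE_RESPONSE = {
    "Clusters": [
        {"ClusterIdentifier": "analytics-prod", "AllowVersionUpgrade": True},
        {"ClusterIdentifier": "legacy-reporting", "AllowVersionUpgrade": False},
    ]
}


def clusters_with_upgrade_disabled(response: dict) -> list:
    """Identifiers of clusters with AllowVersionUpgrade False. A record that
    lacks the key is reported too, so a malformed response cannot hide one."""
    return [
        c["ClusterIdentifier"]
        for c in response.get("Clusters", [])
        if not c.get("AllowVersionUpgrade", False)
    ]


def remediation_commands(region: str, cluster_ids: list) -> list:
    """The page's modify-cluster remediation command, one per finding."""
    return [
        f"aws redshift modify-cluster --region {region} "
        f"--cluster-identifier {cid} --allow-version-upgrade"
        for cid in cluster_ids
    ]


def audit_region(region: str, remediate: bool = False) -> list:
    """Page through the live API for one region; optionally apply the fix."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    client = boto3.client("redshift", region_name=region)
    findings = []
    for page in client.get_paginator("describe_clusters").paginate():
        findings.extend(clusters_with_upgrade_disabled(page))
    if remediate:
        for cid in findings:
            client.modify_cluster(ClusterIdentifier=cid, AllowVersionUpgrade=True)
    return findings


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for cmd in remediation_commands(region, audit_region(region)):
        print(cmd)
```

Run it with a region name as the first argument to list the commands for that region's non-compliant clusters, or call audit_region(region, remediate=True) to apply the fix directly.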