AWS Redshift Cluster Snapshot Based Scanning

Support for Redshift Cluster Snapshot-based scanning is available from AWS CFT version 67 and above.

For a Redshift Cluster in AWS to which direct connectivity is not available, the snapshot-based scan approach can be used instead: the scanner works on a restored copy of the cluster rather than on the cluster itself.

Steps for AWS Redshift Cluster Snapshot Based Scanning

These are the steps that the DSPM Data Scanner automation uses to scan Redshift Cluster Snapshots. No user action is required.

  1. For each Redshift Cluster, check whether a snapshot is available.
  2. If a snapshot is available, restore the cluster from the latest snapshot into the DSPM VPC (or into the existing VPC designated for this purpose) and configure the DSPM credential for access to the restored cluster.
  3. Connect to the restored cluster, fetch the data and run the scan.
  4. Delete the restored cluster from the VPC in which it was created.

Permissions Required

Permissions required for the DSPM Data Scanner to restore Redshift Cluster Snapshots

          # Grants permission to restore a Redshift cluster from a snapshot
          - Sid: RedshiftPermissionForRestoreSnapshot
            Action:
              - redshift:RestoreFromClusterSnapshot
            Effect: Allow
            Resource:
              - !Sub "arn:aws:redshift:*:${AWS::AccountId}:snapshot:*"
              - !Sub "arn:aws:redshift:*:${AWS::AccountId}:cluster:*"
          # Grants permission to create, tag and delete the Normalyze-created
          # cluster subnet group (name beginning with 'normalyze')
          - Sid: RedshiftPermissionForCreateDeleteNormalyzeSubnetGroup
            Action:
              - redshift:CreateClusterSubnetGroup
              - redshift:DeleteClusterSubnetGroup
              - redshift:CreateTags
            Effect: Allow
            Resource:
              - !Sub "arn:aws:redshift:*:${AWS::AccountId}:subnetgroup:normalyze*"

Permissions required in the DSPM group to modify and delete the restored Redshift cluster

          # Grants permission to modify or delete only those Redshift clusters
          # whose Name tag is Normalyze-<onboarding id>, i.e. the clusters
          # restored by Normalyze for this onboarding
          - Sid: RedshiftPermissionForModifyRestoredCluster
            Action:
              - redshift:ModifyCluster
              - redshift:DeleteCluster
            Effect: Allow
            Resource:
              - !Sub "arn:aws:redshift:*:${AWS::AccountId}:cluster:*"
            Condition:
              StringEquals:
                "aws:ResourceTag/Name": "Normalyze-{{ONBOARDING_ID}}"
          # Grants permission to tag only the cluster restored by Normalyze,
          # whose cluster name begins with 'normalyze'
          - Sid: RedshiftPermissionForTaggingRestoredCluster
            Action:
              - redshift:CreateTags
            Effect: Allow
            Resource:
              - !Sub "arn:aws:redshift:*:${AWS::AccountId}:cluster:normalyze*"
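The following Python example is added here to show how the four scan steps above line up with the permission statements; it is not Normalyze's code and not part of the original page. It calls the boto3 Redshift client methods (describe_cluster_snapshots, create_cluster_subnet_group, restore_from_cluster_snapshot, create_tags, delete_cluster, delete_cluster_subnet_group) with their documented parameters, but the client is passed in, so the block runs offline against a constructed stand-in that records the calls. The region, account ID, onboarding ID, subnet and security group IDs, snapshot records, and the exact cluster and subnet group names are all placeholders chosen for the example; the page only requires that those names begin with 'normalyze'. Beyond the steps as written, it also covers the case where no available snapshot exists and the case where the scan fails part-way, in which the restored copy is still removed.

```python
"""Snapshot-based Redshift scan flow: added example, not Normalyze's own code.
boto3 Redshift client methods with their documented parameters; the client is
injected so the flow runs offline against the constructed stand-in below."""
from datetime import datetime, timezone

ONBOARDING_ID = "example-onboarding-id"  # placeholder for {{ONBOARDING_ID}}
REGION, ACCOUNT_ID = "us-east-1", "123456789012"  # assumed; only used for the ARN


def latest_available_snapshot(snapshots):
    """Step 1: the newest snapshot whose Status is 'available', or None."""
    usable = [s for s in snapshots if s.get("Status") == "available"]
    return max(usable, key=lambda s: s["SnapshotCreateTime"]) if usable else None


def scratch_names(source_cluster_id, onboarding_id=ONBOARDING_ID):
    """Names the policy keys on: the 'normalyze' prefix matched by the cluster and
    subnetgroup resource ARNs, 'Normalyze-<id>' for the aws:ResourceTag/Name condition."""
    return {"cluster_id": f"normalyze-{source_cluster_id}-scan",
            "subnet_group": f"normalyze-{onboarding_id}-subnets",
            "name_tag": f"Normalyze-{onboarding_id}"}


def snapshot_scan(redshift, source_cluster_id, subnet_ids, security_group_ids, scan_fn):
    """Steps 1-4 for one source cluster; scan_fn(cluster_id) stands in for
    'connect, fetch the data and run scan'. Returns the snapshot id used, or
    None when no available snapshot exists (then nothing is restored)."""
    resp = redshift.describe_cluster_snapshots(ClusterIdentifier=source_cluster_id)
    snap = latest_available_snapshot(resp["Snapshots"])
    if snap is None:
        return None
    names = scratch_names(source_cluster_id)
    redshift.create_cluster_subnet_group(
        ClusterSubnetGroupName=names["subnet_group"],
        Description="Normalyze scratch subnet group", SubnetIds=subnet_ids)
    restored = False
    try:
        # Step 2: restore into the designated VPC, never publicly reachable.
        redshift.restore_from_cluster_snapshot(
            ClusterIdentifier=names["cluster_id"],
            SnapshotIdentifier=snap["SnapshotIdentifier"],
            ClusterSubnetGroupName=names["subnet_group"],
            VpcSecurityGroupIds=security_group_ids, PubliclyAccessible=False)
        restored = True
        # Real run: redshift.get_waiter("cluster_restored").wait(ClusterIdentifier=...)
        # Tag before anything else: ModifyCluster/DeleteCluster are allowed only on
        # clusters carrying this Name tag, so an untagged copy could not be removed.
        redshift.create_tags(
            ResourceName=f"arn:aws:redshift:{REGION}:{ACCOUNT_ID}:cluster:{names['cluster_id']}",
            Tags=[{"Key": "Name", "Value": names["name_tag"]}])
        scan_fn(names["cluster_id"])  # step 3
    finally:
        # Step 4: drop the copy without a final snapshot, then its subnet group
        # (real run: wait on get_waiter("cluster_deleted") in between).
        if restored:
            redshift.delete_cluster(ClusterIdentifier=names["cluster_id"],
                                    SkipFinalClusterSnapshot=True)
        redshift.delete_cluster_subnet_group(ClusterSubnetGroupName=names["subnet_group"])
    return snap["SnapshotIdentifier"]


class RecordingRedshift:
    """Constructed stand-in for boto3.client('redshift'): records each call and
    answers describe_cluster_snapshots from the snapshot list it was given."""

    def __init__(self, snapshots):
        self.snapshots, self.calls = snapshots, []

    def describe_cluster_snapshots(self, **kw):
        self.calls.append(("describe_cluster_snapshots", kw))
        return {"Snapshots": [s for s in self.snapshots
                              if s["ClusterIdentifier"] == kw["ClusterIdentifier"]]}

    def __getattr__(self, name):  # every other API call: record it, return {}
        def call(**kw):
            self.calls.append((name, kw))
            return {}
        return call


def _snap(cluster, day, status):  # constructed snapshot record
    return {"ClusterIdentifier": cluster, "SnapshotIdentifier": f"rs:{cluster}-2024-05-{day:02d}",
            "Status": status, "SnapshotCreateTime": datetime(2024, 5, day, tzinfo=timezone.utc)}

# Constructed sample: the newest prod-warehouse snapshot is still being created,
# so the flow must fall back to the newest one that is actually available.
SAMPLE_SNAPSHOTS = [_snap("prod-warehouse", 3, "creating"), _snap("prod-warehouse", 2, "available"),
                    _snap("prod-warehouse", 1, "available"), _snap("other-cluster", 4, "available")]


def demo(snapshots=SAMPLE_SNAPSHOTS):
    """Run the flow against the stand-in; returns (snapshot used, ordered call names)."""
    client = RecordingRedshift(snapshots)
    used = snapshot_scan(client, "prod-warehouse", ["subnet-0a", "subnet-0b"],
                         ["sg-0scan"], lambda cid: None)
    return used, [name for name, _ in client.calls]

if __name__ == "__main__":
    print(demo())
```

The ordering inside snapshot_scan is the point worth checking against the policy: the restored cluster is tagged with Name = Normalyze-<onboarding id> immediately after restore_from_cluster_snapshot returns, because the ModifyCluster and DeleteCluster statement is conditioned on that tag and a copy that never received it would be outside the scanner's own ability to delete. For a real run, replace RecordingRedshift with boto3.client("redshift") and add the cluster_restored and cluster_deleted waiters noted in the comments, since both restore and delete are asynchronous.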