A significant upgrade to Amazon Web Services' (AWS) Redshift managed data warehouse service has been announced, with a focus on bolstering security for its users. The changes, which include disabling public accessibility to data and enabling database encryption by default, have been hailed as a "necessary evolution" by Loris Degioanni, Chief Technology Officer at Sysdig.
The enhancements, which apply to newly created clusters, Redshift Serverless workgroups, and clusters restored from snapshots, are designed to reinforce best practices in data security from the outset. This shift towards more secure defaults is seen as a crucial step in reducing the risk of potential misconfigurations, according to Sirish Chandrasekaran, Vice-President of Redshift.
One of the key changes is the disabling of public accessibility to data, which means that newly created clusters will only be accessible within a customer's virtual private cloud (VPC). If an administrator requires public access, they must explicitly override the default setting. Additionally, database encryption is now enabled by default, with the ability to create unencrypted clusters in the Redshift console removed. AWS will automatically encrypt clusters with an AWS-owned key if no key is specified.
Secure connections are also enforced by default, ensuring that communication between a customer's applications and the Amazon Redshift data warehouse is encrypted to protect the confidentiality and integrity of data in transit. A new default parameter group, "default.redshift-2.0", has been created, with the "require_ssl" parameter set to "true" by default.
Existing customers using custom parameter groups will not be affected by the changes, but AWS recommends updating the "require ssl" value to "true" to enhance the security of connections. The company has also advised customers who create unencrypted clusters using automated scripts or data sharing with unencrypted clusters to review their configurations to avoid potential disruptions.
Industry experts have welcomed the changes, with Degioanni noting that secure configurations are the first line of defense against security threats. He emphasized the importance of continuous monitoring, risk prioritization, and real-time threat detection in addition to strong defaults. Palo Alto Networks has also provided recommendations for Redshift admins, including ensuring proper access control and limiting identity and access roles to only those who need them.
The enhancements to Redshift's security defaults are seen as a significant step forward in promoting a "shift-left" mindset, where security is prioritized from the outset. As Degioanni cautioned, "While cloud providers provide a level of security for their underlying infrastructure and services, organizations remain responsible for protecting their own applications and data under a shared responsibility model."
In conclusion, the new security defaults for AWS Redshift are a welcome development in the ongoing effort to improve cloud security. As the use of cloud services continues to grow, it is essential that providers and users alike prioritize security to protect sensitive data and prevent potential breaches.