mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-01-25 02:08:11 +00:00
chore(aws): enhance metadata for redshift service (#9385)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
This commit is contained in:
committed by GitHub
parent 47532cf498
commit ab4d7e0c19
@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
|||||||
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
|
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
|
||||||
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
|
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
|
||||||
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
|
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
|
||||||
|
- Update AWS Redshift service metadata to new format [(#9385)](https://github.com/prowler-cloud/prowler/pull/9385)
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|||||||
@@ -1,32 +1,38 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_audit_logging",
|
"CheckID": "redshift_cluster_audit_logging",
|
||||||
"CheckTitle": "Check if Redshift cluster has audit logging enabled",
|
"CheckTitle": "Redshift cluster has audit logging enabled",
|
||||||
"CheckType": [],
|
"CheckType": [
|
||||||
|
"Software and Configuration Checks/AWS Security Best Practices",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
||||||
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster:cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "medium",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "Check if Redshift cluster has audit logging enabled",
|
"Description": "Amazon Redshift clusters are evaluated for **database audit logging** that exports connection, user, and user-activity events to Amazon S3 or CloudWatch.",
|
||||||
"Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.",
|
"Risk": "Without audit logs, malicious logins and queries can evade detection, impacting **confidentiality** (data exfiltration), **integrity** (unauthorized user/role changes), and **availability** of investigations due to missing evidence for forensics and incident response.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "",
|
"CLI": "aws redshift enable-logging --cluster-identifier <example_resource_id> --bucket-name <S3_BUCKET_NAME>",
|
||||||
"NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_12#cloudformation",
|
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterType: single-node\n NodeType: dc2.large\n DBName: mydb\n MasterUsername: masteruser\n MasterUserPassword: <PASSWORD>\n # Critical: Enables Redshift audit logging to S3\n LoggingProperties:\n BucketName: <S3_BUCKET_NAME> # Critical: Required to turn on logging\n```",
|
||||||
"Other": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_12",
|
"Other": "1. Open the Amazon Redshift console and go to Clusters\n2. Select the target cluster and open the Properties tab\n3. In Database audit logging, click Edit\n4. Enable logging and select an S3 bucket\n5. Click Save changes",
|
||||||
"Terraform": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_12#terraform"
|
"Terraform": "```hcl\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n node_type = \"dc2.large\"\n master_username = \"masteruser\"\n master_password = \"SuperSecretPassw0rd!\"\n cluster_type = \"single-node\"\n\n logging {\n enable = true # Critical: Turns on audit logging\n bucket_name = \"<S3_BUCKET_NAME>\" # Critical: S3 destination required\n }\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Enable logs. Create an S3 lifecycle policy. Define use cases, metrics and automated responses where applicable.",
|
"Text": "Enable comprehensive **Redshift audit logging** and include user-activity events. Centralize logs in a protected destination, enforce **least privilege** access, retention, and immutability. Implement **alerts** for anomalous connections and queries as part of **defense in depth**.",
|
||||||
"Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_audit_logging"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [
|
"Categories": [
|
||||||
"forensics-ready",
|
"logging",
|
||||||
"logging"
|
"forensics-ready"
|
||||||
],
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
|
|||||||
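Review bot: the new "Terraform" field embeds a literal credential, `master_password = "SuperSecretPassw0rd!"`, while the "NativeIaC" snippet in the same file uses `MasterUserPassword: <PASSWORD>`; swap the literal for the `<PASSWORD>` placeholder so the remediation template never ships a hardcoded password that readers may copy. Also, the new CLI line `aws redshift enable-logging --cluster-identifier <example_resource_id> --bucket-name <S3_BUCKET_NAME>` covers only the S3 destination, although the new Description says logs can go to "Amazon S3 or CloudWatch"; consider mentioning the `--log-destination-type cloudwatch` alternative so the CLI and Description agree.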
@@ -1,30 +1,38 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_automated_snapshot",
|
"CheckID": "redshift_cluster_automated_snapshot",
|
||||||
"CheckTitle": "Check if Redshift Clusters have automated snapshots enabled",
|
"CheckTitle": "Redshift cluster has automated snapshots enabled",
|
||||||
"CheckType": [],
|
"CheckType": [
|
||||||
|
"Software and Configuration Checks/AWS Security Best Practices",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
||||||
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster:cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "high",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "Check if Redshift Clusters have automated snapshots enabled",
|
"Description": "**Amazon Redshift clusters** are evaluated for **automated snapshots** being enabled with a retention period `> 0`, confirming that periodic backups are created and retained.",
|
||||||
"Risk": "If backup is not enabled, data is vulnerable. Human error or bad actors could erase or modify data.",
|
"Risk": "Without **automated snapshots**, clusters lack recent recovery points, degrading **availability** and **integrity**.\n\nAccidental deletion, malicious changes, or failed ETL can cause data loss and prolonged recovery, increasing RPO/RTO and limiting effective forensic analysis.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Redshift.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Redshift.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "",
|
"CLI": "aws redshift modify-cluster --cluster-identifier <example_resource_id> --automated-snapshot-retention-period 1",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Enable automated snapshots for a Redshift cluster\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterType: single-node\n NodeType: <NODE_TYPE>\n DBName: <DB_NAME>\n MasterUsername: <MASTER_USERNAME>\n MasterUserPassword: <MASTER_PASSWORD>\n AutomatedSnapshotRetentionPeriod: 1 # Critical: enables automated snapshots by retaining them for 1 day\n```",
|
||||||
"Other": "",
|
"Other": "1. Open the AWS Console and go to Amazon Redshift\n2. Select your cluster and click Modify\n3. Under Backup, set Automated snapshot retention period to 1 (or greater)\n4. Click Save changes and apply the modification",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Terraform: Enable automated snapshots for a Redshift cluster\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n cluster_type = \"single-node\"\n node_type = \"<NODE_TYPE>\"\n database_name = \"<DB_NAME>\"\n master_username = \"<MASTER_USERNAME>\"\n master_password = \"<MASTER_PASSWORD>\"\n\n automated_snapshot_retention_period = 1 # Critical: enables automated snapshots by retaining them for 1 day\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Enable automated backup for production data. Define a retention period and periodically test backup restoration. A Disaster Recovery process should be in place to govern Data Protection approach",
|
"Text": "Enable **automated snapshots** with retention aligned to RPO/RTO. Enforce **least privilege** on snapshot access and use **encryption**. Regularly test restores and monitor backup health.\n\n*For resilience*, replicate snapshots to another Region/account and separate backup administration from data owners.",
|
||||||
"Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Redshift.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_automated_snapshot"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"resilience"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": ""
|
"Notes": ""
|
||||||
|
|||||||
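Review bot: the CLI and both IaC snippets set the retention period to `1`, which is the floor of the `> 0` condition stated in the Description, while the Recommendation text asks for retention "aligned to RPO/RTO"; a `<RETENTION_DAYS>` placeholder, or a comment saying that 1 is the minimum that passes rather than a recommended value, would keep the remediation consistent with the advice. The Severity change from `medium` to `high` is not explained in the commit message or the CHANGELOG entry; a one-line rationale would help anyone reviewing the metadata later.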
@@ -1,30 +1,39 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_automatic_upgrades",
|
"CheckID": "redshift_cluster_automatic_upgrades",
|
||||||
"CheckTitle": "Check for Redshift Automatic Version Upgrade",
|
"CheckTitle": "Redshift cluster has automatic version upgrade enabled",
|
||||||
"CheckType": [],
|
"CheckType": [
|
||||||
|
"Software and Configuration Checks/Patch Management",
|
||||||
|
"Software and Configuration Checks/AWS Security Best Practices"
|
||||||
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster:cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "high",
|
"Severity": "medium",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "Check for Redshift Automatic Version Upgrade",
|
"Description": "**Amazon Redshift clusters** have automatic major engine upgrades allowed via `AllowVersionUpgrade` so updates are applied during the maintenance window.",
|
||||||
"Risk": "Without automatic version upgrade enabled, a critical Redshift Cluster version can become severly out of date",
|
"Risk": "Without automatic upgrades, clusters can run **vulnerable engine versions**, enabling exploits against known flaws.\n\nAttackers may read or tamper data (**confidentiality/integrity**), and unresolved bugs can cause downtime (**availability**). Delayed patching increases exposure window and operational risk.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-operations.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-modify-redshift-maintenance.html",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-operations.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster_id> --allow-version-upgrade",
|
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster_id> --allow-version-upgrade",
|
||||||
"NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_9#cloudformation",
|
"NativeIaC": "```yaml\n# CloudFormation to ensure Redshift allows major version upgrades\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterType: single-node\n DBName: <db_name>\n MasterUsername: <master_username>\n MasterUserPassword: <master_user_password>\n NodeType: <node_type>\n AllowVersionUpgrade: true # Critical: enables automatic major version upgrades during the maintenance window\n```",
|
||||||
"Other": "",
|
"Other": "1. Open the Amazon Redshift console\n2. Go to Clusters and select your cluster\n3. Click Edit (or Edit maintenance settings)\n4. Enable \"Major version upgrades\" (Allow version upgrade)\n5. Click Save changes",
|
||||||
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/ensure-that-redshift-clusters-allow-version-upgrade-by-default#terraform"
|
"Terraform": "```hcl\n# Redshift cluster allowing automatic major version upgrades\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n node_type = \"<node_type>\"\n master_username = \"<master_username>\"\n master_password = \"<master_user_password>\"\n\n allow_version_upgrade = true # Critical: enables automatic major version upgrades\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Enabled AutomaticVersionUpgrade on Redshift Cluster",
|
"Text": "Enable `AllowVersionUpgrade` to keep clusters patched. Use a controlled maintenance window and an appropriate maintenance track; validate upgrades in staging before production.\n\nAlign with **secure-by-default** and **defense in depth**; keep tested backups and rollback plans. *Document justified exceptions and review regularly*.",
|
||||||
"Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-operations.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_automatic_upgrades"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"vulnerabilities"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": ""
|
"Notes": ""
|
||||||
|
|||||||
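Review bot: the Severity is lowered from `high` to `medium` in this hunk while the new Risk text describes clusters running "vulnerable engine versions, enabling exploits against known flaws"; either keep `high` or state the rationale, since the CHANGELOG entry only says the metadata was moved to the new format. Minor: step 3 of "Other" reads "Click Edit (or Edit maintenance settings)"; use the single label the console shows so the steps are unambiguous.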
@@ -1,29 +1,37 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_encrypted_at_rest",
|
"CheckID": "redshift_cluster_encrypted_at_rest",
|
||||||
"CheckTitle": "Check if Redshift clusters are encrypted at rest.",
|
"CheckTitle": "Redshift cluster is encrypted at rest",
|
||||||
"CheckType": [
|
"CheckType": [
|
||||||
"Software and Configuration Checks/AWS Security Best Practices"
|
"Software and Configuration Checks/AWS Security Best Practices",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||||
|
"Effects/Data Exposure"
|
||||||
],
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster/cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "critical",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "This control checks whether Amazon Redshift clusters are encrypted at rest. The control fails if a Redshift cluster isn't encrypted at rest.",
|
"Description": "**Amazon Redshift clusters** use **encryption at rest**. The evaluation inspects the cluster's encryption setting to determine if on-disk data and snapshots are protected with a managed key.",
|
||||||
"Risk": "Without encryption at rest, sensitive data stored in Redshift clusters is vulnerable to unauthorized access, which could lead to data breaches and regulatory non-compliance.",
|
"Risk": "Without **encryption at rest**, data blocks and snapshots can be read if storage media or backups are accessed by unauthorized parties. This compromises **confidentiality**, enabling bulk **data exfiltration** and exposure of sensitive analytics, which can facilitate further compromise.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html",
|
||||||
|
"https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-10"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster-id> --encrypted --kms-key-id <key-id>",
|
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster-id> --encrypted",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Enable at-rest encryption for a Redshift cluster\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterIdentifier: \"<example_resource_id>\"\n DBName: \"<DB_NAME>\"\n MasterUsername: \"<MASTER_USERNAME>\"\n MasterUserPassword: \"<MASTER_PASSWORD>\"\n NodeType: \"<NODE_TYPE>\"\n ClusterType: \"<CLUSTER_TYPE>\"\n Encrypted: true # Critical: enables encryption at rest to pass the check\n```",
|
||||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-10",
|
"Other": "1. Open the AWS Management Console and go to Amazon Redshift\n2. Choose Clusters, then select your cluster\n3. Open the Properties tab > Database configurations > Edit > Edit encryption\n4. Select Enable encryption (use AWS-managed or a specific KMS key)\n5. Click Save changes",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Terraform: Enable at-rest encryption for a Redshift cluster\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n node_type = \"<NODE_TYPE>\"\n cluster_type = \"<CLUSTER_TYPE>\"\n master_username = \"<MASTER_USERNAME>\"\n master_password = \"<MASTER_PASSWORD>\"\n\n encrypted = true # Critical: enables encryption at rest to pass the check\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Enable encryption at rest for your Redshift clusters using KMS to protect sensitive data from unauthorized access.",
|
"Text": "Enable **encryption at rest** for all clusters and prefer **customer-managed keys** (`CMEK`) for control and auditing. Apply **least privilege** to key usage, rotate keys, and restrict snapshot access and cross-Region copies. Monitor key health and access events as part of **defense-in-depth**.",
|
||||||
"Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_encrypted_at_rest"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [
|
"Categories": [
|
||||||
|
|||||||
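Review bot: the CLI remediation drops the key argument (old: `aws redshift modify-cluster --cluster-identifier <cluster-id> --encrypted --kms-key-id <key-id>`, new: the same without `--kms-key-id`), yet the new Recommendation text says to "prefer customer-managed keys (`CMEK`)". Keep the key as an optional placeholder, e.g. `--kms-key-id <KMS_KEY_ID>`, and mirror it in the IaC snippets (`KmsKeyId` in CloudFormation, `kms_key_id` in Terraform) so the code remediation matches the advice. Also, `CMEK` is Google Cloud terminology; AWS KMS documentation speaks of customer managed keys, so the abbreviation may confuse AWS readers.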
@@ -1,33 +1,40 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_enhanced_vpc_routing",
|
"CheckID": "redshift_cluster_enhanced_vpc_routing",
|
||||||
"CheckTitle": "Check if Redshift clusters are using enhanced VPC routing.",
|
"CheckTitle": "Redshift cluster has Enhanced VPC Routing enabled",
|
||||||
"CheckType": [
|
"CheckType": [
|
||||||
"Software and Configuration Checks/AWS Security Best Practices"
|
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
||||||
],
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster/cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "medium",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled. Enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and data repositories to go through your VPC, allowing you to use VPC security features such as security groups and network access control lists.",
|
"Description": "**Amazon Redshift clusters** are assessed for the `EnhancedVpcRouting` setting, which routes all `COPY` and `UNLOAD` traffic between the cluster and data repositories through the VPC, enabling use of VPC security controls and logging.",
|
||||||
"Risk": "Without enhanced VPC routing, network traffic between the Redshift cluster and data repositories might bypass VPC-level security controls, increasing the risk of unauthorized access or data exfiltration.",
|
"Risk": "**Without enhanced VPC routing**, `COPY`/`UNLOAD` transfers can leave VPC oversight, reducing control and visibility.\n- VPC egress filtering and endpoint policies can be bypassed (confidentiality)\n- Limited flow-log telemetry (visibility)\n- Higher risk of unauthorized exfiltration or tampering (confidentiality, integrity)",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-enabling-cluster.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-7",
|
||||||
|
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/enable-enhanced-vpc-routing.html",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster-id> --enhanced-vpc-routing",
|
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster-id> --enhanced-vpc-routing",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Enable Enhanced VPC Routing on a Redshift cluster\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterIdentifier: <example_resource_name>\n ClusterType: single-node\n NodeType: ra3.xlplus\n DBName: dev\n MasterUsername: <USERNAME>\n MasterUserPassword: <PASSWORD>\n EnhancedVpcRouting: true # Critical: forces COPY/UNLOAD traffic through the VPC\n```",
|
||||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-7",
|
"Other": "1. Open the AWS Console and go to Amazon Redshift\n2. Choose Provisioned clusters, select your cluster\n3. Click Actions > Modify\n4. In Network and security, turn on Enhanced VPC routing\n5. Click Save changes (apply immediately if prompted)",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Terraform: Enable Enhanced VPC Routing on a Redshift cluster\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_name>\"\n cluster_type = \"single-node\"\n node_type = \"ra3.xlplus\"\n master_username = \"<USERNAME>\"\n master_password = \"<PASSWORD>\"\n enhanced_vpc_routing = true # Critical: routes COPY/UNLOAD via VPC\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Enable enhanced VPC routing for your Redshift clusters to enforce network traffic through your VPC and apply additional security controls.",
|
"Text": "Enable `EnhancedVpcRouting` and enforce **least privilege** egress:\n- Prefer private access with VPC endpoints and restrictive policies\n- Constrain outbound paths via security groups, NACLs, and routing\n- Monitor transfers with VPC Flow Logs\n\nThis strengthens **defense in depth** and **zero trust** for data movement.",
|
||||||
"Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/enable-enhanced-vpc-routing.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_enhanced_vpc_routing"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [
|
"Categories": [
|
||||||
"trust-boundaries"
|
"trust-boundaries",
|
||||||
|
"internet-exposed"
|
||||||
],
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
|
|||||||
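Review bot: the CloudFormation and Terraform snippets use `<example_resource_name>` for `ClusterIdentifier` / `cluster_identifier`, while the other files in this PR use `<example_resource_id>` for that value; align the placeholder. The same snippets hardcode `NodeType: ra3.xlplus` and `DBName: dev` where sibling files use `<NODE_TYPE>` / `<DB_NAME>`. Finally, the added `"internet-exposed"` category looks like a stretch for this check: without Enhanced VPC Routing the cluster's `COPY`/`UNLOAD` egress bypasses VPC controls, as the Risk text says, but the cluster itself is not thereby reachable from the internet; `trust-boundaries` alone seems accurate.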
@@ -1,29 +1,36 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_in_transit_encryption_enabled",
|
"CheckID": "redshift_cluster_in_transit_encryption_enabled",
|
||||||
"CheckTitle": "Check if connections to Amazon Redshift clusters are encrypted in transit.",
|
"CheckTitle": "Redshift cluster is encrypted in transit",
|
||||||
"CheckType": [
|
"CheckType": [
|
||||||
"Software and Configuration Checks/AWS Security Best Practices"
|
"Software and Configuration Checks/AWS Security Best Practices",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||||
|
"Effects/Data Exposure"
|
||||||
],
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster/cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "high",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The control fails if the Redshift cluster parameter 'require_SSL' isn't set to True.",
|
"Description": "**Amazon Redshift clusters** enforce **encryption in transit** by requiring **TLS** for client connections when `require_ssl` is enabled.\n\nThis evaluation identifies clusters where connections are not forced to use TLS.",
|
||||||
"Risk": "Without encryption in transit, connections to the Redshift cluster are vulnerable to eavesdropping or person-in-the-middle attacks, exposing sensitive data to unauthorized access.",
|
"Risk": "Allowing plaintext or optional TLS exposes SQL sessions to:\n- **Confidentiality** loss: credentials, queries, and results can be intercepted.\n- **Integrity** compromise: statements or data may be modified in transit.\n- **Availability** impact: session hijacking can disrupt workloads.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/security-encryption-in-transit.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/security-encryption-in-transit.html",
|
||||||
|
"https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-2",
|
||||||
|
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/redshift-parameter-groups-require-ssl.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift modify-cluster-parameter-group --parameter-group-name <group-name> --parameters ParameterName=require_ssl,ParameterValue=true,ApplyType=static",
|
"CLI": "aws redshift modify-cluster-parameter-group --parameter-group-name <example_resource_name> --parameters ParameterName=require_ssl,ParameterValue=true",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Set require_ssl to true in the Redshift parameter group in use\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::ClusterParameterGroup\n Properties:\n Description: Require SSL for Redshift connections\n ParameterGroupFamily: redshift-1.0\n Parameters:\n - ParameterName: require_ssl # CRITICAL: Enforces TLS for client connections\n ParameterValue: true # CRITICAL: Enable SSL requirement\n```",
|
||||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-2",
|
"Other": "1. In the AWS Console, go to Amazon Redshift > Parameter groups\n2. Open the parameter group used by your cluster\n3. Click Edit parameters, set require_ssl to true, and Save\n4. Reboot the cluster to apply the static parameter change",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Set require_ssl to true in the Redshift parameter group used by the cluster\nresource \"aws_redshift_parameter_group\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n family = \"redshift-1.0\"\n\n parameter {\n name = \"require_ssl\" # CRITICAL: Enforces TLS for client connections\n value = \"true\" # CRITICAL: Enable SSL requirement\n }\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Ensure that connections to Amazon Redshift clusters use encryption in transit by setting the 'require_ssl' parameter to True.",
|
"Text": "Require **TLS** for all Redshift connections by setting `require_ssl=true` and disallow plaintext.\n\nConfigure clients to validate certificates and prefer private network paths. Keep drivers/TLS policies current. Apply **least privilege** and **defense in depth** to limit exposure if transport security fails.",
|
||||||
"Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/redshift-parameter-groups-require-ssl.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_in_transit_encryption_enabled"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [
|
"Categories": [
|
||||||
|
|||||||
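Review bot: the CloudFormation and Terraform snippets create a parameter group with `require_ssl` but never attach it to the cluster; without `ClusterParameterGroupName` on the `AWS::Redshift::Cluster` resource (or `cluster_parameter_group_name` on `aws_redshift_cluster`), the cluster keeps its existing parameter group and the check still fails. Also, `require_ssl` is a static parameter: step 4 of "Other" says to reboot, but the CLI and IaC fields do not mention it (the removed `ApplyType=static` was at least a hint), so add that note to the code remediation. In the CloudFormation snippet, `ParameterValue: true` is an unquoted YAML boolean for a String-typed property; quote it as `"true"`, as the Terraform snippet already does.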
@@ -1,31 +1,37 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_multi_az_enabled",
|
"CheckID": "redshift_cluster_multi_az_enabled",
|
||||||
"CheckTitle": "Check if Redshift clusters have Multi-AZ enabled.",
|
"CheckTitle": "Redshift cluster has Multi-AZ enabled",
|
||||||
"CheckType": [],
|
"CheckType": [
|
||||||
|
"Software and Configuration Checks/AWS Security Best Practices"
|
||||||
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster/cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "medium",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "This control checks whether Amazon Redshift clusters have Multi-AZ enabled.",
|
"Description": "**Amazon Redshift clusters** are evaluated for **Multi-AZ deployment** on provisioned `RA3` clusters, confirming compute spans two Availability Zones and is served via a single endpoint.",
|
||||||
"Risk": "Amazon Redshift supports multiple Availability Zones (Multi-AZ) deployments for provisioned RA3 clusters. By using Multi-AZ deployments, your Amazon Redshift data warehouse can continue operating in failure scenarios when an unexpected event happens in an Availability Zone.",
|
"Risk": "Absent **Multi-AZ**, a single-AZ cluster is exposed to AZ or node failures, leading to dropped connections, aborted queries, and stalled ETL/BI jobs. This reduces **availability**, increases RTO, delays analytics, and risks SLA breaches with cascading pipeline backlogs.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-multi-az.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-multi-az.html",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/overview-multi-az.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster-id> --multi-az",
|
"CLI": "aws redshift modify-cluster --cluster-identifier <cluster-id> --multi-az",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Enable Multi-AZ on a Redshift cluster\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterIdentifier: <example_resource_id>\n MultiAZ: true # Critical: enables Multi-AZ so the check passes\n```",
|
||||||
"Other": "",
|
"Other": "1. In the Amazon Redshift console, go to Clusters\n2. Select the target cluster\n3. Choose Actions > Activate Multi-AZ\n4. Confirm and wait until the cluster shows Multi-AZ: Yes",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Enable Multi-AZ on a Redshift cluster\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n multi_az = true # Critical: enables Multi-AZ so the check passes\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Configure Amazon Redshift with Multi-AZ deployments.",
|
"Text": "Enable **Multi-AZ deployments** for provisioned `RA3` clusters to avoid single-AZ dependency. Align designs to **fault tolerance** and **high availability**: provision sufficient capacity, implement client/ETL retries and reconnects, validate failover periodically, and monitor performance and error rates.",
|
||||||
"Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-multi-az.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_multi_az_enabled"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [
|
"Categories": [
|
||||||
"redundancy"
|
"resilience"
|
||||||
],
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
|
|||||||
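Review bot: the Terraform and CloudFormation snippets in this hunk omit the attributes every other check in this change includes (`node_type`, `master_username`, `master_password` / `NodeType`, `MasterUsername`, `MasterUserPassword`), so they do not stand alone, and they say nothing about the constraint the Description itself states: Multi-AZ is only available on provisioned RA3 node types. Suggest adding `node_type = "<example_ra3_node_type>"` with a comment that a non-RA3 cluster must be moved to RA3 before `multi_az = true` will apply, and mirroring that in the CFN `NodeType`. Minor: `ResourceIdTemplate` goes from the cluster ARN to `""` here and in the other four files; if that is the new-format convention it is fine, otherwise keep the ARN template.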
@@ -1,32 +1,39 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_non_default_database_name",
|
"CheckID": "redshift_cluster_non_default_database_name",
|
||||||
"CheckTitle": "Check if Redshift clusters are using the default database name.",
|
"CheckTitle": "Redshift cluster does not use the default database name dev",
|
||||||
"CheckType": [
|
"CheckType": [
|
||||||
"Software and Configuration Checks/AWS Security Best Practices"
|
"Software and Configuration Checks/AWS Security Best Practices",
|
||||||
|
"TTPs/Discovery"
|
||||||
],
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster/cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "low",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "This control checks whether an Amazon Redshift cluster has changed the database name from its default value. The control fails if the database name is set to 'dev'.",
|
"Description": "**Amazon Redshift clusters** are identified when the database name equals the default `dev`, rather than a custom name.",
|
||||||
"Risk": "Using the default database name 'dev' increases the risk of unintended access, as it is publicly known and could be used in IAM policy conditions to inadvertently allow access.",
|
"Risk": "Using the predictable `dev` name weakens **confidentiality** and **integrity**. Mis-scoped IAM or network rules may unintentionally match the database, and known names aid enumeration and targeted connection attempts, increasing the likelihood of unauthorized queries and data exposure.",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-9",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift create-cluster --cluster-identifier <cluster-id> --db-name <new-db-name>",
|
"CLI": "",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Create a Redshift cluster with a non-default DB name\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterType: single-node\n NodeType: <NODE_TYPE>\n MasterUsername: <MASTER_USERNAME>\n MasterUserPassword: <MASTER_PASSWORD>\n DBName: <new-db-name> # Critical: set initial database name to a value other than \"dev\" to pass the check\n```",
|
||||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-9",
|
"Other": "1. In the AWS Management Console, go to Amazon Redshift > Provisioned clusters\n2. Click Create cluster\n3. In Database configurations, set Database name to a value that is not \"dev\"\n4. Complete the wizard and create the cluster\n5. Migrate workloads to the new cluster and delete the old cluster that used the default \"dev\" database name",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Terraform: Redshift cluster with non-default database name\nresource \"aws_redshift_cluster\" \"example\" {\n cluster_identifier = \"<example_resource_id>\"\n node_type = \"<NODE_TYPE>\"\n cluster_type = \"single-node\"\n master_username = \"<MASTER_USERNAME>\"\n master_password = \"<MASTER_PASSWORD>\"\n database_name = \"<new-db-name>\" # Critical: ensure this is not \"dev\" to pass the check\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Create a new Redshift cluster with a unique database name to replace the default 'dev' database name.",
|
"Text": "Use a **unique, non-default database name** per cluster. Define a naming standard that avoids generic values (e.g., `dev`, `test`) and supports **least privilege** by preventing broad policy conditions. Review IAM and network rules to reference only intended, explicit resources.",
|
||||||
"Url": "https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_non_default_database_name"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"vulnerabilities"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": ""
|
"Notes": ""
|
||||||
|
|||||||
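Review bot: the Risk and Recommendation texts say mis-scoped "IAM or network rules may unintentionally match the database"; network rules (security groups, NACLs) match addresses and ports, never a database name, so the "network" part is wrong and should be dropped, leaving the IAM point, which is the real one (the database name is what `redshift:DbName`-style policy conditions and `GetClusterCredentials` scoping key on). Emptying `CLI` also loses the only non-IaC remediation; since the database name is fixed at cluster creation, give a complete create command rather than none, e.g. `aws redshift create-cluster --cluster-identifier <cluster-id> --node-type <node-type> --master-username <username> --master-user-password <password> --db-name <new-db-name>`. Step 5 of `Other` deletes the old cluster; add a final-snapshot step before it. Finally, `vulnerabilities` is an odd Category for a default-name finding; the sibling username check in this change uses `identity-access`.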
@@ -1,32 +1,40 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_non_default_username",
|
"CheckID": "redshift_cluster_non_default_username",
|
||||||
"CheckTitle": "Check if Amazon Redshift clusters are using the default Admin username.",
|
"CheckTitle": "Amazon Redshift cluster does not use the default admin username",
|
||||||
"CheckType": [
|
"CheckType": [
|
||||||
"Software and Configuration Checks/AWS Security Best Practices"
|
"Software and Configuration Checks/AWS Security Best Practices",
|
||||||
|
"TTPs/Initial Access/Unauthorized Access"
|
||||||
],
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster/cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "medium",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "This control checks whether an Amazon Redshift cluster has changed the admin username from its default value. The control fails if the admin username is set to 'awsuser'.",
|
"Description": "**Amazon Redshift clusters** are assessed for use of a **non-default admin username**; clusters using the known default `awsuser` are identified.",
|
||||||
"Risk": "Using the default admin username increases the risk of unauthorized access, as default credentials are publicly known and often targeted by attackers.",
|
"Risk": "Default admin names make accounts predictable, enabling username enumeration, password spraying, and brute-force attempts. A takeover can expose warehouse data (**confidentiality**), enable unauthorized queries or schema changes (**integrity**), and disrupt analytics workloads (**availability**).",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/gsg/rs-gsg-prereq.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-8",
|
||||||
|
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/master-username.html",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/gsg/rs-gsg-prereq.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift create-cluster --cluster-identifier <cluster-id> --master-username <new-username> --master-user-password <password>",
|
"CLI": "",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```yaml\n# CloudFormation: Redshift cluster with non-default admin username\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterType: single-node\n NodeType: <example_node_type>\n MasterUsername: <new-username> # Critical: not 'awsuser' to pass the check\n MasterUserPassword: <password>\n```",
|
||||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/redshift-controls.html#redshift-8",
|
"Other": "1. In the Amazon Redshift console, choose Create cluster\n2. Set Admin user name to a value other than awsuser (critical)\n3. Enter the required minimal settings (password, node type) and create the cluster\n4. Migrate data from the old cluster if needed\n5. Delete the old cluster that uses the awsuser admin to remove the failing resource",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n node_type = \"<example_node_type>\"\n cluster_type = \"single-node\"\n master_username = \"<new-username>\" # Critical: not 'awsuser' to pass the check\n master_password = \"<password>\"\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Change the default admin username by creating a new Redshift cluster with a unique admin username.",
|
"Text": "Use a **unique, non-predictable** admin username at creation instead of `awsuser`. Apply **least privilege** by using dedicated roles and limiting superuser use. Enforce strong authentication, rotate credentials, and audit access. *For existing clusters*, create a new one with a unique admin and migrate.",
|
||||||
"Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/master-username.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_non_default_username"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"identity-access"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": ""
|
"Notes": ""
|
||||||
|
|||||||
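Review bot: the `CLI` field is emptied here as well, so a reader without IaC is left with no command; the admin username is fixed at creation, so provide a complete `create-cluster` invocation rather than none, and prefer letting Redshift generate and store the admin password in Secrets Manager (the newer `--manage-master-password` option, `manage_master_password = true` in Terraform) over passing `--master-user-password` on the command line, which lands in shell history and in IaC state. The `Other` steps end by deleting the old `awsuser` cluster; add a final-snapshot step before that. The Description, Risk and `TTPs/Initial Access/Unauthorized Access` CheckType addition read well.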
@@ -1,27 +1,35 @@
|
|||||||
{
|
{
|
||||||
"Provider": "aws",
|
"Provider": "aws",
|
||||||
"CheckID": "redshift_cluster_public_access",
|
"CheckID": "redshift_cluster_public_access",
|
||||||
"CheckTitle": "Check for Publicly Accessible Redshift Clusters",
|
"CheckTitle": "Redshift cluster is not publicly exposed to the Internet",
|
||||||
"CheckType": [],
|
"CheckType": [
|
||||||
|
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
|
||||||
|
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
||||||
|
],
|
||||||
"ServiceName": "redshift",
|
"ServiceName": "redshift",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "arn:aws:redshift:region:account-id:cluster:cluster-name",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "high",
|
"Severity": "critical",
|
||||||
"ResourceType": "AwsRedshiftCluster",
|
"ResourceType": "AwsRedshiftCluster",
|
||||||
"ResourceGroup": "analytics",
|
"ResourceGroup": "analytics",
|
||||||
"Description": "Check for Publicly Accessible Redshift Clusters",
|
"Description": "Amazon Redshift clusters with `publicly accessible` endpoints in **public subnets** and security groups allowing TCP from `0.0.0.0/0` or `::/0` are identified as internet-exposed.\n\nPublic endpoints without internet reachability due to private subnets or restrictive rules are recognized separately.",
|
||||||
"Risk": "Publicly accessible services could expose sensitive data to bad actors.",
|
"Risk": "Internet-exposed Redshift endpoints allow direct DB access from any host, impacting:\n- **Confidentiality**: credential brute force, unauthorized queries, data exfiltration\n- **Integrity**: unauthorized writes or schema changes\n- **Availability**: scanning/abuse leading to connection exhaustion or disruption",
|
||||||
"RelatedUrl": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://docs.aws.amazon.com/de_de/redshift/latest/mgmt/rs-ra3-VPC-public-private.html",
|
||||||
|
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Redshift/redshift-cluster-publicly-accessible.html",
|
||||||
|
"https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "aws redshift modify-cluster --cluster-identifier <CLUSTER_ID> --no-publicly-accessible",
|
"CLI": "aws redshift modify-cluster --cluster-identifier <CLUSTER_ID> --no-publicly-accessible",
|
||||||
"NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_9#cloudformation",
|
"NativeIaC": "```yaml\n# CloudFormation: Redshift cluster not publicly accessible\nResources:\n <example_resource_name>:\n Type: AWS::Redshift::Cluster\n Properties:\n ClusterType: single-node\n DBName: <example_db_name>\n MasterUsername: <example_username>\n MasterUserPassword: <example_password>\n NodeType: dc2.large\n PubliclyAccessible: false # Critical: disables public access to prevent Internet exposure\n```",
|
||||||
"Other": "https://docs.prowler.com/checks/aws/public-policies/public_9",
|
"Other": "1. Open the AWS Management Console and go to Amazon Redshift\n2. Select your cluster\n3. Click Edit (or Actions > Modify)\n4. Set Publicly accessible to Off/No\n5. Save changes and apply the modification",
|
||||||
"Terraform": "https://docs.prowler.com/checks/aws/public-policies/public_9#terraform"
|
"Terraform": "```hcl\n# Redshift cluster not publicly accessible\nresource \"aws_redshift_cluster\" \"<example_resource_name>\" {\n cluster_identifier = \"<example_resource_id>\"\n node_type = \"dc2.large\"\n cluster_type = \"single-node\"\n master_username = \"<example_username>\"\n master_password = \"<example_password>\"\n\n publicly_accessible = false # Critical: disables public access to prevent Internet exposure\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "List all shared Redshift clusters and make sure there is a business reason for them.",
|
"Text": "Prefer **private connectivity**: disable public access, place clusters in private subnets, and apply **least privilege** security groups limited to trusted CIDRs or VPC sources. Use **defense in depth** with VPN/peering/endpoints, strong authentication, and monitoring. Avoid `0.0.0.0/0` or `::/0` to database ports.",
|
||||||
"Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html"
|
"Url": "https://hub.prowler.com/check/redshift_cluster_public_access"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [
|
"Categories": [
|
||||||
|
|||||||
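Review bot: `AdditionalURLs` links the German-locale copy of the docs (`https://docs.aws.amazon.com/de_de/redshift/latest/mgmt/rs-ra3-VPC-public-private.html`); drop the `de_de/` segment so it resolves to the English page like the other URLs in this file. Second, the Description says the check also weighs subnet placement and security-group ingress from `0.0.0.0/0` or `::/0`, but the remediation only flips `publicly_accessible`; a public endpoint is reachable by whatever the security group allows, so add a line to `Other` and the Recommendation about removing the open ingress rule on the cluster port as well. The sentence "Public endpoints without internet reachability ... are recognized separately" does not say what the check reports for them (a PASS with a different message?); state the outcome. Minor: step 3 of `Other`, "Click Edit (or Actions > Modify)", should name the actual console action for the publicly accessible setting.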