
Deferred Maintenance

Reliability
Risk level: Medium (should be achieved)
Rule ID: RS-024

Ensure that deferred maintenance is enabled for all your AWS Redshift clusters in order to keep your data warehouse running without interruption during critical business periods. The Amazon Redshift service gives you the option to defer maintenance for your clusters by up to 14 days.


This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

If your organization runs mission-critical workloads on Amazon Redshift, you might want to defer scheduled maintenance from a period of high business activity to a less busy interval. With the Deferred Maintenance feature you can postpone scheduled maintenance by up to 14 days. During this time, AWS Redshift does not apply any software updates.

Note: The deferred maintenance period is overridden if a mandatory hardware replacement is scheduled on your Redshift cluster. In this case you will get an event notification via the AWS Management Console and the available SNS subscription.

Audit

To determine if your Amazon Redshift clusters have deferred maintenance enabled, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine, then click on its identifier/name (link), listed in the Cluster column.

05 On the selected cluster Configuration tab, in the Backup, Audit Logging, and Maintenance section, verify the Defer maintenance configuration attribute value. If the attribute does not have a value (i.e. a time frame) assigned and a Set it now link is displayed instead, the Deferred Maintenance feature is not enabled for the selected Amazon Redshift cluster.

06 Repeat steps no. 4 and 5 to verify the feature for other Redshift clusters available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all AWS Redshift clusters currently available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--output table \
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

--------------------------
|    DescribeClusters    |
+------------------------+
|  cc-warehouse-cluster  |
|  cc-project5-cluster   |
+------------------------+ 

03 Run the describe-clusters command (OSX/Linux/UNIX) again, using the name of the cluster that you want to examine as identifier and custom query filters to describe the details of the deferred maintenance window set for the selected cluster:

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-warehouse-cluster \
	--query 'Clusters[*].DeferredMaintenanceWindows[]'

04 The command output should return an array with the requested configuration details:

[
   []
]

If the returned output is an empty array, i.e. [], the Deferred Maintenance feature is not enabled for the selected Amazon Redshift cluster, and therefore routine maintenance is not suspended during critical business periods.

05 Repeat steps no. 3 and 4 to determine the deferred maintenance window configuration (if any) for other Redshift clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
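The CLI audit above can be run over a whole region at once by saving the full `aws redshift describe-clusters --output json` response and classifying every cluster in it. The script below is an added example, not Cloud Conformity's own code: the status names, the EXPIRED and SCHEDULED checks, and the `example-old-cluster` entry are assumptions made for illustration, and the sample JSON is constructed from the field names shown on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `aws redshift describe-clusters --output json`;
# two cluster names are the page's examples, example-old-cluster is invented.
SAMPLE = """
{"Clusters": [
  {"ClusterIdentifier": "cc-warehouse-cluster",
   "DeferredMaintenanceWindows": [
     {"DeferMaintenanceIdentifier": "dfm-AABBCCDDAABBCCDDAABB",
      "DeferMaintenanceStartTime": "2019-01-24T12:00:00Z",
      "DeferMaintenanceEndTime": "2019-01-31T12:00:00Z"}]},
  {"ClusterIdentifier": "cc-project5-cluster",
   "DeferredMaintenanceWindows": []},
  {"ClusterIdentifier": "example-old-cluster",
   "DeferredMaintenanceWindows": [
     {"DeferMaintenanceIdentifier": "dfm-EXAMPLE",
      "DeferMaintenanceStartTime": "2019-01-01T00:00:00Z",
      "DeferMaintenanceEndTime": "2019-01-08T00:00:00Z"}]}
]}
"""

def parse_utc(value):
    """Parse the CLI's ISO 8601 UTC timestamps, e.g. 2019-01-24T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def window_state(window, now):
    start = parse_utc(window["DeferMaintenanceStartTime"])
    end = parse_utc(window["DeferMaintenanceEndTime"])
    if end <= now:
        return "EXPIRED"  # assumed extra check: a window that no longer defers anything
    return "ACTIVE" if start <= now else "SCHEDULED"

def audit(describe_clusters_json, now):
    """Map each cluster identifier to its deferred-maintenance status."""
    rank = {"EXPIRED": 0, "SCHEDULED": 1, "ACTIVE": 2}
    report = {}
    for cluster in json.loads(describe_clusters_json).get("Clusters", []):
        windows = cluster.get("DeferredMaintenanceWindows") or []
        states = [window_state(w, now) for w in windows]
        # An empty array is the failing condition described in the audit steps.
        report[cluster["ClusterIdentifier"]] = (
            max(states, key=rank.get) if states else "NOT_ENABLED")
    return report

if __name__ == "__main__":
    now = datetime(2019, 1, 25, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for name, status in audit(SAMPLE, now).items():
        print(f"{name}: {status}")
```

To audit a live region, replace SAMPLE with the saved CLI output for that region and pass the current UTC time as `now`.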

Remediation / Resolution

To modify your Amazon Redshift clusters configuration in order to enable and configure deferred maintenance, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the AWS Redshift cluster that you want to modify (see Audit section part I to identify the right resource), then click on its name (link) listed in the Cluster column.

05 On the selected cluster Configuration tab, click the Cluster dropdown button from the dashboard top menu and select Modify.

06 Inside the Modify cluster dialog box, select the Maintenance settings tab and within Maintenance window settings section, perform the following actions:

  1. Select Defer maintenance checkbox to enable the feature and show its configuration panel.
  2. Use From and To datepicker forms to set the start and the end of the time period when you don’t want maintenance actions performed.
  3. Once the preferred deferred maintenance window is configured, click Modify to apply the configuration changes.

07 Repeat steps no. 4 – 6 to enable and configure deferred maintenance for other Redshift clusters provisioned within the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the modify-cluster-maintenance command (OSX/Linux/UNIX) using the name of the cluster that you want to modify as identifier (see Audit section part II to identify the right Redshift resource) to enable and configure the Deferred Maintenance feature for the specified Amazon Redshift cluster. Use the --defer-maintenance-start-time and --defer-maintenance-end-time parameters to define your own deferred maintenance window (UTC time):

aws redshift modify-cluster-maintenance \
	--region us-east-1 \
	--cluster-identifier cc-warehouse-cluster \
	--defer-maintenance \
	--defer-maintenance-start-time 2019-01-24T12:00:00Z \
	--defer-maintenance-end-time 2019-01-31T12:00:00Z

02 The command output should return the metadata available for the selected AWS Redshift cluster:

{
    "Cluster": {
        "PubliclyAccessible": true,
        "MasterUsername": "cc_wh_user",
        "NumberOfNodes": 2,
        "VpcId": "vpc-abcd1234",
        "ClusterVersion": "1.0",
        "ManualSnapshotRetentionPeriod": -1,
        "AutomatedSnapshotRetentionPeriod": 1,
        "DBName": "cc_wh_db",
        "PreferredMaintenanceWindow": "tue:06:00-tue:06:30",
 
        ...
 
        "DeferredMaintenanceWindows": [
            {
                "DeferMaintenanceStartTime": "2019-01-24T12:00:00Z",
                "DeferMaintenanceIdentifier": "dfm-AABBCCDDAABBCCDDAABB",
                "DeferMaintenanceEndTime": "2019-01-31T12:00:00Z"
            }
        ],
 
        ...
 
        "AllowVersionUpgrade": true,
        "MaintenanceTrackName": "current",
        "ClusterCreateTime": "2019-01-23T11:51:34.880Z",
        "ClusterSubnetGroupName": "default",
        "EnhancedVpcRouting": false,
        "ClusterIdentifier": "cc-warehouse-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "dc2.large",
        "ClusterStatus": "available"
    }
}

03 Repeat steps no. 1 and 2 to enable and configure deferred maintenance for other Redshift clusters provisioned in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

Publication date Jan 29, 2019
