Ensure Redshift cluster is not publicly accessible

ID

redshift_cluster_public_access

Severity

critical

Vendor

AWS

Resource

Redshift

Tags

reachable

Description

An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster. Each cluster runs an Amazon Redshift engine and contains one or more databases.

Keeping the Redshift cluster confined to its VPC is the preferable option from a security perspective.

Public access to a Redshift cluster can increase the opportunity for malicious activity such as SQL injections or Distributed Denial of Service (DDoS) attacks.

Examples

CloudFormation

{
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": "MasterUserPassword",
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Encrypted": true,
        "PubliclyAccessible": true (1)
      }
    }
  }
}
1 PubliclyAccessible set to true means the Redshift cluster is publicly accessible.

Resources:
  RedshiftCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Encrypted: true
      PubliclyAccessible: true (1)
1 PubliclyAccessible set to true means the Redshift cluster is publicly accessible.

Terraform

resource "aws_redshift_cluster" "example" {
  cluster_identifier                  = "example"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  publicly_accessible                 = true  (1)

}
1 Ensure the publicly_accessible attribute is specified and set to false.
The default value is true when none is specified.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": "MasterUserPassword",
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Encrypted": true,
        "PubliclyAccessible": false (1)
      }
    }
  }
}
1 PubliclyAccessible set to false means the Redshift cluster is not publicly accessible.

Resources:
  RedshiftCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Encrypted: true
      PubliclyAccessible: false (1)
1 PubliclyAccessible set to false means the Redshift cluster is not publicly accessible.

Terraform

resource "aws_redshift_cluster" "example" {
  cluster_identifier                  = "example"
  availability_zone                   = data.aws_availability_zones.available.names[0]
  database_name                       = "mydb"
  node_type                           = "dc2.large"
  automated_snapshot_retention_period = 0
  allow_version_upgrade               = false
  skip_final_snapshot                 = true
  publicly_accessible                 = false  (1)
}
1 Ensure the publicly_accessible attribute is not set to true.

Runtime

AWS Console

To modify public access to the cluster, go to the AWS Console:

  • In the navigation pane, choose Redshift.

  • Select the cluster name.

  • Click Cluster and then select Modify.

  • Ensure the value for Publicly Accessible is set to No.
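As an added example that is not part of this policy page, the following Python check evaluates the same condition at build time over a CloudFormation template parsed as JSON and at runtime over a DescribeClusters response (the shape boto3's redshift.describe_clusters() returns; both sample inputs below are constructed). Treating an unspecified PubliclyAccessible property as its own finding is this check's choice, not a statement about the property's default.

```python
import json

# Constructed CloudFormation template: one public, one private, one unspecified
# Redshift cluster plus an unrelated resource the check must skip.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "PublicCluster":  {"Type": "AWS::Redshift::Cluster",
                       "Properties": {"DBName": "mydb", "PubliclyAccessible": true}},
    "PrivateCluster": {"Type": "AWS::Redshift::Cluster",
                       "Properties": {"DBName": "mydb", "PubliclyAccessible": "false"}},
    "DefaultCluster": {"Type": "AWS::Redshift::Cluster",
                       "Properties": {"DBName": "mydb"}},
    "Bucket":         {"Type": "AWS::S3::Bucket"}
  }
}""")

# Constructed DescribeClusters response, reduced to the fields the check reads;
# in practice this dict comes from boto3.client("redshift").describe_clusters().
SAMPLE_DESCRIBE = {"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "PubliclyAccessible": True},
    {"ClusterIdentifier": "analytics-dev", "PubliclyAccessible": False},
]}


def check_cloudformation(template: dict) -> dict:
    """Buildtime check. Returns {logical_id: verdict} for every
    AWS::Redshift::Cluster: FAIL when PubliclyAccessible is true, PASS when it
    is explicitly false, UNSPECIFIED when the property is absent (this check's
    own choice: require the value to be written down rather than rely on a
    tool default)."""
    verdicts = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Redshift::Cluster":
            continue
        value = resource.get("Properties", {}).get("PubliclyAccessible")
        if value is None:
            verdicts[logical_id] = "UNSPECIFIED"
        # CloudFormation accepts booleans as JSON true/false or as strings.
        elif str(value).lower() == "true":
            verdicts[logical_id] = "FAIL"
        else:
            verdicts[logical_id] = "PASS"
    return verdicts


def public_clusters(describe_response: dict) -> list:
    """Runtime check. Returns identifiers of deployed clusters whose
    PubliclyAccessible flag is true."""
    return [c["ClusterIdentifier"] for c in describe_response.get("Clusters", [])
            if c.get("PubliclyAccessible") is True]
```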