Ensure AWS Redshift clusters are not publicly accessible

AWS Redshift clusters should not be defined with a public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.

Risk Level: Critical
Cloud Entity: Amazon Redshift
CloudGuard Rule ID: D9.AWS.NET.51
Covered by Spectral: Yes
Category: Database

GSL LOGIC

Redshift should not have isPublic=true

REMEDIATION

From Portal

  1. Sign in to the AWS console.
  2. In the console, select the specific region.
  3. Navigate to the 'Redshift' service.
  4. Click the identified Redshift cluster name.
  5. In the top menu, click 'Cluster' and choose 'Actions'.
  6. Click the 'Modify Publicly accessible setting' option.
  7. Choose the 'enable' option and click 'save changes'.

From TF

resource "aws_redshift_cluster" "test" {
	cluster_identifier  = "tf-redshift-cluster"
	database_name       = "mydb"
	master_username     = "foo"
	master_password     = "Mustbe8characters"
	node_type           = "dc1.large"
	cluster_type        = "single-node"
	# Add this argument: the provider defaults publicly_accessible to true.
	publicly_accessible = false
}

From Command Line
To disable 'Publicly-accessible', run:

aws redshift modify-cluster --region us-east-1 --cluster-identifier redshift-cluster-1 --no-publicly-accessible
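The GSL check above (isPublic=true) and the CLI remediation can be scripted together. The following is an added example, not CloudGuard's own code: it evaluates the JSON that `aws redshift describe-clusters` returns (the `ClusterIdentifier`, `PubliclyAccessible` and `Endpoint` field names are the real API ones; the cluster values below are constructed) and emits the `modify-cluster` command for every non-compliant cluster.

```python
import json
from typing import Any

# Constructed sample in the shape of `aws redshift describe-clusters` output.
# Values are made up for this example; only the field names are real.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "redshift-cluster-1", "ClusterStatus": "available",
         "PubliclyAccessible": True, "VpcId": "vpc-0123456789abcdef0",
         "Endpoint": {"Address": "redshift-cluster-1.example.us-east-1.redshift.amazonaws.com",
                      "Port": 5439}},
        {"ClusterIdentifier": "analytics-private", "ClusterStatus": "available",
         "PubliclyAccessible": False, "VpcId": "vpc-0123456789abcdef0",
         "Endpoint": {"Address": "analytics-private.example.us-east-1.redshift.amazonaws.com",
                      "Port": 5439}},
    ]
})


def find_public_clusters(describe_output: str) -> list[dict[str, Any]]:
    """Return one finding per cluster that violates D9.AWS.NET.51 (PubliclyAccessible == true).

    Only an explicit boolean True counts as public; a missing key is treated as
    not public so that partial or hand-edited input does not produce false findings.
    """
    clusters = json.loads(describe_output).get("Clusters", [])
    findings = []
    for cluster in clusters:
        if cluster.get("PubliclyAccessible") is True:
            endpoint = cluster.get("Endpoint", {})
            findings.append({
                "rule_id": "D9.AWS.NET.51",
                "cluster_identifier": cluster["ClusterIdentifier"],
                # The public endpoint is what the finding actually exposes.
                "endpoint": f"{endpoint.get('Address')}:{endpoint.get('Port')}",
            })
    return findings


def remediation_commands(findings: list[dict[str, Any]], region: str) -> list[str]:
    """Build the CLI remediation from this page for each finding."""
    return [
        f"aws redshift modify-cluster --region {region} "
        f"--cluster-identifier {f['cluster_identifier']} --no-publicly-accessible"
        for f in findings
    ]


if __name__ == "__main__":
    hits = find_public_clusters(SAMPLE_DESCRIBE_CLUSTERS)
    for finding in hits:
        print(f"{finding['rule_id']}: {finding['cluster_identifier']} is public at {finding['endpoint']}")
    for command in remediation_commands(hits, "us-east-1"):
        print(command)
```

Against a live account, feed the script the output of `aws redshift describe-clusters --region <region>` instead of the constructed sample; review the generated commands before running them, since turning off public access drops any clients that connect over the public endpoint.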

References

  1. https://aws.amazon.com/premiumsupport/knowledge-center/redshift-cluster-private-public/

Amazon Redshift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution. Most results come back in seconds. With Amazon Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth the cost of traditional solutions.

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset