
Redshift Cluster Default Port

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: RS-017

Ensure that your AWS Redshift database clusters are not using their default endpoint port (i.e. 5439) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
Changing the default port number for Redshift database clusters is a basic security measure and does not completely secure the clusters from port scanning and network attacks. To implement advanced Redshift database security, you should look into security measures such as restricting public access, controlling cluster access through security groups and Network Access Control Lists (NACLs), and encrypting the client connections to the database clusters using SSL.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Running your Redshift database clusters on the default port represents a potential security concern. Replacing the default port number (5439) with a custom one will add an extra layer of security, helping to protect your publicly accessible Amazon Redshift clusters from non-targeted brute-force and dictionary attacks.


Audit

To determine if your existing Redshift database clusters are using their default port (i.e. port on which the Redshift databases accept connections), perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine then click on its identifier/name link, listed in the Cluster column.

05 On the selected cluster configuration page, in the Cluster Database Properties section, verify the Port attribute value. If the database port number is set to 5439, the selected Amazon Redshift cluster is not using a non-default port for database access and is therefore exposed to brute-force and dictionary attacks. To change your Redshift database cluster endpoint port, follow the steps outlined in the Remediation/Resolution section.

06 Repeat steps no. 4 and 5 to verify the port number for other Redshift database clusters provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all Redshift clusters available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--output table \
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

------------------------
|   DescribeClusters   |
+----------------------+
| cc-redshift-cluster  |
| project5-db-cluster  |
+----------------------+

03 Run the describe-clusters command (OSX/Linux/UNIX) again, using the name of the cluster that you want to examine as the identifier and custom query filters to expose the endpoint port number used by the selected AWS Redshift database cluster:

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster \
	--query 'Clusters[*].Endpoint.Port'

04 The command output should return the requested port number:

[
    5439
]

If the command output returns the default port number, i.e. 5439, the selected Amazon Redshift cluster is not using a non-default port for database access and is therefore exposed to brute-force and dictionary attacks.

05 Repeat steps no. 3 and 4 to check the database port number for other AWS Redshift clusters provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
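The CLI steps above check one cluster in one region at a time. The following script is an added example (it is not part of the Conformity page and not Conformity's own tooling) that applies the same check to every cluster returned by describe-clusters and, beyond what the page shows, ranks each finding by whether the cluster is also publicly accessible, since that is the exposure the rule is concerned with. The audit logic is a pure function over the describe-clusters JSON document, so it runs offline against the constructed sample below; the collect_regions helper assumes boto3 is installed and AWS credentials are configured, and is only used for a live account.

```python
"""Audit Amazon Redshift clusters for the default endpoint port (5439).

Added example, not from the Conformity page. `find_default_port_clusters`
works over the JSON returned by `aws redshift describe-clusters` (or the
equivalent boto3 call); `collect_regions` (boto3 assumed) fetches that
document from every region boto3 knows for the partition.
"""
import json

DEFAULT_PORT = 5439


def classify(cluster, default_port=DEFAULT_PORT):
    """Return (uses_default_port, severity) for one cluster record.

    Clusters still being created may have no Endpoint yet; they are treated
    as "pass" and should be re-checked once available.
    """
    port = cluster.get("Endpoint", {}).get("Port")
    if port != default_port:
        return False, "pass"
    # A cluster reachable from the internet on the well-known port is the
    # case the rule is really about; a private one is a lower-priority finding.
    if cluster.get("PubliclyAccessible"):
        return True, "high"
    return True, "low"


def find_default_port_clusters(describe_output, region, default_port=DEFAULT_PORT):
    """Return a list of finding dicts for clusters using the default port."""
    findings = []
    for cluster in describe_output.get("Clusters", []):
        uses_default, severity = classify(cluster, default_port)
        if uses_default:
            findings.append({
                "region": region,
                "cluster": cluster["ClusterIdentifier"],
                "port": cluster["Endpoint"]["Port"],
                "publicly_accessible": bool(cluster.get("PubliclyAccessible")),
                "severity": severity,
            })
    return findings


def collect_regions(session=None):
    """Yield (region, describe-clusters document) for each Redshift region.

    boto3 is imported lazily so the audit logic above stays usable without it.
    The paginator handles the 100-clusters-per-call limit; opt-in regions that
    are not enabled for the account fail the API call and are reported as such.
    """
    import boto3  # assumption: boto3 installed, credentials configured
    from botocore.exceptions import ClientError
    session = session or boto3.session.Session()
    for region in session.get_available_regions("redshift"):
        client = session.client("redshift", region_name=region)
        clusters = []
        try:
            for page in client.get_paginator("describe_clusters").paginate():
                clusters.extend(page["Clusters"])
        except ClientError as exc:
            yield region, {"Clusters": [], "error": str(exc)}
            continue
        yield region, {"Clusters": clusters}


# Constructed sample mirroring the describe-clusters shape shown on the page:
# a public cluster still on 5439, a cluster already moved to 5640, and a
# private cluster on 5439. Hostnames are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "Clusters": [
    {"ClusterIdentifier": "cc-redshift-cluster", "PubliclyAccessible": true,
     "Endpoint": {"Port": 5439, "Address": "cc-redshift-cluster.example.us-east-1.redshift.amazonaws.com"}},
    {"ClusterIdentifier": "project5-db-cluster", "PubliclyAccessible": true,
     "Endpoint": {"Port": 5640, "Address": "project5-db-cluster.example.us-east-1.redshift.amazonaws.com"}},
    {"ClusterIdentifier": "internal-reporting", "PubliclyAccessible": false,
     "Endpoint": {"Port": 5439, "Address": "internal-reporting.example.us-east-1.redshift.amazonaws.com"}}
  ]
}
""")


if __name__ == "__main__":
    # Offline run over the constructed sample; for a live account iterate
    # collect_regions() and call find_default_port_clusters on each document.
    for finding in find_default_port_clusters(SAMPLE_DESCRIBE_OUTPUT, "us-east-1"):
        print("{severity:>4}  {region}  {cluster}  port={port}  public={publicly_accessible}"
              .format(**finding))
```

Against the constructed sample the script reports cc-redshift-cluster as a high-severity finding (default port and publicly accessible) and internal-reporting as low; project5-db-cluster passes. The severity split is an addition of this example, not part of the rule's own Low risk level, and is meant to help prioritise which clusters to move first.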

Remediation / Resolution

To change the default port number for your existing Amazon Redshift database clusters, perform the following steps:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Select the Redshift cluster that you want to reconfigure then click on its identifier link, listed in the Cluster column.

05 Click the Backup dropdown button from the dashboard top menu and select Take Snapshot.

06 On the Create Snapshot dialog box, enter a unique name for your database cluster snapshot in the Snapshot Identifier box then click Create to build the snapshot. The process could take several minutes. Once the snapshot is created it will appear on your Redshift Snapshots page.

07 In the navigation panel, under Redshift Dashboard, click Snapshots.

08 Select the Amazon Redshift cluster snapshot created at step no. 6.

09 Click the Actions dropdown button from the dashboard top menu and select Restore From Snapshot.

10 Within Restore Cluster From Snapshot dialog box, perform the following actions:

  1. In the Cluster Identifier box, enter a unique name for the new (reconfigured) Redshift cluster.
  2. Change the default database port number available inside the Port box with a custom port number.
  3. Configure the rest of the options (Node Type, Cluster Parameter Group, Availability Zone, VPC Security Groups, etc.) based on the configuration information taken from the existing database cluster.
  4. Click Restore to create the new Redshift database cluster.

11 As soon as the build process is complete, update your application configuration to refer to the new cluster endpoint, e.g. cc-redshift-cluster-v2.dyupsgvyjhfo.us-east-1.redshift.amazonaws.com.

12 Once the Redshift cluster endpoint is changed within your application configuration, it’s safe to remove the source (old) Redshift cluster from your AWS account by performing the following actions:

  1. In the navigation panel, under Redshift Dashboard, click Clusters.
  2. Choose the Redshift cluster that you want to remove then click on its identifier link listed in the Cluster column.
  3. On the selected cluster Configuration tab, click the Cluster dropdown button from the dashboard main menu then select Delete.
  4. Inside the Delete Cluster dialog box, enter a unique name for the final snapshot in the Snapshot name box then click Delete to confirm the action. Once the snapshot is created, the removal process for the selected cluster begins.

13 Repeat steps no. 4 - 12 to change the database endpoint port for other AWS Redshift clusters provisioned in the current region.

14 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) to describe the configuration information for the Amazon Redshift cluster that you want to reconfigure (see Audit section part II to identify the right cluster):

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster

02 The command output should return the requested configuration information which will be useful later when the new Redshift cluster will be launched:

{
    "Clusters": [
        {
            "PubliclyAccessible": true,
            "MasterUsername": "ccclusterusr",
            "VpcSecurityGroups": [
                {
                    "Status": "active",
                    "VpcSecurityGroupId": "sg-541e2e7b"
                }
            ],
            "ClusterPublicKey": "ssh-rsa AAAAB3NzaC ... ",
            "NumberOfNodes": 1,
            "PendingModifiedValues": {},
            "VpcId": "vpc-d731653f",
            "ClusterVersion": "1.0",
            "Tags": [],
            "AutomatedSnapshotRetentionPeriod": 1,
            "ClusterParameterGroups": [
                {
                    "ParameterGroupName": "default.redshift-1.0",
                    "ParameterApplyStatus": "in-sync"
                }
            ],
            "DBName": "ccclusterdb",
            "PreferredMaintenanceWindow": "fri:03:00-fri:03:30",
            "Endpoint": {
                "Port": 5439,
                "Address": "cc-redshift-cluster.cmfpsgvyjhfo ... "
            },
            "IamRoles": [],
            "AllowVersionUpgrade": true,
            "ClusterCreateTime": "2017-01-12T17:44:12.654Z",
            "ClusterSubnetGroupName": "default",
            "ClusterSecurityGroups": [],
            "ClusterIdentifier": "cc-redshift-cluster",
            "ClusterNodes": [
                {
                    "NodeRole": "SHARED",
                    "PrivateIPAddress": "172.31.43.56",
                    "PublicIPAddress": "52.3.14.122"
                }
            ],
            "AvailabilityZone": "us-east-1a",
            "NodeType": "ds2.xlarge",
            "Encrypted": false,
            "ClusterRevisionNumber": "1106",
            "ClusterStatus": "available"
        }
    ]
}

03 Run create-cluster-snapshot command (OSX/Linux/UNIX) to create a manual snapshot of the existing Redshift database cluster:

aws redshift create-cluster-snapshot \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster \
	--snapshot-identifier cc-redshift-cluster-v2-snapshot

04 The command output should return the Redshift snapshot configuration metadata:

{
    "Snapshot": {
        "EstimatedSecondsToCompletion": -1,
        "OwnerAccount": "123456789012",
        "CurrentBackupRateInMegaBytesPerSecond": 0.0,
        "ActualIncrementalBackupSizeInMegaBytes": -1.0,
        "NumberOfNodes": 1,
        "Status": "creating",
        "VpcId": "vpc-d731653f",
        "ClusterVersion": "1.0",
        "MasterUsername": "ccclusterusr",
        "TotalBackupSizeInMegaBytes": -1.0,
        "DBName": "ccclusterdb",
        "BackupProgressInMegaBytes": 0.0,
        "ClusterCreateTime": "2017-01-12T17:44:12.654Z",
        "EncryptedWithHSM": false,
        "ClusterIdentifier": "cc-cluster",
        "SnapshotCreateTime": "2017-08-18T18:15:49.041Z",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds2.xlarge",
        "Encrypted": false,
        "ElapsedTimeInSeconds": 0,
        "SnapshotType": "manual",
        "Port": 5439,
        "SnapshotIdentifier": "cc-redshift-cluster-v2-snapshot"
    }
}

05 Run restore-from-cluster-snapshot command (OSX/Linux/UNIX) to create a new Amazon Redshift cluster from the snapshot created at step no. 3, using the configuration information returned at step no. 2 and a different number (e.g. 5640) for the database endpoint port (the chosen port number must be between 1115 and 65535):

aws redshift restore-from-cluster-snapshot \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster-v2 \
	--snapshot-identifier cc-redshift-cluster-v2-snapshot \
	--node-type ds2.xlarge \
	--vpc-security-group-ids sg-541e2e7b \
	--cluster-subnet-group-name default \
	--availability-zone us-east-1a \
	--cluster-parameter-group-name default.redshift-1.0 \
	--publicly-accessible \
	--port 5640

06 The command output should return the metadata of the new Redshift cluster:

{
    "Cluster": {
        "IamRoles": [],
        "ClusterVersion": "1.0",
        "NumberOfNodes": 1,
        "VpcId": "vpc-d731653f",
        "NodeType": "ds2.xlarge",

	   ...

        "ClusterStatus": "creating",
        "ClusterIdentifier": "cc-redshift-cluster-v2",
        "DBName": "ccclusterdb",
        "PreferredMaintenanceWindow": "fri:03:00-fri:03:30",
        "PendingModifiedValues": {}
    }
}

07 Run describe-clusters command (OSX/Linux/UNIX) using the appropriate query filters to expose the new Redshift database cluster endpoint:

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster-v2 \
	--query 'Clusters[*].Endpoint.Address'

08 The command output should return the requested endpoint URL:

[
   "cc-redshift-cluster-v2.dyupsgvyjhfo.us-east-1.redshift.amazonaws.com"
]

09 As soon as the build process is complete, update your application configuration to point to the AWS Redshift database cluster endpoint address returned at step no. 8.

10 Once the Redshift cluster endpoint is changed within your application configuration, you can execute delete-cluster command (OSX/Linux/UNIX) to remove the source cluster from your AWS account:

aws redshift delete-cluster \
	--region us-east-1 \
	--cluster-identifier cc-redshift-cluster \
	--final-cluster-snapshot-identifier cc-redshift-cluster-final-snapshot

11 The command output should return the metadata of the Redshift cluster selected for deletion:

{
    "Cluster": {
        "PubliclyAccessible": true,
        "MasterUsername": "ccclusteruser",
        "PendingModifiedValues": {},
        "VpcId": "vpc-d731653f",
        "ClusterVersion": "1.0",
        "AutomatedSnapshotRetentionPeriod": 1,

	   ...

        "ClusterSubnetGroupName": "default",
        "ClusterSecurityGroups": [],
        "ClusterIdentifier": "cc-redshift-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds2.xlarge",
        "Encrypted": false,
        "ClusterStatus": "final-snapshot"
    }
}

12 Repeat steps no. 1 – 11 to change the database endpoint port for other AWS Redshift clusters available in the current region.

13 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 12 to perform the entire process for other regions.
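Step 05 of the CLI remediation has to be assembled by hand from the describe-clusters output of step 02, which is where copy errors (wrong security group, wrong subnet group, a port that is still 5439) creep in. The script below is an added example, not part of the Conformity page or its tooling: build_restore_args maps the source cluster's record onto the restore-from-cluster-snapshot flags the page uses, validates the new port against the range the page states (1115 to 65535) and rejects the default, and preserves the cluster's public/private setting explicitly instead of leaving it to the service default. The sample cluster record is constructed from the fields shown in the page's step 02 output, with a placeholder hostname.

```python
"""Build the restore-from-cluster-snapshot command for a port change.

Added example, not from the Conformity page. Only flags that appear in the
page's own restore command are emitted; the port range is the one the page
states, not a value looked up elsewhere.
"""
import shlex

DEFAULT_PORT = 5439
PORT_RANGE = (1115, 65535)  # range stated on the page for --port


def validate_port(port):
    """Return port if it is a non-default integer inside PORT_RANGE, else raise."""
    lo, hi = PORT_RANGE
    if not isinstance(port, int) or isinstance(port, bool) or not lo <= port <= hi:
        raise ValueError("port must be an integer between %d and %d" % (lo, hi))
    if port == DEFAULT_PORT:
        raise ValueError("port %d is the default Redshift port; choose another" % port)
    return port


def build_restore_args(cluster, new_identifier, snapshot_identifier, new_port, region):
    """Return the argv list for `aws redshift restore-from-cluster-snapshot`.

    `cluster` is one element of the "Clusters" array from describe-clusters.
    Settings are copied from it so the restored cluster matches the source
    except for the identifier and the port.
    """
    port = validate_port(new_port)
    sg_ids = [sg["VpcSecurityGroupId"] for sg in cluster.get("VpcSecurityGroups", [])]
    pg_names = [pg["ParameterGroupName"] for pg in cluster.get("ClusterParameterGroups", [])]
    args = [
        "aws", "redshift", "restore-from-cluster-snapshot",
        "--region", region,
        "--cluster-identifier", new_identifier,
        "--snapshot-identifier", snapshot_identifier,
        "--node-type", cluster["NodeType"],
        "--cluster-subnet-group-name", cluster["ClusterSubnetGroupName"],
        "--availability-zone", cluster["AvailabilityZone"],
        "--port", str(port),
    ]
    if sg_ids:
        args += ["--vpc-security-group-ids"] + sg_ids
    if pg_names:
        # describe-clusters lists one parameter group; restore takes a single name.
        args += ["--cluster-parameter-group-name", pg_names[0]]
    # State the public/private setting explicitly. The rule text recommends
    # restricting public access as a separate measure, so a private source
    # cluster must not silently come back as a public one.
    args.append("--publicly-accessible" if cluster.get("PubliclyAccessible")
                else "--no-publicly-accessible")
    return args


# Constructed sample: the fields the page's step 02 output shows for
# cc-redshift-cluster, with a placeholder endpoint hostname.
SAMPLE_CLUSTER = {
    "ClusterIdentifier": "cc-redshift-cluster",
    "NodeType": "ds2.xlarge",
    "ClusterSubnetGroupName": "default",
    "AvailabilityZone": "us-east-1a",
    "PubliclyAccessible": True,
    "VpcSecurityGroups": [{"Status": "active", "VpcSecurityGroupId": "sg-541e2e7b"}],
    "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0",
                                "ParameterApplyStatus": "in-sync"}],
    "Endpoint": {"Port": 5439,
                 "Address": "cc-redshift-cluster.example.us-east-1.redshift.amazonaws.com"},
}


if __name__ == "__main__":
    argv = build_restore_args(SAMPLE_CLUSTER, "cc-redshift-cluster-v2",
                              "cc-redshift-cluster-v2-snapshot", 5640, "us-east-1")
    # Print a shell-safe command line to review before running it.
    print(" ".join(shlex.quote(a) for a in argv))
```

Run on the sample, the printed command matches the page's step 05 command (with --publicly-accessible because the source cluster is public). Review the printed line before executing it; the script deliberately does not call the AWS CLI itself.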


Publication date Nov 9, 2018