
Redshift Cluster Publicly Accessible

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RS-001

Ensure Redshift clusters are not publicly accessible to minimise security risks.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When your Amazon Redshift clusters are publicly accessible and have a public IP address, every machine on the Internet can establish a connection to your clusters and this can increase the opportunity for malicious activity such as SQL injections or Distributed Denial of Service (DDoS) attacks.


Audit

To determine if your AWS Redshift clusters can be accessed from a public network, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to examine, then click on its identifier (name) listed in the Cluster column.

05 On the selected cluster configuration page, in the Cluster Database Properties section, verify the Publicly Accessible property status.

If the current status is set to Yes, the selected Redshift cluster is publicly accessible from the Internet and widely exposed to security threats.

06 Repeat steps no. 4 and 5 to verify the public access status for the other Redshift clusters provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all Redshift clusters currently available in the selected region:

aws redshift describe-clusters \
	--region us-east-1 \
	--output table \
	--query 'Clusters[*].ClusterIdentifier'

02 The command output should return a table with the requested cluster names:

----------------------
|  DescribeClusters  |
+--------------------+
|  cc-cluster        |
|  cc-cluster-dev    |
|  cc-cluster-test   |
+--------------------+

03 Run describe-clusters command (OSX/Linux/UNIX) using the name of the cluster that you want to examine as identifier and appropriate filtering to reveal the public access status for the selected Redshift cluster:

aws redshift describe-clusters \
	--region us-east-1 \
	--cluster-identifier cc-cluster \
	--query 'Clusters[*].PubliclyAccessible'

04 The command output should return the access configuration status (true for enabled and false for disabled):

[
    true
]

If the returned value is true, the selected Redshift cluster can be accessed from a public network and is therefore exposed to security threats.

05 Repeat steps no. 3 and 4 for each Redshift cluster available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To modify the configuration of your Amazon Redshift clusters so that public traffic is disabled and the clusters are accessible only privately, from within your VPC, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Redshift dashboard at https://console.aws.amazon.com/redshift/.

03 In the left navigation panel, under Redshift Dashboard, click Clusters.

04 Choose the Redshift cluster that you want to modify, then click on its identifier listed in the Cluster column.

05 On the selected cluster configuration page, click the Cluster dropdown button from the dashboard top menu then click Modify.

06 Within Modify Cluster dialog box, select No next to Publicly Accessible to disable unrestricted (public) access to the selected AWS Redshift cluster.

07 Click the Modify button to apply the changes. The Publicly Accessible property status should change to No.

08 Repeat steps no. 4 - 7 to disable public access for other Redshift clusters provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run modify-cluster command (OSX/Linux/UNIX) using the name of the cluster that you want to modify as identifier (see Audit section part II, step no. 2) to disable public access to the selected Amazon Redshift cluster:

aws redshift modify-cluster \
	--region us-east-1 \
	--cluster-identifier cc-cluster \
	--no-publicly-accessible

02 The command output should return the new configuration metadata for the Redshift cluster:

{
    "Cluster": {
        "PubliclyAccessible": false,
        "MasterUsername": "cloudconformity",
        "ClusterVersion": "1.0",
        "Tags": [],
        "AutomatedSnapshotRetentionPeriod": 1,
        ...
        "AllowVersionUpgrade": true,
        "ClusterIdentifier": "cc-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "dc1.large",
        "Encrypted": false,
        "ClusterStatus": "available"
    }
}

03 Repeat steps no. 1 and 2 for the other publicly accessible Redshift clusters available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 for other regions.
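The CLI audit above (describe-clusters per region, flag clusters whose PubliclyAccessible is true) and the CLI remediation (modify-cluster with --no-publicly-accessible, then confirm the returned metadata shows false) are easy to script once the per-region output is in JSON. The following is an added example, not Conformity's own code: it evaluates the RS-001 check over constructed describe-clusters output for two regions, generates the exact modify-cluster command from the Remediation section for each finding, and verifies a modify-cluster response. The region names, cluster identifiers and endpoint address in the sample data are constructed; the describe_clusters_cli helper is the only part that talks to AWS and is not run here.

```python
"""RS-001 audit and remediation helper for Amazon Redshift (added example)."""
import json
import subprocess
from typing import Dict, List

# Constructed sample of `aws redshift describe-clusters --output json` for two
# regions. Only the fields the check needs are kept; real output carries more.
SAMPLE_DESCRIBE_CLUSTERS: Dict[str, str] = {
    "us-east-1": json.dumps({"Clusters": [
        {"ClusterIdentifier": "cc-cluster", "PubliclyAccessible": True,
         "Endpoint": {"Address": "cc-cluster.example.us-east-1.redshift.amazonaws.com",
                      "Port": 5439}},
        {"ClusterIdentifier": "cc-cluster-dev", "PubliclyAccessible": False},
        {"ClusterIdentifier": "cc-cluster-test", "PubliclyAccessible": True},
    ]}),
    "eu-west-1": json.dumps({"Clusters": []}),
}


def describe_clusters_cli(region: str) -> str:
    """Run the page's describe-clusters command for one region.

    Needs the AWS CLI and credentials; not executed in this example. The
    returned JSON has the same shape as SAMPLE_DESCRIBE_CLUSTERS values.
    """
    result = subprocess.run(
        ["aws", "redshift", "describe-clusters", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return result.stdout


def publicly_accessible_clusters(describe_output: str) -> List[str]:
    """Return identifiers of clusters whose PubliclyAccessible flag is true.

    Anything other than an explicit boolean false (missing key, unexpected
    type) is reported as a finding so it gets reviewed instead of silently
    passing the check.
    """
    data = json.loads(describe_output)
    return [c["ClusterIdentifier"] for c in data.get("Clusters", [])
            if c.get("PubliclyAccessible", True) is not False]


def audit(outputs_by_region: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each region to its publicly accessible clusters; clean regions are omitted."""
    findings: Dict[str, List[str]] = {}
    for region, output in outputs_by_region.items():
        exposed = publicly_accessible_clusters(output)
        if exposed:
            findings[region] = exposed
    return findings


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """Build the page's modify-cluster command for every finding, region by region."""
    return [
        f"aws redshift modify-cluster --region {region} "
        f"--cluster-identifier {cluster} --no-publicly-accessible"
        for region, clusters in sorted(findings.items())
        for cluster in clusters
    ]


def verify_remediated(modify_output: str) -> bool:
    """Confirm a modify-cluster response reports PubliclyAccessible as false."""
    cluster = json.loads(modify_output).get("Cluster", {})
    return cluster.get("PubliclyAccessible") is False


if __name__ == "__main__":
    # Offline run over the constructed sample; replace the dict with
    # {region: describe_clusters_cli(region) for region in regions} for a live audit.
    findings = audit(SAMPLE_DESCRIBE_CLUSTERS)
    for region, clusters in findings.items():
        print(f"{region}: publicly accessible -> {', '.join(clusters)}")
    for command in remediation_commands(findings):
        print(command)
```

For a live audit, the region list would come from the account (for example boto3's Session().get_available_regions("redshift")) rather than being hard-coded, which covers the "repeat for other regions" steps in one pass. Turning off PubliclyAccessible removes the public endpoint but does not review the cluster's security groups or subnet routing, so those still deserve a look as part of the same change.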


Publication date Sep 16, 2016