Ensure Amazon Redshift clusters are not publicly accessible

Error: AWS Redshift clusters should not be publicly accessible

Bridgecrew Policy ID: BC_AWS_PUBLIC_9
Checkov Check ID: CKV_AWS_87
Severity: HIGH

Description

A Redshift cluster deployed in a VPC can be reached in several ways: from resources inside the VPC, from EC2 instances or on-premises hosts connected to the VPC over VPN, through a bastion host launched in a public subnet, or, when the cluster's Publicly Accessible option is enabled, directly from the Internet. Creating a cluster with Publicly Accessible set to Yes attaches a public IP address to its endpoint, so the cluster is reachable from outside the VPC (still subject to its security group rules). If you do not want the cluster reachable from the Internet or from outside your VPC, disable the Publicly Accessible option. If your AWS account allows you to create EC2-Classic clusters, the default for Publicly Accessible is No.

A publicly accessible cluster exposes its database port to the whole Internet, which increases the opportunity for malicious activity such as credential brute-forcing, SQL injection against applications fronting the cluster, or Distributed Denial of Service (DDoS) attacks. Disabling Publicly Accessible removes the public endpoint; it does not replace security group rules, so inbound access to the cluster's port should still be restricted to known sources.

Fix - Runtime

AWS Console

To change the setting using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to the Redshift service.
  3. Click on the identified Redshift cluster name.
  4. In the menu options, click Cluster, then select Modify.
  5. Set the value for Publicly Accessible to No and save the change.
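The console steps above fix one cluster at a time. The following is an added example (not Bridgecrew or Checkov code) that audits the JSON returned by `aws redshift describe-clusters` (the same shape boto3's `describe_clusters()` returns), reports every cluster with the flag set, and builds the equivalent API and CLI remediation. The `describe-clusters` response embedded below is constructed for illustration; the identifiers, endpoint and security group IDs in it are made up.

```python
"""Audit Redshift clusters for the Publicly Accessible setting.

Added example for this policy page; not Bridgecrew/Checkov code. It works
on the JSON shape returned by `aws redshift describe-clusters` (also what
boto3's describe_clusters() returns) and builds the remediation call.
"""
import json

# Constructed sample (not real account data): one exposed cluster, one private.
SAMPLE_DESCRIBE_CLUSTERS = json.loads("""
{
  "Clusters": [
    {
      "ClusterIdentifier": "analytics-prod",
      "PubliclyAccessible": true,
      "Endpoint": {"Address": "analytics-prod.abc123.us-east-1.redshift.amazonaws.com", "Port": 5439},
      "VpcId": "vpc-0a1b2c3d",
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]
    },
    {
      "ClusterIdentifier": "reporting-internal",
      "PubliclyAccessible": false,
      "Endpoint": {"Address": "reporting-internal.abc123.us-east-1.redshift.amazonaws.com", "Port": 5439},
      "VpcId": "vpc-0a1b2c3d",
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}]
    }
  ]
}
""")


def find_public_clusters(describe_response):
    """Return one finding per cluster whose PubliclyAccessible flag is true.

    Each finding carries what a responder wants next to the identifier: the
    endpoint that is reachable from the Internet and the security groups that
    currently gate it (a public cluster is still filtered by its security
    group rules, so those need review as well).
    """
    findings = []
    for cluster in describe_response.get("Clusters", []):
        if not cluster.get("PubliclyAccessible", False):
            continue
        endpoint = cluster.get("Endpoint", {})
        findings.append({
            "ClusterIdentifier": cluster["ClusterIdentifier"],
            "Endpoint": f"{endpoint.get('Address')}:{endpoint.get('Port')}",
            "SecurityGroups": [sg["VpcSecurityGroupId"]
                               for sg in cluster.get("VpcSecurityGroups", [])],
        })
    return findings


def remediation_command(cluster_identifier):
    """AWS CLI equivalent of the console fix for a single cluster."""
    return (f"aws redshift modify-cluster --cluster-identifier {cluster_identifier} "
            f"--no-publicly-accessible")


def remediate(cluster_identifier, redshift_client):
    """Flip the flag through the Redshift API.

    `redshift_client` is a boto3 Redshift client (boto3.client("redshift"));
    injecting it keeps the function testable offline. Returns the Cluster
    structure from the ModifyCluster response.
    """
    resp = redshift_client.modify_cluster(ClusterIdentifier=cluster_identifier,
                                          PubliclyAccessible=False)
    return resp["Cluster"]


if __name__ == "__main__":
    # Live run: list every exposed cluster in the configured account/region.
    import boto3  # only needed for the live call
    client = boto3.client("redshift")
    for page in client.get_paginator("describe_clusters").paginate():
        for finding in find_public_clusters(page):
            print(finding)
            print("  fix:", remediation_command(finding["ClusterIdentifier"]))
```

Run it without arguments to list exposed clusters with the CLI command that fixes each; call `remediate()` with a real client only after confirming nothing legitimate depends on the public endpoint.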

Fix - Buildtime

Terraform

  • Resource: aws_redshift_cluster
  • Argument: publicly_accessible

The provider defaults publicly_accessible to true, so the argument must be set to false explicitly; omitting it leaves the cluster public.
resource "aws_redshift_cluster" "default" {
  cluster_identifier = "tf-redshift-cluster"
  ...
- publicly_accessible = true
+ publicly_accessible = false
}

CloudFormation

  • Resource: AWS::Redshift::Cluster
  • Argument: Properties.PubliclyAccessible
Type: "AWS::Redshift::Cluster"
Properties:
  ...
- PubliclyAccessible: true
+ PubliclyAccessible: false
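Both build-time fixes above come down to the same rule: the resource must carry the attribute with the value false, and leaving it out is not a pass. The following is an added example (it is not Checkov's CKV_AWS_87 implementation) that reproduces that rule over two inputs: Terraform HCL text, scanned with a minimal regex over flat aws_redshift_cluster blocks (not a full HCL parser), and a CloudFormation template in its JSON form, parsed with the standard library so it runs without PyYAML. An omitted Terraform argument is reported as FAILED because the provider defaults it to true; treating an omitted CloudFormation property the same way is a deliberate conservative assumption of this example. The sample Terraform and template below are constructed for illustration.

```python
"""Build-time check for the Redshift Publicly Accessible setting.

Added example for this page; not Checkov's CKV_AWS_87 code. Scans flat
Terraform resource blocks with a regex (assumption: closing brace at
column 0, no nested blocks) and CloudFormation templates in JSON form.
"""
import json
import re

PASSED, FAILED = "PASSED", "FAILED"

# `resource "aws_redshift_cluster" "<name>" { ... }` with the closing brace at
# column 0. Nested blocks would need a real HCL parser (e.g. python-hcl2).
_TF_BLOCK = re.compile(
    r'resource\s+"aws_redshift_cluster"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Accepts both `publicly_accessible = false` and the quoted form `"false"`.
_TF_ATTR = re.compile(
    r'^\s*publicly_accessible\s*=\s*"?(?P<val>true|false)"?\s*$', re.MULTILINE
)


def check_terraform(hcl_text):
    """Return {resource_name: PASSED|FAILED} for every aws_redshift_cluster."""
    results = {}
    for block in _TF_BLOCK.finditer(hcl_text):
        m = _TF_ATTR.search(block.group("body"))
        # Missing argument: provider default is true, so the cluster is public.
        is_public = m.group("val") == "true" if m else True
        results[block.group("name")] = FAILED if is_public else PASSED
    return results


def check_cloudformation(template):
    """Return {logical_id: PASSED|FAILED} for every AWS::Redshift::Cluster."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Redshift::Cluster":
            continue
        # Assumption: an omitted property is treated as public (conservative).
        value = res.get("Properties", {}).get("PubliclyAccessible", True)
        if isinstance(value, str):          # CloudFormation also accepts "true"/"false"
            is_public = value.strip().lower() == "true"
        elif isinstance(value, bool):
            is_public = value
        else:                               # intrinsic function (Ref/Fn::*): cannot prove it false
            is_public = True
        results[logical_id] = FAILED if is_public else PASSED
    return results


# Constructed samples: the page's before/after plus a block omitting the argument.
SAMPLE_TF = '''
resource "aws_redshift_cluster" "exposed" {
  cluster_identifier = "tf-redshift-cluster"
  publicly_accessible = "true"
}

resource "aws_redshift_cluster" "fixed" {
  cluster_identifier = "tf-redshift-cluster"
  publicly_accessible = false
}

resource "aws_redshift_cluster" "implicit" {
  cluster_identifier = "tf-redshift-cluster"
}
'''

SAMPLE_CFN = json.loads('''
{
  "Resources": {
    "Exposed": {"Type": "AWS::Redshift::Cluster", "Properties": {"PubliclyAccessible": true}},
    "Fixed":   {"Type": "AWS::Redshift::Cluster", "Properties": {"PubliclyAccessible": false}},
    "Bucket":  {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
''')

if __name__ == "__main__":
    print("terraform:", check_terraform(SAMPLE_TF))
    print("cloudformation:", check_cloudformation(SAMPLE_CFN))
```

The "implicit" block is the case that trips people up: the Terraform file never mentions the setting, yet the resulting cluster is public, so the check reports it as FAILED just like the explicit `"true"`.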