Description:

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. It enables you to use your data to acquire new insights for your business and customers. The first step is to launch a set of nodes to create a data warehouse; this set of nodes is called an Amazon Redshift cluster. The service makes it simple and cost-effective to analyze all your data efficiently with your existing business intelligence tools. A cluster should not be publicly accessible, as that creates security concerns.


Rationale:

It is recommended that a Redshift cluster not be publicly accessible to other services and resources in AWS. A publicly accessible Redshift cluster means that unauthorized actors could access your data, which can lead to misuse of the data.


Impact:

If a Redshift cluster is not publicly accessible and has no public IP address, no one can establish a connection to it over the internet, which reduces the opportunity for malicious activity such as SQL injection or DDoS attacks.


Default Value:

When you open the Redshift console for the first time, no cluster exists by default.

When you create the first cluster, the default cluster identifier is redshift-cluster-1.

In the Free Trial, the calculated configuration summary (see the picture) is:

dc2.large | 1 node (a node is a collection of computing resources)
(High performance with fixed local SSD storage)

In Database configuration, the database name defaults to dev (you can edit it) and the database port is 5439.

Node size   | vCPU | RAM (GiB) | Default slices per node | Storage per node  | Node range | Total capacity
dc2.large   | 2    | 15        | 2                       | 160 GB NVMe-SSD   | 1–32       | 5.12 TB
dc2.8xlarge | 32   | 244       | 16                      | 2.56 TB NVMe-SSD  | 2–128      | 326 TB
dc1.large   | 2    | 15        | 2                       | 160 GB SSD        | 1–32       | 5.12 TB
dc1.8xlarge | 32   | 244       | 32                      | 2.56 TB SSD       | 2–128      | 326 TB

By default it generates the parameter group default.redshift-1.0, with no database encryption.

For the network it automatically takes the default VPC and default subnet, and for security it takes the default security group. You can change these manually.

The default values for the redshift-1.0 parameter group family are:

Parameter name                   | Value               | More information
auto_analyze                     | true                | auto_analyze in the Amazon Redshift Database Developer Guide
datestyle                        | ISO, MDY            | datestyle in the Amazon Redshift Database Developer Guide
enable_case_sensitive_identifier | false               | enable_case_sensitive_identifier in the Amazon Redshift Database Developer Guide
enable_user_activity_logging     | false               | Database audit logging in this guide
extra_float_digits               | 0                   | extra_float_digits in the Amazon Redshift Database Developer Guide
max_concurrency_scaling_clusters | 1                   | max_concurrency_scaling_clusters in the Amazon Redshift Database Developer Guide
query_group                      | default             | query_group in the Amazon Redshift Database Developer Guide
require_ssl                      | false               | Configuring security options for connections in this guide
search_path                      | $user, public       | search_path in the Amazon Redshift Database Developer Guide
statement_timeout                | 0                   | statement_timeout in the Amazon Redshift Database Developer Guide
wlm_json_configuration           | [{"auto_wlm":true}] | Configuring workload management in this guide
use_fips_ssl                     | false               | Enable FIPS-compliant SSL mode only if your system is required to be FIPS-compliant.

Audit:

Step 1: Log in to the AWS Management Console and navigate to the Redshift dashboard at https://console.aws.amazon.com/redshift/.

Step 2: Click on Clusters in the left navigation panel under Redshift Dashboard.

Step 3: Select the Redshift cluster that you want to audit.

Step 4: Click on Properties, scroll down to the Network and security settings panel, and check whether Publicly accessible is Enabled or Disabled.

If it is enabled, follow the implementation steps. Check all other clusters as well if you created multiple clusters.


Via CLI Command:

Step 1: The command below lists the identifiers of all Redshift clusters in the selected region:

aws redshift describe-clusters --region us-east-1 --output table --query 'Clusters[*].ClusterIdentifier'


Step 2: Query the publicly accessible setting of the cluster that you want to audit:

aws redshift describe-clusters --region ap-south-1 --cluster-identifier redshift-cluster-1 --query 'Clusters[*].PubliclyAccessible'


If publicly accessible is enabled, the command returns true; if it is disabled, it returns false.
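The CLI audit above, carried out across every cluster in one pass, as an added example that is not part of the original document: it parses the JSON form of `aws redshift describe-clusters` output (a constructed sample is embedded here, with a made-up endpoint and security group ids), reports each cluster whose PubliclyAccessible flag is true, and prints the modify-cluster command that applies the remediation described later on this page.

```python
import json
from typing import Dict, List

# Constructed sample of `aws redshift describe-clusters --output json`
# (not real output). redshift-cluster-1 is the page's default identifier;
# the endpoint hostnames and security group ids are made up.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "redshift-cluster-1", "PubliclyAccessible": True,
         "Endpoint": {"Address": "redshift-cluster-1.abc123.ap-south-1.redshift.amazonaws.com",
                      "Port": 5439},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}]},
        {"ClusterIdentifier": "analytics-private", "PubliclyAccessible": False,
         "Endpoint": {"Address": "analytics-private.abc123.ap-south-1.redshift.amazonaws.com",
                      "Port": 5439},
         "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0fedcba9876543210", "Status": "active"}]},
    ]
})


def find_public_clusters(describe_output: str) -> List[Dict[str, object]]:
    """Return one finding per cluster whose PubliclyAccessible flag is true."""
    findings = []
    for cluster in json.loads(describe_output).get("Clusters", []):
        if not cluster.get("PubliclyAccessible", False):
            continue  # compliant: reachable only inside the VPC
        endpoint = cluster.get("Endpoint", {})
        findings.append({
            "cluster": cluster["ClusterIdentifier"],
            "endpoint": f'{endpoint.get("Address", "?")}:{endpoint.get("Port", "?")}',
            "security_groups": [g["VpcSecurityGroupId"]
                                for g in cluster.get("VpcSecurityGroups", [])],
        })
    return findings


def remediation_command(cluster_id: str, region: str) -> str:
    """CLI equivalent of the console 'Modify publicly accessible setting' step."""
    return (f"aws redshift modify-cluster --region {region} "
            f"--cluster-identifier {cluster_id} --no-publicly-accessible")


if __name__ == "__main__":
    for finding in find_public_clusters(SAMPLE_DESCRIBE_CLUSTERS):
        print(f"NON-COMPLIANT {finding['cluster']} at {finding['endpoint']} "
              f"via {finding['security_groups']}")
        print("  remediation:", remediation_command(finding["cluster"], "ap-south-1"))
```

To run it against a real account, replace the embedded sample with the captured output of the describe-clusters command from Step 1.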


Remediation:

Implementation Steps:

Follow these steps to disable public access to a Redshift cluster:

Step 1: Log in to the AWS Management Console and navigate to the Redshift dashboard at https://console.aws.amazon.com/redshift/.

Step 2: Click on Clusters in the left navigation panel under Redshift Dashboard.

Step 3: Select the cluster to modify.

Step 4: Click on the Properties tab.

Step 5: Scroll down to Network and security settings and, if public access is enabled, click the Edit publicly accessible button.

or

Step 4: Click on the Actions button and

Step 5: click on Modify publicly accessible setting.

Step 6: Select the Disable option and click on the Save changes button.



Backout Plan:

The implementation steps above modify a cluster. If you cannot connect to the cluster from the internet or a different network, check the following settings:

Security group

→ Choose the link next to VPC security groups to open the Amazon Elastic Compute Cloud (Amazon EC2) console.

→ On the Inbound Rules tab, be sure that your IP address and the port of your Amazon Redshift cluster are allowed.

Note: Although security groups are stateful, it is a best practice to be sure that the Outbound Rules allow outbound communication. By default, a security group includes an outbound rule that allows all outbound traffic. For more information, see Security Group Basics.

VPC network access control list (network ACL)

→ Unlike security groups, network ACLs are stateless. This means that you must configure both inbound and outbound rules. Be sure that your IP address and the port of your Amazon Redshift cluster are allowed in the inbound rules for the VPC network ACL. In the outbound rules, allow all traffic (port range 0-65535) to your IP address. For more information, see Adding and Deleting Rules.

VPC route table

→ Verify the route table settings on the Amazon VPC console.

→ If you don't want to make the subnet publicly accessible because of other resources that are in that subnet, use a snapshot to restore the cluster into a public subnet.
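The security group check from the backout plan, as an added example that is not part of the original document: it evaluates the JSON form of `aws ec2 describe-security-groups` output (a constructed sample with a made-up group id) for inbound rules that reach the cluster's port 5439, reports whether a given client address is allowed in, and flags rules that are open to the whole internet rather than to a specific IP address.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed sample of `aws ec2 describe-security-groups --group-ids ...`
# output (not real data): one 5439 rule open to the world, one scoped to a
# single client IP, and one unrelated SSH rule.
SAMPLE_SECURITY_GROUP = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]}]})


def _covers_port(rule: dict, port: int) -> bool:
    # IpProtocol "-1" means all protocols and ports; otherwise check the TCP range.
    if rule.get("IpProtocol") == "-1":
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1))


def inbound_sources_for_port(describe_output: str, port: int) -> List[Dict[str, object]]:
    """Every CIDR (v4 or v6) allowed to reach `port`, with a world-open flag."""
    sources = []
    for sg in json.loads(describe_output).get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not _covers_port(rule, port):
                continue
            cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                sources.append({"group": sg["GroupId"], "cidr": cidr,
                                "world_open": net.prefixlen == 0})  # /0 = anyone
    return sources


def client_allowed(describe_output: str, port: int, client_ip: str) -> bool:
    """Backout check: is this client address permitted in on the cluster port?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(s["cidr"], strict=False)
               for s in inbound_sources_for_port(describe_output, port))
```

A world-open entry satisfies the backout plan's "your IP address is allowed" check only by also admitting everyone else, so the scoped /32 rule is the one to keep.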


References:

  1. Amazon Redshift clusters - Amazon Redshift

  2. What is Amazon Redshift? - Amazon Redshift

  3. Amazon Redshift parameter groups - Amazon Redshift

  4. https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster