Description

Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to analyze all your data with your existing business intelligence tools. A Redshift cluster should not be publicly accessible, because exposing it to the internet creates a security risk.


Rationale:  

It is recommended that a Redshift cluster not be publicly accessible to other services and resources in AWS. A publicly accessible Redshift cluster means that unauthorized actors could reach your data, which can lead to its misuse.


Remediation: 

Follow the steps for modifying a cluster (see the reference below). In the Modify Cluster window, set Publicly accessible to No. If you still cannot connect to the cluster from the internet or from a different network, check the following settings.


Security group

  • Open the Amazon Redshift console, and then choose the cluster to modify.
  • Choose the link next to VPC security groups to open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  • On the Inbound Rules tab, be sure that your IP address and the port of your Amazon Redshift cluster are allowed. The default port for Amazon Redshift is 5439, but your port might be different.

Note: Although security groups are stateful, it’s a best practice to be sure that the Outbound Rules allow outbound communications. By default, a security group includes an outbound rule that allows all outbound traffic. For more information, see Security Group Basics.


VPC network access control list (network ACL)

  • Unlike security groups, network ACLs are stateless. This means that you must configure both inbound and outbound rules. Be sure that your IP address and the port of your Amazon Redshift cluster are allowed in the inbound rules for the VPC network ACL. In the outbound rules, allow all traffic (port range: 0–65535) to your IP address. For more information, see Adding and Deleting Rules.


VPC route table

  • Verify route table settings on the Amazon VPC console.
  • If you don’t want to make the subnet publicly accessible because of other resources that are in that subnet, use a snapshot to restore the cluster into a public subnet.
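The checks above can be scripted. The following is an added example (not code from the AWS documentation this page references) that inspects boto3 responses for the two conditions the remediation covers: the cluster's PubliclyAccessible flag, and a VPC security group inbound rule that opens the cluster port to 0.0.0.0/0 or ::/0 instead of a specific IP address; the cluster and security group data below is constructed, the modify_cluster call is the API behind the console's Publicly accessible setting.

```python
"""Checks for the two conditions this page's remediation deals with: the cluster's
PubliclyAccessible flag and security-group rules that open the cluster port to everyone.
Added example, not from the referenced AWS documentation; all sample data is constructed."""
from typing import Dict, List

# Constructed sample shaped like boto3 redshift.describe_clusters() output.
SAMPLE_CLUSTERS = {"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "PubliclyAccessible": True,
     "Endpoint": {"Port": 5439}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123placeholder"}]},
    {"ClusterIdentifier": "analytics-dev", "PubliclyAccessible": False,
     "Endpoint": {"Port": 5439}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0456placeholder"}]},
]}
# Constructed sample shaped like boto3 ec2.describe_security_groups() output.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0123placeholder", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439,
     "ToPort": 5439, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0456placeholder", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439,
     "ToPort": 5439, "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
]}


def public_clusters(describe_response: Dict) -> List[str]:
    """Identifiers of clusters whose PubliclyAccessible flag is set: the finding itself."""
    return [c["ClusterIdentifier"] for c in describe_response.get("Clusters", [])
            if c.get("PubliclyAccessible", False)]


def open_to_world(sg_response: Dict, port: int) -> List[str]:
    """Security group IDs with an inbound rule allowing `port` from 0.0.0.0/0 or ::/0."""
    hits = []
    for sg in sg_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            # IpProtocol "-1" means all protocols; such rules carry no FromPort/ToPort.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if perm.get("IpProtocol") not in ("tcp", "-1") or not lo <= port <= hi:
                continue
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                hits.append(sg["GroupId"])
                break
    return hits


def remediate(redshift_client, cluster_id: str) -> Dict:
    """Same effect as Modify Cluster -> Publicly accessible = No in the console."""
    return redshift_client.modify_cluster(ClusterIdentifier=cluster_id, PubliclyAccessible=False)
```

Against a live account, pass the output of `boto3.client("redshift").describe_clusters()` to `public_clusters` and the output of `boto3.client("ec2").describe_security_groups(GroupIds=[...])` for the cluster's VpcSecurityGroups to `open_to_world` with the cluster's Endpoint port.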


Reference: 

    https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster