Profile Applicability:

  • Level 1

Description:

In Amazon Redshift, the default database name is dev, which is automatically created when a new cluster is set up. Using the default database name in production environments can present security risks, as it is easier for attackers to target common resources, especially when no custom naming conventions are used. For better security, it is recommended to use a unique database name when creating or modifying a Redshift cluster.

This SOP ensures that no Amazon Redshift clusters are using the default database name (dev) and that each cluster has a properly named database that aligns with security best practices.

Rationale:

  • Security: The use of a default database name (dev) could make your Redshift cluster a target for attackers because it is a known and predictable name. Custom database names reduce the risk of such attacks.

  • Best Practices: Customizing the database name ensures better organizational practices and avoids relying on default configurations.

  • Compliance: In many regulatory frameworks (e.g., PCI-DSS, SOC 2), the use of predictable names like dev can be flagged as non-compliant.

  • Operational Clarity: Having custom database names provides clear context for the purpose of each database, aiding in the management and organization of data.

Impact:

Pros:

  • Improved Security: Avoids the use of default database names that are commonly targeted by attackers.

  • Better Organizational Structure: Custom names help in organizing databases, especially in multi-database environments.

  • Compliance: Meets security and compliance standards that require unique and non-default configurations.

Cons:

  • Additional Configuration: Requires additional time and administrative effort to ensure that all clusters have custom database names.

  • Potential Downtime: Modifying the database name after creation can result in downtime, and changes should be planned carefully.

Default Value:

By default, when a new Amazon Redshift cluster is created, the database name is set to dev. This setting should be modified as part of security and best practice configuration before deployment.

Pre-requisite:

  • AWS IAM Permissions:

    • redshift:DescribeClusters

    • redshift:ModifyCluster

    • redshift:CreateCluster

  • AWS CLI installed and configured.

  • Redshift Cluster should be running and accessible.

  • Custom naming conventions for the database need to be defined.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Redshift under Services.

  3. In the Redshift Dashboard, select the cluster you want to check.

  4. Under the Cluster Properties, check the Database Name.

    • If the Database Name is dev, it means the cluster is using the default database name.

    • If the Database Name is a custom name, the cluster is correctly configured.

  5. If the default name dev is used, click Modify Cluster and change the database name to a custom value.

  6. Save the changes, and verify that the new database name is applied.

Using AWS CLI:

To check if the cluster is using the default database name, run:

aws redshift describe-clusters --query 'Clusters[*].{ClusterId:ClusterIdentifier,DatabaseName:DBName}'

If the result shows that the database name is dev, you need to modify the cluster to use a custom name. Run:

aws redshift modify-cluster --cluster-identifier <cluster-id> --db-name <new-database-name>

To confirm the change, run:

aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].{ClusterId:ClusterIdentifier,DatabaseName:DBName}'
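
The CLI check above, automated over every cluster in a describe-clusters response. This is an added example, not part of the original SOP; the naming-convention pattern and the sample cluster records are assumptions constructed for illustration.

```python
import json
import re

DEFAULT_DB_NAME = "dev"  # the default database name this SOP checks for
# Hypothetical naming convention (an assumption): <env>_<purpose>, lowercase.
NAMING_CONVENTION = re.compile(r"^(prod|stg|test)_[a-z][a-z0-9_]{2,40}$")

# Constructed sample, shaped like `aws redshift describe-clusters --output json`.
SAMPLE_RESPONSE = json.loads("""
{"Clusters": [
  {"ClusterIdentifier": "analytics-01", "DBName": "dev", "ClusterStatus": "available"},
  {"ClusterIdentifier": "billing-01", "DBName": "prod_billing", "ClusterStatus": "available"},
  {"ClusterIdentifier": "legacy-01", "DBName": "warehouse", "ClusterStatus": "available"},
  {"ClusterIdentifier": "new-01", "ClusterStatus": "creating"}
]}
""")


def audit_db_names(response, convention=NAMING_CONVENTION):
    """Return one finding per cluster: FAIL for the default name, WARN for a
    custom name outside the convention, UNKNOWN when DBName is absent."""
    findings = []
    for cluster in response.get("Clusters", []):
        cluster_id = cluster.get("ClusterIdentifier", "<unknown>")
        db_name = cluster.get("DBName")
        if not db_name:
            # Never treat a missing field as compliant; surface it for review.
            status, reason = "UNKNOWN", "DBName not present in output"
        elif db_name.strip().lower() == DEFAULT_DB_NAME:
            status, reason = "FAIL", "default database name in use"
        elif not convention.match(db_name):
            status, reason = "WARN", "custom name does not follow convention"
        else:
            status, reason = "PASS", "custom database name"
        findings.append({"cluster": cluster_id, "db_name": db_name,
                         "status": status, "reason": reason})
    return findings


def non_compliant(findings):
    """Cluster identifiers that need remediation or manual review."""
    return [f["cluster"] for f in findings if f["status"] != "PASS"]


if __name__ == "__main__":
    for finding in audit_db_names(SAMPLE_RESPONSE):
        print("{status:8} {cluster:14} {db_name!s:14} {reason}".format(**finding))
```

To audit a live account, pass the parsed JSON output of aws redshift describe-clusters to audit_db_names in place of the sample.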

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon Redshift.

  2. In the Redshift Dashboard, select the Redshift Cluster you want to configure.

  3. Under Cluster Properties, check the Database Name.

  4. If the Database Name is dev, click Modify Cluster and change it to a unique, custom name.

  5. Ensure the new name is properly applied and Save the changes.

Using AWS CLI:

To change the default database name:

aws redshift modify-cluster --cluster-identifier <cluster-id> --db-name <new-database-name>

To verify the new name:

aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].{ClusterId:ClusterIdentifier,DatabaseName:DBName}'

Backout Plan:

Console Process

  1. Go to the Amazon Redshift Console:

    • Open the Amazon Redshift console.

    • Select your cluster from the list.

  2. Check Database Name:

    • In the cluster details, look for the Database Name under Cluster Properties.

    • If the name is dev, it is the default database name.

CLI Process

  1. Describe the Cluster:

aws redshift describe-clusters --cluster-identifier <cluster-name>

  2. Check the Output:

    • Look for the DBName field in the output.

    • If it says dev, the cluster is using the default database name.

Note:

  • Testing: It's recommended to test these changes in a staging environment before applying them to production clusters.

  • Naming Convention: Define a standard naming convention for database names in your organization to avoid confusion and ensure consistency.

References:

CIS Controls Mapping:

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | | |
| v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | | |
| v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | | |
| v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | | |