iCompaas Support

Profile Applicability:

• Level 1

Description:

When creating an Amazon Redshift cluster, a default admin user with the username awsuser is often created. Using this default admin username in production environments increases the risk of unauthorized access, as it is a well-known username that can be targeted by attackers. To enhance security, it is recommended that the default admin username (awsuser) be changed to a more secure and unique value.

This SOP ensures that Amazon Redshift clusters are not using the default admin username, thereby reducing the risk of unauthorized access and adhering to security best practices.

Rationale:

• Security: The default admin username (awsuser) is a predictable target for attackers. Changing it to a unique name significantly enhances the security of your Redshift cluster.

• Compliance: Many compliance standards (e.g., SOC 2, HIPAA, PCI-DSS) require the use of custom usernames and strong authentication methods to safeguard sensitive data.

• Operational Security Best Practices: Using unique usernames and avoiding default configurations helps prevent attacks that target known credentials and ensures better governance over access control.

Impact:

Pros:

• Increased Security: Reduces the risk of unauthorized access by eliminating the default admin user, which is commonly targeted.

• Compliance: Helps meet security requirements for compliance frameworks that demand stricter user authentication and management practices.

• Best Practices: Enforces better governance of administrative access to the cluster by using unique usernames.

Cons:

• Admin Configuration Complexity: Changing the default admin username may require reconfiguration of applications or users that rely on the awsuser account.

• Management Overhead: Managing custom usernames requires additional administrative efforts to ensure proper access controls are in place.

Default Value:

By default, Amazon Redshift clusters created via the AWS Management Console use awsuser as the admin username. If this default username is not modified during the cluster creation process, it will remain in place.

Pre-requisite:

• AWS IAM Permissions:

  • redshift:DescribeClusters

  • redshift:ModifyCluster

  • redshift:CreateCluster

  • redshift:ModifyClusterIamRoles

• AWS CLI installed and configured.

• Custom admin username for the cluster should be created before modifying the cluster configuration.

• Redshift Cluster must be accessible and active.

Remediation:

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon Redshift under Services.

3. In the Redshift Dashboard, select the cluster you want to check.

4. Under the Cluster Properties, check the Admin Username.

   • If the Admin Username is awsuser, it means the cluster is using the default admin username.

   • If the Admin Username is a custom value, the cluster is correctly configured.

5. If the default username awsuser is being used, click Modify Cluster.

6. Update the Admin Username to a custom, secure username.

7. Save the changes and ensure that the new admin username is used.

Using AWS CLI:

To check if the Redshift cluster is using the default admin username, run:

aws redshift describe-clusters --query 'Clusters[*].{ClusterId:ClusterIdentifier,AdminUsername:MasterUsername}'

If the Admin Username is awsuser, you need to change it to a custom username. To do so, run:

aws redshift modify-cluster --cluster-identifier <cluster-id> --master-username <new-admin-username>

To verify the change, run:

aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].{ClusterId:ClusterIdentifier,AdminUsername:MasterUsername}'

Implementation Steps:

Using AWS Console:

1. Log in to the AWS Management Console and navigate to Amazon Redshift.

2. In the Redshift Dashboard, select the Redshift Cluster that you want to modify.

3. Under Cluster Properties, locate the Admin Username.

4. If the Admin Username is awsuser, click Modify.

5. In the Master Username field, change the username to a secure, custom value.

6. Save the changes. The cluster will undergo a restart process to apply the changes.

7. Verify that the Admin Username is no longer awsuser.

Using AWS CLI:

To modify the Redshift cluster to use a custom admin username, run:

aws redshift modify-cluster --cluster-identifier <cluster-id> --master-username <new-admin-username>

To verify the change, run:

aws redshift describe-clusters --cluster-identifier <cluster-id> --query 'Clusters[*].{ClusterId:ClusterIdentifier,AdminUsername:MasterUsername}'

Backout Plan:

Console Process

1. Go to the Amazon Redshift Console:

   • Open the Amazon Redshift console.

   • Select your cluster from the list.

2. Check Admin Username:

   • In the cluster details, look for the Admin Username under Cluster Properties.

   • If the username is awsuser, it is the default admin username.

CLI Process

Describe the Cluster:

aws redshift describe-clusters --cluster-identifier <cluster-name>

1. Check the Output:

   • Look for the MasterUsername field in the output.

   • If it says awsuser, the cluster is using the default admin username.

Note :

• Admin Access: Ensure that the new admin username is well documented and communicated to relevant stakeholders, especially those managing applications that rely on this admin account.

• Backup: Before making any changes, it’s recommended to take a snapshot of the Redshift cluster to avoid data loss in case of configuration issues.

References:

• Amazon Redshift Documentation: Cluster Modifications

• AWS CLI: modify-cluster

• AWS CLI: describe-clusters

CIS Controls Mapping: