Profile Applicability:

  • Level 1


Description:

This control ensures that Amazon Redshift clusters are not publicly accessible unless explicitly required. A publicly accessible Redshift cluster can be reached from the internet, increasing the risk of unauthorized access, data exposure, or network attacks. Ensuring clusters are private helps maintain data confidentiality and complies with cloud security best practices.


Rationale:

Redshift clusters are designed for large-scale data analytics and often contain sensitive or business-critical information. When clusters are publicly accessible, they can be targeted by attackers scanning for exposed ports or misconfigurations. By limiting Redshift access to trusted VPCs, subnets, and security groups, organizations can:

  • Reduce exposure to internet-based threats.

  • Maintain compliance with security frameworks (CIS, SOC 2, ISO 27001).

  • Enforce network segmentation and least-privilege principles.


Impact:

  • Positive Impact:

    • Reduces exposure of sensitive data to the public internet.

    • Helps prevent unauthorized access and SQL injection attacks.

    • Supports compliance and data protection objectives.

  • Negative Impact:

    • Applications or users requiring public access may need VPN, AWS PrivateLink, or bastion host access reconfiguration.


Default Value:

By default, Redshift clusters can be created as publicly accessible if the setting is not explicitly disabled during creation.


Pre-Requisite:

  • IAM permissions required:

    • redshift:DescribeClusters

    • redshift:ModifyCluster

  • Familiarity with VPC configuration and private subnet architecture.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Redshift → Clusters.

  3. For each cluster, review the Publicly accessible column.

  4. Ensure it shows No for all clusters that do not require public access.

  5. If any cluster displays Yes, verify whether public access is business-justified.

  6. If not justified, proceed to disable public access following the implementation steps.


Implementation Plan

Using AWS Console:

  1. Navigate to Amazon Redshift → Clusters.

  2. Select the cluster that is publicly accessible.

  3. Choose Edit from the cluster actions menu.

  4. Under Network and security, locate the Publicly accessible option.

  5. Change the setting to No.

  6. Review the associated VPC security groups and subnets to ensure proper internal access is configured.

  7. Save changes to apply the update.
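The following script is an added example, not part of the original benchmark text or an AWS-provided tool. It automates the Test Plan above (find every cluster whose Publicly accessible flag is Yes and separate business-justified exceptions from findings) and then produces the AWS CLI commands that correspond to the Implementation Plan (disable public access) and the Backout Plan (re-enable it temporarily). It parses the JSON that `aws redshift describe-clusters --output json` returns; the embedded sample output, the cluster names, VPC and security group identifiers, and the `APPROVED_PUBLIC` exception list are all constructed for illustration. The `modify-cluster --no-publicly-accessible` / `--publicly-accessible` flags are the real AWS CLI options for the PubliclyAccessible setting.

```python
"""Audit Amazon Redshift clusters for public accessibility and emit remediation commands.

Run it with real data by piping the CLI output in:
    aws redshift describe-clusters --output json | python3 redshift_public_audit.py
Without stdin input it falls back to the constructed sample below.
"""
import json
import shlex
import sys

# Constructed sample in the shape of `aws redshift describe-clusters` output.
# Only the fields used by this check are included; every value is made up.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {
            "ClusterIdentifier": "analytics-prod",
            "PubliclyAccessible": False,
            "VpcId": "vpc-0example0001",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example0001", "Status": "active"}],
        },
        {
            "ClusterIdentifier": "reporting-dev",
            "PubliclyAccessible": True,
            "VpcId": "vpc-0example0001",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example0002", "Status": "active"}],
        },
        {
            "ClusterIdentifier": "legacy-public",
            "PubliclyAccessible": True,
            "VpcId": "vpc-0example0002",
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example0003", "Status": "active"}],
        },
    ]
})

# Hypothetical exception list: clusters whose public access has a documented
# business justification (Test Plan step 5). Maintain this outside the script in practice.
APPROVED_PUBLIC = frozenset({"legacy-public"})


def find_public_clusters(describe_json, approved=frozenset()):
    """Return one finding per cluster with PubliclyAccessible == true.

    Each finding records the cluster identifier, whether it is on the approved
    exception list, and the attached VPC security groups (Implementation Plan
    step 6 asks for those to be reviewed before the change).
    """
    data = json.loads(describe_json)
    findings = []
    for cluster in data.get("Clusters", []):
        if not cluster.get("PubliclyAccessible", False):
            continue
        cluster_id = cluster["ClusterIdentifier"]
        findings.append({
            "cluster": cluster_id,
            "justified": cluster_id in approved,
            "vpc": cluster.get("VpcId"),
            "security_groups": [sg["VpcSecurityGroupId"] for sg in cluster.get("VpcSecurityGroups", [])],
        })
    return findings


def remediation_commands(findings):
    """AWS CLI commands that disable public access for every unjustified finding."""
    return [
        "aws redshift modify-cluster --cluster-identifier "
        f"{shlex.quote(f['cluster'])} --no-publicly-accessible"
        for f in findings if not f["justified"]
    ]


def backout_command(cluster_id):
    """AWS CLI command that re-enables public access (Backout Plan, temporary use only)."""
    return (
        "aws redshift modify-cluster --cluster-identifier "
        f"{shlex.quote(cluster_id)} --publicly-accessible"
    )


def audit_passed(findings):
    """The control passes only when every publicly accessible cluster is an approved exception."""
    return all(f["justified"] for f in findings)


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_CLUSTERS
    results = find_public_clusters(raw, APPROVED_PUBLIC)
    for f in results:
        status = "APPROVED" if f["justified"] else "FAIL"
        print(f"{status}\t{f['cluster']}\tvpc={f['vpc']}\tsgs={','.join(f['security_groups'])}")
    for cmd in remediation_commands(results):
        print("remediate:", cmd)
    sys.exit(0 if audit_passed(results) else 1)
```

The script only prints the `modify-cluster` commands rather than running them, so the reviewer can check the security groups and subnets listed for each cluster before applying the change, which is the order the Implementation Plan prescribes. Non-zero exit on an unjustified finding makes it usable as a scheduled compliance check.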


Backout Plan

Using AWS Console:

  1. If access issues occur after disabling public access, revert by:

    • Editing the cluster again in the console.

    • Setting Publicly accessible back to Yes (temporarily).

  2. Reconfirm required security configurations before re-enabling.

References: