Redshift Cluster Enhanced VPC Routing
Overview
This check verifies whether Amazon Redshift clusters have Enhanced VPC Routing enabled. When enabled, all traffic between your Redshift cluster and data repositories (like S3) stays within your VPC instead of going over the public internet.
Risk
Without Enhanced VPC Routing, data transfer operations (COPY and UNLOAD commands) can bypass your VPC security controls:
- Traffic may traverse the public internet, exposing sensitive data
- VPC Flow Logs cannot capture this traffic, reducing visibility
- Security groups and network ACLs cannot filter this traffic
- Data exfiltration becomes harder to detect and prevent
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Redshift clusters
- The Redshift cluster must be in a VPC (not EC2-Classic)
AWS Console Method
- Sign in to the AWS Console and go to Amazon Redshift
- In the left navigation, click Provisioned clusters dashboard
- Select your cluster by clicking its identifier
- Click Actions and choose Modify
- Scroll to the Network and security section
- Toggle Enhanced VPC routing to On
- Click Save changes
- If prompted, choose whether to apply immediately or during the next maintenance window
Note: Enabling Enhanced VPC Routing requires a brief cluster reboot. Plan accordingly.
AWS CLI (optional)
Enable Enhanced VPC Routing on an existing cluster:
```bash
aws redshift modify-cluster \
  --cluster-identifier <your-cluster-identifier> \
  --enhanced-vpc-routing \
  --region us-east-1
```
To disable Enhanced VPC Routing (not recommended):
```bash
aws redshift modify-cluster \
  --cluster-identifier <your-cluster-identifier> \
  --no-enhanced-vpc-routing \
  --region us-east-1
```
Check the current status:
```bash
aws redshift describe-clusters \
  --cluster-identifier <your-cluster-identifier> \
  --query 'Clusters[0].EnhancedVpcRouting' \
  --region us-east-1
```
CloudFormation (optional)
To create a new Redshift cluster with Enhanced VPC Routing enabled:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Redshift Cluster with Enhanced VPC Routing
Parameters:
  ClusterIdentifier:
    Type: String
    Description: Identifier for the Redshift cluster
  NodeType:
    Type: String
    Default: dc2.large
    Description: The node type for the cluster
  MasterUsername:
    Type: String
    Description: Master username for the cluster
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the cluster
  DatabaseName:
    Type: String
    Default: mydb
    Description: Name of the default database
  VpcSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security group IDs for the cluster
  ClusterSubnetGroupName:
    Type: String
    Description: Name of the cluster subnet group
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      NodeType: !Ref NodeType
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      DBName: !Ref DatabaseName
      ClusterType: single-node
      VpcSecurityGroupIds: !Ref VpcSecurityGroupIds
      ClusterSubnetGroupName: !Ref ClusterSubnetGroupName
      EnhancedVpcRouting: true
      PubliclyAccessible: false
Outputs:
  ClusterEndpoint:
    Description: Endpoint of the Redshift cluster
    Value: !GetAtt RedshiftCluster.Endpoint.Address
```
Key property: EnhancedVpcRouting: true
For existing clusters managed by CloudFormation, add or update the EnhancedVpcRouting property and run a stack update.
Terraform (optional)
To create a new Redshift cluster with Enhanced VPC Routing enabled:
```hcl
resource "aws_redshift_cluster" "main" {
  cluster_identifier        = var.cluster_identifier
  database_name             = var.database_name
  master_username           = var.master_username
  master_password           = var.master_password
  node_type                 = var.node_type
  cluster_type              = "single-node"
  cluster_subnet_group_name = var.cluster_subnet_group_name
  vpc_security_group_ids    = var.vpc_security_group_ids

  # Enable Enhanced VPC Routing so COPY/UNLOAD traffic stays inside the VPC
  enhanced_vpc_routing = true

  # Additional security settings
  publicly_accessible = false
  encrypted           = true

  # Lifecycle setting, not a security control: skips the final snapshot on
  # destroy. Set to false for clusters holding data you cannot recreate.
  skip_final_snapshot = true
}
```
Key attribute: enhanced_vpc_routing = true
For existing clusters, add the enhanced_vpc_routing = true attribute and run terraform apply.
Verification
After enabling Enhanced VPC Routing:
- Go to Amazon Redshift in the AWS Console
- Click on your cluster identifier
- In the General information section, confirm Enhanced VPC routing shows Enabled
CLI Verification
```bash
aws redshift describe-clusters \
  --cluster-identifier <your-cluster-identifier> \
  --query 'Clusters[0].{ClusterIdentifier:ClusterIdentifier,EnhancedVpcRouting:EnhancedVpcRouting}' \
  --output table \
  --region us-east-1
```
Expected output:
```text
-----------------------------------------------
|               DescribeClusters              |
+---------------------+-----------------------+
|  ClusterIdentifier  |  EnhancedVpcRouting   |
+---------------------+-----------------------+
|  my-cluster         |  True                 |
+---------------------+-----------------------+
```
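The console and CLI steps above verify one cluster at a time. The following script is an added example (not part of the original check or the AWS tooling) that applies the same PASS/FAIL logic to the full JSON output of `aws redshift describe-clusters --output json` and prints the remediation command for each failing cluster. The embedded `SAMPLE_DESCRIBE_CLUSTERS` document is constructed sample data with made-up identifiers, used so the script runs offline.

```python
"""Evaluate DescribeClusters JSON for Enhanced VPC Routing (added example).

Usage against a real account (output is piped in, no SDK needed):
  aws redshift describe-clusters --output json | python3 check_evr.py
With no stdin, the constructed sample below is evaluated instead.
"""
import json
import sys

# Constructed sample shaped like the DescribeClusters response; identifiers
# and VPC ids are invented and carry no meaning outside this example.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "analytics-prod", "VpcId": "vpc-0aaa",
         "EnhancedVpcRouting": True, "PubliclyAccessible": False},
        {"ClusterIdentifier": "etl-staging", "VpcId": "vpc-0bbb",
         "EnhancedVpcRouting": False, "PubliclyAccessible": False},
        {"ClusterIdentifier": "legacy-reporting", "VpcId": "vpc-0ccc",
         "EnhancedVpcRouting": False, "PubliclyAccessible": True},
    ]
})


def evaluate_clusters(describe_json: str) -> list[dict]:
    """One finding per cluster: PASS when EnhancedVpcRouting is true, FAIL
    otherwise. A missing key is treated as disabled (the API default)."""
    findings = []
    for cluster in json.loads(describe_json).get("Clusters", []):
        cluster_id = cluster.get("ClusterIdentifier", "<unknown>")
        enabled = bool(cluster.get("EnhancedVpcRouting", False))
        finding = {"cluster": cluster_id, "status": "PASS" if enabled else "FAIL"}
        if not enabled:
            finding["remediation"] = (
                f"aws redshift modify-cluster --cluster-identifier {cluster_id} "
                "--enhanced-vpc-routing")
            # Public accessibility compounds the exposure; flag it for triage.
            if cluster.get("PubliclyAccessible"):
                finding["note"] = "cluster is also publicly accessible"
        findings.append(finding)
    return findings


def failing_cluster_ids(describe_json: str) -> list[str]:
    return [f["cluster"] for f in evaluate_clusters(describe_json) if f["status"] == "FAIL"]


if __name__ == "__main__":
    raw = SAMPLE_DESCRIBE_CLUSTERS if sys.stdin.isatty() else sys.stdin.read()
    for f in evaluate_clusters(raw):
        extra = f"  ({f['note']})" if "note" in f else ""
        print(f"{f['status']:4} {f['cluster']}{extra}")
    sys.exit(1 if failing_cluster_ids(raw) else 0)
```

The non-zero exit status on any FAIL lets the script gate a CI job or scheduled compliance run.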
Additional Resources
- Amazon Redshift Enhanced VPC Routing
- Amazon Redshift Cluster Subnet Groups
- VPC Endpoints for Amazon S3
- AWS PrivateLink for Redshift
Notes
- VPC Endpoints recommended: When using Enhanced VPC Routing, set up VPC endpoints for S3 and other AWS services your cluster accesses. Without endpoints, traffic will route through a NAT gateway (which has costs and bandwidth limits).
- Cluster reboot required: Enabling Enhanced VPC Routing causes a brief cluster reboot. Schedule changes during maintenance windows for production clusters.
- Network configuration: Ensure your VPC has proper routing tables and security group rules to allow Redshift to reach required AWS services through VPC endpoints or NAT gateways.
- COPY/UNLOAD impact: This setting primarily affects COPY and UNLOAD commands that transfer data to/from S3 or other external data sources.