Redshift Cluster Non-Default Database Name
Overview
This check verifies that Amazon Redshift clusters use a custom database name instead of the default value "dev". Using a unique, non-default database name is a simple security hardening measure that reduces the predictability of your database configuration.
Risk
Using the default "dev" database name creates security concerns:
- Easier targeting: Attackers often attempt connections using common default names like "dev", "test", or "default"
- Enumeration attacks: Default names make it simpler for attackers to guess database configurations
- Misconfiguration risk: IAM policies or network rules using generic names may unintentionally match your database
- Security through obscurity: While not a primary defense, unique names add a small additional barrier
Severity: Low - This is a defense-in-depth measure rather than a critical vulnerability.
Remediation Steps
Prerequisites
- AWS account access with permissions to create or modify Redshift clusters
- If migrating an existing cluster: plan for data migration and application connection string updates
Important: The database name cannot be changed after a cluster is created. If your existing cluster uses the default name, you must create a new cluster with a custom name and migrate your data.
AWS Console Method
For new clusters:
- Open the Amazon Redshift console
- Click Create cluster
- In the Database configurations section, find the Database name field
- Replace the default value "dev" with a custom name (e.g., analytics_db, sales_warehouse)
- Complete the remaining configuration and click Create cluster
For existing clusters using the default name:
Since database names cannot be modified after creation, you need to migrate to a new cluster:
- Create a new cluster with a custom database name (follow the steps above)
- Use the Redshift data sharing feature or UNLOAD/COPY commands to migrate your data
- Update application connection strings to point to the new cluster
- After verifying the migration, delete the old cluster
AWS CLI (optional)
Check current cluster database names:
aws redshift describe-clusters \
  --region us-east-1 \
  --query 'Clusters[*].[ClusterIdentifier,DBName]' \
  --output table
Create a new cluster with a custom database name:
aws redshift create-cluster \
  --region us-east-1 \
  --cluster-identifier my-redshift-cluster \
  --db-name analytics_warehouse \
  --node-type dc2.large \
  --cluster-type multi-node \
  --number-of-nodes 2 \
  --master-username admin \
  --manage-master-password \
  --cluster-subnet-group-name my-subnet-group \
  --encrypted \
  --no-publicly-accessible
Replace the following placeholders:
- my-redshift-cluster - Your unique cluster identifier
- analytics_warehouse - Your custom database name (avoid "dev", "test", "default")
- my-subnet-group - Your existing cluster subnet group name
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon Redshift cluster with non-default database name
Parameters:
  ClusterIdentifier:
    Type: String
    Description: Unique identifier for the Redshift cluster
  DatabaseName:
    Type: String
    Description: Custom database name (avoid 'dev' or other default names)
    Default: analytics_warehouse
  MasterUsername:
    Type: String
    Description: Master username for the cluster
  NodeType:
    Type: String
    Description: Node type for the cluster
    Default: dc2.large
  NumberOfNodes:
    Type: Number
    Description: Number of compute nodes
    Default: 2
  SubnetGroupName:
    Type: String
    Description: Name of the cluster subnet group
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      DBName: !Ref DatabaseName
      MasterUsername: !Ref MasterUsername
      ManageMasterPassword: true
      NodeType: !Ref NodeType
      ClusterType: multi-node
      NumberOfNodes: !Ref NumberOfNodes
      ClusterSubnetGroupName: !Ref SubnetGroupName
      Encrypted: true
      PubliclyAccessible: false
Outputs:
  ClusterEndpoint:
    Description: Redshift cluster endpoint
    Value: !GetAtt RedshiftCluster.Endpoint.Address
  DatabaseName:
    Description: Database name configured for the cluster
    Value: !Ref DatabaseName
Deploy the stack:
aws cloudformation create-stack \
  --region us-east-1 \
  --stack-name redshift-custom-dbname \
  --template-body file://template.yaml \
  --parameters \
    ParameterKey=ClusterIdentifier,ParameterValue=my-redshift-cluster \
    ParameterKey=DatabaseName,ParameterValue=analytics_warehouse \
    ParameterKey=MasterUsername,ParameterValue=admin \
    ParameterKey=SubnetGroupName,ParameterValue=my-subnet-group
Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Unique identifier for the Redshift cluster"
  type        = string
}

variable "database_name" {
  description = "Custom database name (avoid 'dev' or other default names)"
  type        = string
  default     = "analytics_warehouse"
}

variable "master_username" {
  description = "Master username for the cluster"
  type        = string
}

variable "master_password" {
  description = "Master password for the cluster"
  type        = string
  sensitive   = true
}

variable "node_type" {
  description = "Node type for the cluster"
  type        = string
  default     = "dc2.large"
}

variable "number_of_nodes" {
  description = "Number of compute nodes"
  type        = number
  default     = 2
}

variable "subnet_group_name" {
  description = "Name of the cluster subnet group"
  type        = string
}

resource "aws_redshift_cluster" "main" {
  cluster_identifier        = var.cluster_identifier
  database_name             = var.database_name
  master_username           = var.master_username
  master_password           = var.master_password
  node_type                 = var.node_type
  cluster_type              = "multi-node"
  number_of_nodes           = var.number_of_nodes
  cluster_subnet_group_name = var.subnet_group_name
  encrypted                 = true
  publicly_accessible       = false
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final-snapshot"
}

output "cluster_endpoint" {
  description = "Redshift cluster endpoint"
  value       = aws_redshift_cluster.main.endpoint
}

output "database_name" {
  description = "Database name configured for the cluster"
  value       = aws_redshift_cluster.main.database_name
}
Apply the configuration:
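# Read the master password into the environment (bash) so it stays out of
# shell history; Terraform picks it up as var.master_password.
read -rs TF_VAR_master_password && export TF_VAR_master_password

terraform init
# Save the plan so that apply uses exactly the values that were reviewed
terraform plan -out=tfplan \
  -var="cluster_identifier=my-redshift-cluster" \
  -var="master_username=admin" \
  -var="subnet_group_name=my-subnet-group"
terraform apply tfplan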
Verification
In the AWS Console:
- Go to the Amazon Redshift console
- Click on your cluster
- In the General information section, verify the Database name is not "dev"
CLI verification
# List all clusters and their database names
aws redshift describe-clusters \
  --region us-east-1 \
  --query 'Clusters[*].[ClusterIdentifier,DBName]' \
  --output table

# Check a specific cluster
aws redshift describe-clusters \
  --region us-east-1 \
  --cluster-identifier my-redshift-cluster \
  --query 'Clusters[0].DBName' \
  --output text
The output should show your custom database name, not "dev".
Re-run the Prowler check:
prowler aws --checks redshift_cluster_non_default_database_name
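
The same verification can be scripted over the JSON form of the describe-clusters output. The Python below is an added example, not code from Prowler or from this page; the sample response is constructed, and the WARN tier for "test" and "default" is an assumption layered on top of the check, which itself looks only for "dev".

```python
import json
import sys

DEFAULT_DB_NAME = "dev"                  # Redshift's default, the value the check looks for
PREDICTABLE_NAMES = {"test", "default"}  # other names this page advises against

# Constructed sample in the shape of `aws redshift describe-clusters --output json`.
SAMPLE_RESPONSE = json.loads("""
{"Clusters": [
  {"ClusterIdentifier": "legacy-reporting", "DBName": "dev"},
  {"ClusterIdentifier": "qa-warehouse", "DBName": "test"},
  {"ClusterIdentifier": "my-redshift-cluster", "DBName": "analytics_warehouse"},
  {"ClusterIdentifier": "half-built"}
]}
""")


def audit_db_names(response):
    """Return one (cluster_id, db_name, status) tuple per cluster in the response."""
    results = []
    for cluster in response.get("Clusters", []):
        cluster_id = cluster.get("ClusterIdentifier", "<unknown>")
        db_name = cluster.get("DBName")
        if not db_name:
            status = "UNKNOWN"  # field absent: never report a pass that cannot be proven
        elif db_name.lower() == DEFAULT_DB_NAME:
            status = "FAIL"
        elif db_name.lower() in PREDICTABLE_NAMES:
            status = "WARN"     # assumption: extra tier, not part of the Prowler check
        else:
            status = "PASS"
        results.append((cluster_id, db_name, status))
    return results


def clusters_to_migrate(response):
    """Identifiers of clusters that need the new-cluster migration described above."""
    return [cid for cid, _, status in audit_db_names(response) if status == "FAIL"]


if __name__ == "__main__":
    # Pipe real CLI output in, or run from a terminal to use the constructed sample.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for cid, name, status in audit_db_names(data):
        print(f"{status:8}{cid:24}{name or '-'}")
    sys.exit(1 if clusters_to_migrate(data) else 0)
```

The script exits with status 1 when any cluster still uses "dev", which makes it usable as a gate in a scheduled job or pipeline.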
Additional Resources
- Amazon Redshift Getting Started Guide
- Amazon Redshift Cluster Management Guide
- Amazon Redshift Security Best Practices
- Prowler Check Documentation
Notes
- Database name is immutable: Once a Redshift cluster is created, the database name cannot be changed. Plan accordingly.
- Naming conventions: Establish a naming standard for your organization. Use descriptive names like sales_analytics, customer_data_warehouse, or reporting_db rather than generic terms.
- Application updates: When migrating to a new cluster, remember to update all application connection strings, ETL jobs, and BI tool configurations.
- Compliance frameworks: This check is mapped to the CCC (Cloud Computing Compliance) framework.