
Check if Redshift Clusters Use Non-Default Master Usernames

Overview

This check verifies that Amazon Redshift clusters are not using the default master username awsuser. Using a unique, non-default username is a simple but effective security measure that makes it harder for attackers to guess administrative credentials.

Risk

When you use the default username awsuser, attackers already know half of your login credentials. A non-default username is defense in depth, not a substitute for keeping the cluster off the public internet, but the default leaves your cluster exposed to:

  • Credential guessing attacks: with the username known, an attacker only has to guess the password
  • Automated attacks: scanners and brute-force tools try well-known default usernames first
  • Data exposure: the admin user is a superuser, so a compromised admin account can read or change all data in your data warehouse

Remediation Steps

Prerequisites

You need permission to create or manage Redshift clusters in your AWS account.

Required IAM permissions

Your IAM user or role needs the following permissions:

  • redshift:CreateCluster
  • redshift:DescribeClusters
  • redshift:CreateClusterSnapshot (to take a backup of an existing cluster before migrating)
  • redshift:DeleteCluster (if migrating from an existing cluster)
  • secretsmanager:CreateSecret (recommended for credential management)

Important Note

You cannot change the master username on an existing Redshift cluster, and a cluster restored from a snapshot keeps the snapshot's master username. If your cluster currently uses awsuser, you must create a new cluster with a different username and migrate your data into it.

AWS Console Method

For New Clusters

  1. Open the Amazon Redshift console
  2. Click Create cluster
  3. In the Cluster configuration section, enter a Cluster identifier
  4. Under Database configurations:
    • For Admin user name, enter a custom username (anything except awsuser)
    • Choose a username that is not easily guessable, such as dw_admin_prod or analytics_master
  5. Set your Admin user password or let AWS manage it with Secrets Manager
  6. Complete the remaining configuration and click Create cluster

For Existing Clusters Using Default Username

  1. Create a snapshot of your existing cluster (this is your rollback point; restoring it would recreate a cluster with the awsuser admin name, so it is not the migration path):
    • In the Redshift console, select your cluster
    • Click Actions > Create snapshot
    • Wait for the snapshot to complete
  2. Create a new cluster with a non-default username (follow steps above)
  3. Recreate your schema (tables, users, grants) on the new cluster, then move the data: for example, run UNLOAD to S3 on the old cluster and COPY on the new cluster, or use AWS DMS
  4. Update your applications to use the new cluster endpoint and credentials
  5. Delete the old cluster once migration is verified

AWS CLI (optional)

Check Current Clusters

List your clusters and their master usernames:

aws redshift describe-clusters \
--region us-east-1 \
--query 'Clusters[*].[ClusterIdentifier,MasterUsername]' \
--output table

Create a New Cluster with Non-Default Username

aws redshift create-cluster \
--region us-east-1 \
--cluster-identifier my-secure-cluster \
--cluster-type single-node \
--node-type dc2.large \
--master-username dw_admin_prod \
--master-user-password '<your-secure-password>' \
--encrypted \
--no-publicly-accessible

Replace:

  • my-secure-cluster with your desired cluster name
  • dw_admin_prod with your chosen non-default username
  • <your-secure-password> with a strong password (8 to 64 characters with at least one uppercase letter, one lowercase letter and one digit; ' " / @ \ and spaces are not allowed)

For a multi-node cluster, use --cluster-type multi-node together with --number-of-nodes <N>. Be aware that a password passed on the command line is written to your shell history and is visible in the process list while the command runs.

Let AWS manage the password securely (the password is generated and stored in Secrets Manager, so it never appears on your command line):

aws redshift create-cluster \
--region us-east-1 \
--cluster-identifier my-secure-cluster \
--cluster-type single-node \
--node-type dc2.large \
--master-username dw_admin_prod \
--manage-master-password \
--encrypted \
--no-publicly-accessible

Create Snapshot of Existing Cluster

aws redshift create-cluster-snapshot \
--region us-east-1 \
--cluster-identifier old-cluster \
--snapshot-identifier migration-snapshot

Restore from Snapshot

Note: A cluster restored from a snapshot keeps the snapshot's master username, so restoring does not fix this finding. Keep the snapshot as a rollback point and move the data into the new cluster with UNLOAD/COPY through S3 or with AWS DMS.
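The manual export/import path referred to above, as an added example that is not code from the original page: a small Python helper that generates matching UNLOAD (old cluster) and COPY (new cluster) statements per table, using a manifest so the new cluster loads exactly the files the old one wrote. The S3 prefix, the IAM role ARN and the table list are hypothetical placeholders; the IAM role must be associated with both clusters and allowed to read and write the bucket, and the table DDL must already exist on the new cluster before COPY runs.

```python
"""Build the UNLOAD/COPY statement pairs that move tables from an existing
cluster (admin user awsuser) into a new cluster created with a non-default
admin username. Added example, not code from the original page.

Assumptions (all hypothetical values): the S3 prefix, the IAM role ARN and the
table list below are placeholders; the IAM role must be associated with both
clusters and allowed to write/read the bucket; the table DDL must already exist
on the new cluster before COPY runs.
"""
import re

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/")

# Lists every user table on the old cluster; feed its rows to build_migration_sql.
LIST_TABLES_SQL = (
    "SELECT schemaname, tablename FROM pg_tables "
    "WHERE schemaname NOT IN ('pg_catalog', 'pg_internal', 'information_schema');"
)


def quote_ident(name: str) -> str:
    """Double-quote an identifier, refusing anything that is not a plain name so
    a table name read from the catalog cannot smuggle SQL into the statements."""
    if not IDENT_RE.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def build_migration_sql(tables, s3_prefix, iam_role):
    """Return [(unload_sql, copy_sql), ...], one pair per (schema, table).

    UNLOAD (run on the old cluster) writes gzip'd pipe-delimited files plus a
    manifest under <s3_prefix>/<schema>/<table>/; COPY (run on the new cluster)
    loads from that manifest, so only the files UNLOAD produced are read.
    ESCAPE is used on both sides so delimiters and newlines inside values survive.
    """
    if not s3_prefix.startswith("s3://"):
        raise ValueError("s3_prefix must be an s3:// URI")
    if not ROLE_ARN_RE.match(iam_role):
        raise ValueError("iam_role must be an IAM role ARN")
    prefix = s3_prefix.rstrip("/")
    pairs = []
    for schema, table in tables:
        qualified = f"{quote_ident(schema)}.{quote_ident(table)}"
        path = f"{prefix}/{schema}/{table}/"
        # The SELECT sits inside a single-quoted string; identifiers are
        # double-quoted, so no single quote needs escaping here.
        unload = (
            f"UNLOAD ('SELECT * FROM {qualified}') TO '{path}' "
            f"IAM_ROLE '{iam_role}' MANIFEST GZIP ESCAPE ALLOWOVERWRITE;"
        )
        # UNLOAD names its manifest <path>manifest.
        copy = (
            f"COPY {qualified} FROM '{path}manifest' "
            f"IAM_ROLE '{iam_role}' MANIFEST GZIP ESCAPE;"
        )
        pairs.append((unload, copy))
    return pairs


def main():
    # Hypothetical values; replace with your own.
    tables = [("public", "orders"), ("public", "customers")]
    pairs = build_migration_sql(
        tables,
        "s3://my-migration-bucket/redshift-migration",
        "arn:aws:iam::123456789012:role/RedshiftMigration",
    )
    print("-- 1. Run on the OLD cluster (awsuser):")
    for unload, _ in pairs:
        print(unload)
    print("-- 2. Run on the NEW cluster (non-default admin), after creating the DDL:")
    for _, copy in pairs:
        print(copy)


if __name__ == "__main__":
    main()
```

Run LIST_TABLES_SQL on the old cluster to get the (schema, table) rows, pass them to build_migration_sql, execute the UNLOAD statements there and the COPY statements on the new cluster. Identifiers are validated before they are interpolated because they come from a catalog query, and the generated SQL is executed as a superuser.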

CloudFormation (optional)

This template creates a Redshift cluster with a non-default username and uses AWS Secrets Manager for secure credential storage.

AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon Redshift cluster with non-default master username

Parameters:
  ClusterIdentifier:
    Type: String
    Description: Unique identifier for the Redshift cluster
    Default: my-redshift-cluster

  MasterUsername:
    Type: String
    Description: Master username for the cluster (must not be 'awsuser')
    MinLength: 1
    MaxLength: 128
    AllowedPattern: '^(?!awsuser$)[a-z][a-z0-9_]*$'
    ConstraintDescription: Must start with a lowercase letter, contain only lowercase letters, numbers, and underscores, and must not be 'awsuser'

  NodeType:
    Type: String
    Description: Node type for the cluster
    Default: dc2.large
    AllowedValues:
      - dc2.large
      - dc2.8xlarge
      - ra3.xlplus
      - ra3.4xlarge
      - ra3.16xlarge

  NumberOfNodes:
    Type: Number
    Description: Number of nodes in the cluster
    Default: 1
    MinValue: 1

Conditions:
  IsSingleNode: !Equals [!Ref NumberOfNodes, '1']

Resources:
  RedshiftMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${ClusterIdentifier}-master-credentials'
      Description: Master credentials for Redshift cluster
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${MasterUsername}"}'
        GenerateStringKey: password
        PasswordLength: 32
        # Redshift rejects passwords containing ' " / @ \ or spaces
        ExcludeCharacters: "\"'@/\\ "

  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      ClusterType: !If [IsSingleNode, single-node, multi-node]
      NumberOfNodes: !If [IsSingleNode, !Ref 'AWS::NoValue', !Ref NumberOfNodes]
      NodeType: !Ref NodeType
      MasterUsername: !Sub '{{resolve:secretsmanager:${RedshiftMasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${RedshiftMasterSecret}:SecretString:password}}'
      DBName: mydb
      Encrypted: true
      PubliclyAccessible: false

Outputs:
  ClusterEndpoint:
    Description: Redshift cluster endpoint
    Value: !GetAtt RedshiftCluster.Endpoint.Address

  ClusterPort:
    Description: Redshift cluster port
    Value: !GetAtt RedshiftCluster.Endpoint.Port

  SecretArn:
    Description: ARN of the Secrets Manager secret containing credentials
    Value: !Ref RedshiftMasterSecret

Deploy with:

aws cloudformation create-stack \
--region us-east-1 \
--stack-name redshift-secure-cluster \
--template-body file://template.yaml \
--parameters ParameterKey=MasterUsername,ParameterValue=dw_admin_prod

Terraform (optional)

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "cluster_identifier" {
  description = "Unique identifier for the Redshift cluster"
  type        = string
  default     = "my-redshift-cluster"
}

variable "master_username" {
  description = "Master username for the cluster (must not be 'awsuser')"
  type        = string

  # Reject the default name at plan time, before anything is created.
  validation {
    condition     = var.master_username != "awsuser" && can(regex("^[a-z][a-z0-9_]*$", var.master_username))
    error_message = "Master username must not be 'awsuser' and must start with a lowercase letter."
  }
}

variable "master_password" {
  description = "Master password for the cluster"
  type        = string
  sensitive   = true # redacted from plan/apply output; still stored in state
}

variable "node_type" {
  description = "Node type for the cluster"
  type        = string
  default     = "dc2.large"
}

variable "number_of_nodes" {
  description = "Number of nodes in the cluster"
  type        = number
  default     = 1
}

resource "aws_redshift_cluster" "main" {
  cluster_identifier = var.cluster_identifier
  database_name      = "mydb"
  master_username    = var.master_username
  master_password    = var.master_password
  node_type          = var.node_type
  cluster_type       = var.number_of_nodes > 1 ? "multi-node" : "single-node"
  number_of_nodes    = var.number_of_nodes > 1 ? var.number_of_nodes : null

  encrypted           = true
  publicly_accessible = false

  # Convenient for lab clusters; set to false (and supply final_snapshot_identifier)
  # before this manages a cluster that holds real data.
  skip_final_snapshot = true
}

output "cluster_endpoint" {
  description = "Redshift cluster endpoint"
  value       = aws_redshift_cluster.main.endpoint
}

output "cluster_id" {
  description = "Redshift cluster identifier"
  value       = aws_redshift_cluster.main.id
}

Deploy with (the password goes in through the environment rather than on the command line, so it stays out of your shell history; Terraform still writes it to the state file, so keep the state backend encrypted and access-controlled):

terraform init
export TF_VAR_master_password='<your-secure-password>'
terraform apply -var="master_username=dw_admin_prod"

Verification

After creating or updating your cluster, verify the fix:

  1. Go to the Amazon Redshift console
  2. Select your cluster
  3. Check the Database configurations section
  4. Confirm the Admin user name is not awsuser

CLI verification

aws redshift describe-clusters \
--region us-east-1 \
--cluster-identifier my-secure-cluster \
--query 'Clusters[0].MasterUsername' \
--output text

The output should show your custom username, not awsuser.

To check all clusters at once:

aws redshift describe-clusters \
--region us-east-1 \
--query 'Clusters[?MasterUsername==`awsuser`].[ClusterIdentifier]' \
--output text

If this returns no results, all clusters in that region use non-default usernames. Redshift clusters are regional, so repeat the command for every region you use.
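The region-by-region verification above, as an added example that is not code from the original page: a Python script whose check function works on the JSON shape returned by `aws redshift describe-clusters`, so it can be run against saved output, and whose sweep shells out to the AWS CLI for every region the account has enabled. The live sweep assumes the AWS CLI is installed with credentials that allow ec2:DescribeRegions and redshift:DescribeClusters; the sample clusters embedded in the script are constructed for illustration.

```python
"""Flag Redshift clusters whose admin (master) username is the default awsuser,
across every region enabled for the account.

Added example, not code from the original page. The check itself
(clusters_with_default_admin) takes the dict returned by
`aws redshift describe-clusters --output json`; main() assumes the AWS CLI is
installed and has credentials for ec2:DescribeRegions and
redshift:DescribeClusters.
"""
import json
import subprocess

DEFAULT_ADMIN_USERNAMES = {"awsuser"}  # the name the console pre-fills


def clusters_with_default_admin(describe_output, denied=DEFAULT_ADMIN_USERNAMES):
    """Return [(ClusterIdentifier, MasterUsername)] for clusters that fail the check.

    Redshift stores usernames in lowercase, but compare case-insensitively anyway
    so a hand-edited inventory file cannot hide a hit behind capitalisation.
    """
    findings = []
    for cluster in describe_output.get("Clusters", []):
        username = cluster.get("MasterUsername", "")
        if username.lower() in denied:
            findings.append((cluster["ClusterIdentifier"], username))
    return findings


def _aws_json(args):
    """Run one AWS CLI command and parse its JSON output (live use only)."""
    out = subprocess.run(
        ["aws", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def enabled_regions():
    """Regions enabled for this account, from EC2's region listing."""
    return _aws_json(["ec2", "describe-regions", "--query", "Regions[].RegionName"])


def main():
    total = 0
    for region in enabled_regions():
        try:
            clusters = _aws_json(["redshift", "describe-clusters", "--region", region])
        except subprocess.CalledProcessError as exc:
            # Redshift is not offered in every region; report and keep going.
            print(f"{region}: describe-clusters failed: {exc.stderr.strip()}")
            continue
        findings = clusters_with_default_admin(clusters)
        for cluster_id, username in findings:
            print(f"FAIL {region} {cluster_id}: admin user is {username!r}")
        total += len(findings)
    if total == 0:
        print("PASS: no cluster uses a default admin username")
    else:
        print(f"{total} cluster(s) need migration to a new admin username")


# Constructed sample in the shape of `aws redshift describe-clusters --output json`.
SAMPLE = {
    "Clusters": [
        {"ClusterIdentifier": "legacy-dw", "MasterUsername": "awsuser", "NodeType": "dc2.large"},
        {"ClusterIdentifier": "analytics-prod", "MasterUsername": "dw_admin_prod", "NodeType": "ra3.xlplus"},
    ]
}


if __name__ == "__main__":
    main()
```

To audit saved output offline, load the JSON file and pass the dict to clusters_with_default_admin; a non-empty result means at least one cluster still has to be migrated, since the username cannot be changed in place.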

Additional Resources

Notes

  • Username cannot be changed: Once a cluster is created, you cannot modify the master username. Plan accordingly.
  • Migration required for existing clusters: If you have production clusters using awsuser, plan a migration window to create new clusters and transfer data.
  • Use AWS DMS for data migration: For large datasets, consider using AWS Database Migration Service to move data between clusters with minimal downtime.
  • Combine with other security measures: Using a non-default username is one layer of defense. Also implement strong passwords, network isolation (VPC), encryption, and IAM authentication where possible.