Redshift Cluster Public Access
Overview
This check verifies that Amazon Redshift clusters are not publicly accessible from the internet. A Redshift cluster is considered publicly exposed when it has a public endpoint, is placed in a public subnet, and has security groups that allow inbound traffic from anywhere (0.0.0.0/0 or ::/0).
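The three conditions above, applied to API response data as an added example (not the page's own code): the dict shapes follow the describe-clusters, describe-cluster-subnet-groups and describe-security-groups responses so boto3 output can be fed in, the sample data is constructed, and the set of public subnet IDs is assumed to come from a separate route-table lookup.

```python
"""Evaluate the check's three exposure conditions for Redshift clusters.
Added example, not the page's own code. Dict shapes follow the AWS API
(describe-clusters, describe-cluster-subnet-groups, describe-security-groups);
sample data is constructed, public_subnets assumed from a route-table lookup."""
WORLD = {"0.0.0.0/0", "::/0"}

def sg_admits_world(sg: dict, port: int) -> bool:
    """True if an ingress rule covering `port` allows any source address."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):        # "-1" means all protocols
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm.get("FromPort", 0),
                                                   perm.get("ToPort", 65535))
        ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
        if lo <= port <= hi and any(r.get("CidrIp", r.get("CidrIpv6")) in WORLD
                                    for r in ranges):
            return True
    return False

def assess_cluster(cluster: dict, subnet_groups: dict, sgs: dict,
                   public_subnets: set) -> dict:
    """Return each condition plus 'exposed', true only when all three hold."""
    port = cluster["Endpoint"]["Port"]
    group = subnet_groups.get(cluster.get("ClusterSubnetGroupName"), {})
    subnets = {s["SubnetIdentifier"] for s in group.get("Subnets", [])}
    sg_ids = [g["VpcSecurityGroupId"] for g in cluster.get("VpcSecurityGroups", [])]
    result = {
        "public_endpoint": bool(cluster.get("PubliclyAccessible")),
        "public_subnet": bool(subnets & public_subnets),
        "open_security_group": any(sg_admits_world(sgs[i], port)
                                   for i in sg_ids if i in sgs),
    }
    result["exposed"] = all(result.values())
    return result

# Constructed sample data: both clusters have the flag set, only one is exposed.
SGS = {"sg-open": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
       "sg-tight": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                                       "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}}
SUBNET_GROUPS = {"pub-group": {"Subnets": [{"SubnetIdentifier": "subnet-pub1"}]},
                 "priv-group": {"Subnets": [{"SubnetIdentifier": "subnet-priv1"}]}}
PUBLIC_SUBNETS = {"subnet-pub1"}
CLUSTERS = [{"ClusterIdentifier": cid, "PubliclyAccessible": True, "Endpoint": {"Port": 5439},
             "ClusterSubnetGroupName": grp, "VpcSecurityGroups": [{"VpcSecurityGroupId": sg}]}
            for cid, grp, sg in (("exposed", "pub-group", "sg-open"),
                                 ("flag-only", "priv-group", "sg-tight"))]
```

Running `assess_cluster(c, SUBNET_GROUPS, SGS, PUBLIC_SUBNETS)` over `CLUSTERS` flags only the first cluster as exposed; the second has the public endpoint flag but neither a public subnet nor an open security group.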
Risk
An internet-exposed Redshift cluster creates serious security vulnerabilities:
- Data theft: Attackers can attempt to brute-force credentials and extract sensitive data
- Data tampering: Unauthorized users may modify or delete your data
- Service disruption: Connection exhaustion attacks can make your cluster unavailable
- Compliance violations: Many regulations (PCI-DSS, HIPAA, SOC 2) prohibit public database access
Remediation Steps
Prerequisites
- AWS Console access with permissions to modify Redshift clusters
- The cluster identifier of the affected Redshift cluster
Required IAM permissions
You need the following IAM permissions:
- redshift:ModifyCluster
- redshift:DescribeClusters
AWS Console Method
- Open the Amazon Redshift console
- In the left navigation, click Clusters
- Select the cluster you want to modify
- Click the Actions dropdown and choose Modify
- Scroll to the Network and security section
- Set Publicly accessible to No
- Click Modify cluster
The change takes effect within a few minutes. Existing connections from public IPs will be terminated.
AWS CLI (optional)
Use the modify-cluster command to disable public access:
aws redshift modify-cluster \
--cluster-identifier <your-cluster-identifier> \
--no-publicly-accessible \
--region us-east-1
Replace <your-cluster-identifier> with your actual cluster name.
To verify the change:
aws redshift describe-clusters \
--cluster-identifier <your-cluster-identifier> \
--query 'Clusters[0].PubliclyAccessible' \
--region us-east-1
This should return false.
CloudFormation (optional)
When creating or updating a Redshift cluster via CloudFormation, set PubliclyAccessible to false:
AWSTemplateFormatVersion: '2010-09-09'
Description: Redshift cluster with public access disabled
Parameters:
  ClusterIdentifier:
    Type: String
    Description: Unique identifier for the Redshift cluster
  MasterUsername:
    Type: String
    Description: Master username for the cluster
    NoEcho: true
  MasterUserPassword:
    Type: String
    Description: Master password for the cluster
    NoEcho: true
  NodeType:
    Type: String
    Default: ra3.large
    AllowedValues:
      - dc2.large
      - dc2.8xlarge
      - ra3.large
      - ra3.xlplus
      - ra3.4xlarge
      - ra3.16xlarge
    Description: Node type for the cluster
  VpcSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: VPC security group ID for the cluster
  SubnetGroupName:
    Type: String
    Description: Name of the Redshift subnet group (must use private subnets)
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: !Ref ClusterIdentifier
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      NodeType: !Ref NodeType
      ClusterType: single-node
      DBName: mydb
      # The setting this check enforces: no public endpoint
      PubliclyAccessible: false
      VpcSecurityGroupIds:
        - !Ref VpcSecurityGroupId
      ClusterSubnetGroupName: !Ref SubnetGroupName
      Encrypted: true
Outputs:
  ClusterEndpoint:
    Description: Redshift cluster endpoint
    Value: !GetAtt RedshiftCluster.Endpoint.Address
  ClusterPort:
    Description: Redshift cluster port
    Value: !GetAtt RedshiftCluster.Endpoint.Port
Deploy the stack:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name my-redshift-cluster \
--parameter-overrides \
ClusterIdentifier=my-cluster \
MasterUsername=admin \
MasterUserPassword=YourSecurePassword123 \
VpcSecurityGroupId=sg-xxxxxxxxx \
SubnetGroupName=my-private-subnet-group \
--region us-east-1
Terraform (optional)
Set publicly_accessible = false in your aws_redshift_cluster resource:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Unique identifier for the Redshift cluster"
  type        = string
}

variable "master_username" {
  description = "Master username for the cluster"
  type        = string
  sensitive   = true
}

variable "master_password" {
  description = "Master password for the cluster"
  type        = string
  sensitive   = true
}

variable "node_type" {
  description = "Node type for the cluster"
  type        = string
  default     = "ra3.large"
}

variable "vpc_security_group_ids" {
  description = "List of VPC security group IDs"
  type        = list(string)
}

variable "cluster_subnet_group_name" {
  description = "Name of the Redshift subnet group"
  type        = string
}

resource "aws_redshift_cluster" "main" {
  cluster_identifier = var.cluster_identifier
  database_name      = "mydb"
  master_username    = var.master_username
  master_password    = var.master_password
  node_type          = var.node_type
  cluster_type       = "single-node"

  # CRITICAL: Disable public access
  publicly_accessible = false

  vpc_security_group_ids    = var.vpc_security_group_ids
  cluster_subnet_group_name = var.cluster_subnet_group_name
  encrypted                 = true

  # Skips the final snapshot on destroy; set to false for production data
  skip_final_snapshot = true
}

output "cluster_endpoint" {
  description = "Redshift cluster endpoint"
  value       = aws_redshift_cluster.main.endpoint
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After making changes, verify that public access is disabled:
- In the Redshift console, select your cluster
- On the Properties tab, look for Publicly accessible
- Confirm it shows No
CLI verification
aws redshift describe-clusters \
--cluster-identifier <your-cluster-identifier> \
--query 'Clusters[0].PubliclyAccessible' \
--region us-east-1
The output should be false.
Additional Resources
- Managing Clusters in a VPC
- Redshift VPC Public and Private Configuration
- Amazon Redshift Security Best Practices
Notes
- Connectivity impact: Disabling public access will immediately terminate any connections from public IP addresses. Ensure your applications connect through private networking (VPC, VPN, or AWS PrivateLink) before making this change.
- Private subnets: For defense in depth, place your Redshift cluster in private subnets that have no route to an internet gateway.
- Security groups: Even with public access disabled, restrict your security groups to allow traffic only from known, trusted CIDR ranges.
- VPC endpoints: Consider using Redshift VPC endpoints for secure, private connectivity from other AWS services.