AWS Redshift Cluster Master Username is a default value
- Contextual name: Cluster Master Username is a default value
- ID: /ce/ca/aws/redshift/cluster-master-username
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [Redshift.8] Amazon Redshift clusters should not use the default Admin username
- Cloud Conformity: Redshift Cluster Default Master Username
Description
This policy identifies AWS Redshift Clusters that are using the default master username. AWS Redshift clusters should be configured with custom master usernames instead of the default awsuser.
Rationale
Using a custom master username adds an additional layer of defense against generic or non-targeted attacks. While changing the default master username improves security, it does not fully prevent attackers who may obtain database usernames through social engineering or other means. For comprehensive Redshift security, it is recommended to restrict the root account to privileged users, enforce strong and complex passwords, and grant database-level permissions only to trusted users.
Impact
Requires recreating the database cluster with a custom master username and migrating the existing data to the new cluster.
Audit
This policy flags an Amazon Redshift Cluster as INCOMPLIANT if the Master Username is set to awsuser.
Remediation
Change the Default Master Username
To replace the default master username for an existing AWS Redshift Cluster, you must create a new cluster with a custom master username and migrate your data from the old cluster.
From Command Line
Retrieve cluster configuration
Use the describe-clusters command to obtain the current configuration of the cluster you plan to replace:

```bash
aws redshift describe-clusters \
  --region {{region}} \
  --cluster-identifier {{cluster-id}}
```

The output will include metadata such as node type, database name, and current master username, which you will need when creating the new cluster.
Example:

```json
{
  "Clusters": [
    {
      "PubliclyAccessible": true,
      "MasterUsername": "awsuser",
      "DBName": "awsclusterdb",
      "ClusterStatus": "available"
    }
  ]
}
```

Create a new cluster
Use the configuration information from the previous step to launch a new cluster with a custom master username:
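As an added example (not part of this policy page or its prod.logic.yaml), the following Python applies the audit rule above to the JSON that the describe-clusters step returns, so the same check can be run over every cluster in an account before deciding which ones need the cluster rebuild described in the remediation. The sample document is constructed; the case-insensitive comparison and the UNKNOWN status for records without a MasterUsername are choices made here, not part of the policy.

```python
import json
from typing import Any, Dict, List

# Default master username the policy checks for (taken from the page).
DEFAULT_MASTER_USERNAME = "awsuser"

# Constructed sample in the shape of `aws redshift describe-clusters` output;
# the cluster identifiers and settings are made up for this example.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({"Clusters": [
    {"ClusterIdentifier": "analytics-prod", "MasterUsername": "awsuser",
     "DBName": "awsclusterdb", "PubliclyAccessible": True, "ClusterStatus": "available"},
    {"ClusterIdentifier": "reporting-dev", "MasterUsername": "rpt_admin",
     "DBName": "reports", "PubliclyAccessible": False, "ClusterStatus": "available"},
    {"ClusterIdentifier": "legacy-etl", "MasterUsername": "AWSUSER",
     "DBName": "etl", "PubliclyAccessible": False, "ClusterStatus": "paused"},
]})


def evaluate_cluster(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Policy verdict for one cluster record. The comparison is case-insensitive
    (an assumption made here so a differently cased default is not passed as a
    custom name); a record with no MasterUsername is reported as UNKNOWN."""
    username = cluster.get("MasterUsername") or ""
    if not username:
        status = "UNKNOWN"
    elif username.lower() == DEFAULT_MASTER_USERNAME:
        status = "INCOMPLIANT"
    else:
        status = "COMPLIANT"
    return {
        "ClusterIdentifier": cluster.get("ClusterIdentifier", "<unknown>"),
        "MasterUsername": username,
        "PubliclyAccessible": bool(cluster.get("PubliclyAccessible", False)),
        "Status": status,
    }


def evaluate_describe_clusters_output(raw_json: str) -> List[Dict[str, Any]]:
    """Evaluate every cluster in a describe-clusters JSON document."""
    return [evaluate_cluster(c) for c in json.loads(raw_json).get("Clusters", [])]


def incompliant_cluster_ids(raw_json: str) -> List[str]:
    """Clusters still on the default master username, publicly accessible ones
    first because they are the most exposed."""
    findings = [f for f in evaluate_describe_clusters_output(raw_json)
                if f["Status"] == "INCOMPLIANT"]
    findings.sort(key=lambda f: (not f["PubliclyAccessible"], f["ClusterIdentifier"]))
    return [f["ClusterIdentifier"] for f in findings]
```

To run it against a real account, feed the output of `aws redshift describe-clusters --region {{region}} --output json` to evaluate_describe_clusters_output in place of the constructed sample.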
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [Redshift.8] Amazon Redshift clusters should not use the default Admin username | 1 | no data | | | |
| Cloudaware Framework → Threat Protection | 49 | no data | | | |
| FedRAMP High Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 3 | 1 | 47 | no data | |
| FedRAMP Low Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 45 | no data | | | |
| FedRAMP Moderate Security Controls → CM-2 Baseline Configuration (L)(M)(H) | 3 | 47 | no data | | |
| NIST SP 800-53 Revision 5 → CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data | | | |
| NIST SP 800-53 Revision 5 → CM-2 Baseline Configuration | 7 | 46 | no data | | |