🛡️ AWS Redshift Cluster is publicly accessible🟢

Contextual name: 🛡️ Cluster is publicly accessible🟢
ID: /ce/ca/aws/redshift/cluster-publicly-accessible
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Redshift Cluster
- 🔌 AWS Redshift Cluster - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Redshift.1] Amazon Redshift clusters should prohibit public access

Description

Description

This policy identifies AWS Redshift Clusters that are configured with the Publicly Accessible setting enabled. When this flag is set to true, the cluster is internet-facing and assigned a publicly resolvable DNS name that maps to a public IP address.

Rationale

Publicly accessible databases and data warehouses significantly increase the attack surface of your cloud environment. Exposing a Redshift cluster to the Internet allows unauthorized actors to attempt exploitation of vulnerabilities or perform brute-force attacks against the cluster endpoint. Configuring clusters as private supports a defense-in-depth strategy by ensuring that access to the data warehouse is restricted to trusted networks within your VPC.

Audit

This policy flags an AWS Redshift Cluster as INCOMPLIANT if Publicly Accessible is set to Yes.

Clusters that are not in the available state are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Disable Public Accessibility

To reduce the attack surface and prevent Internet exposure, configure Amazon Redshift clusters to be private by disabling public accessibility. This ensures the cluster endpoint is reachable only from within trusted networks in your VPC.

From Command Line

Use the following AWS CLI command to disable public access for the specified Redshift cluster:
aws redshift modify-cluster \
    --cluster-identifier {{cluster-id}} \
    --no-publicly-accessible
Note: This change may require a cluster restart to take effect, depending on the current configuration.

After applying the change, verify that applications and users can still connect to the cluster through approved private network paths.

Additional Considerations

Private Connectivity: Use Interface VPC Endpoints (AWS PrivateLink) to enable secure, private connectivity to Amazon Redshift without routing traffic over the public Internet.

Network Restrictions: Apply the principle of least privilege by configuring security groups to allow inbound traffic only on the Redshift port (default: 5439) and only from approved internal IP ranges or VPC resources.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.1] Amazon Redshift clusters should prohibit public access			1	no data
💼 Cloudaware Framework → 💼 Network Exposure			137	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	90	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	39	112	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	68	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	12	85	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	88	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			90	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			90	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		94	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		85	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		72	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			167	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			129	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	6	66	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	76	131	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		42	68	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	8	98	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			35	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	67	no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	30	no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			30	no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			15	no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			30	no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			15	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			67	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			67	no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			30	no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		9	67	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			67	no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		9	30	no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Disable Public Accessibility​

From Command Line​

Additional Considerations​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Disable Public Accessibility

From Command Line

Additional Considerations

policy.yaml

Linked Framework Sections