AWS Redshift Cluster security group allows unrestricted access on the cluster port
- Contextual name: Cluster security group allows unrestricted access on the cluster port
- ID: /ce/ca/aws/redshift/cluster-security-group-unrestricted-port
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins
Description
This policy identifies AWS Redshift Clusters that are associated with VPC security groups containing inbound rules that allow unrestricted access to the Redshift cluster port (TCP 5439) from the public internet (0.0.0.0/0 or ::/0).
Rationale
Amazon Redshift clusters commonly store sensitive analytical data. Allowing unrestricted inbound connectivity to the database port increases the likelihood of unauthorized access attempts, credential stuffing, brute-force attacks, and accidental exposure. Even when authentication is required, internet-exposed database ports materially increase attack surface and monitoring burden.
Security group ingress to the Redshift port should be limited to:
- Trusted corporate/public egress IPs (specific CIDRs),
- Approved network paths (VPN, Direct Connect, bastion, private connectivity),
- Or internal VPC-only sources where appropriate.
Impact
Restricting inbound access to TCP 5439 may disrupt workloads if applications, BI tools, or user networks currently connect from untracked or dynamic IP ranges. Before enforcing restrictions, confirm the legitimate client source ranges and ensure network paths (VPN/Direct Connect/VPC routing) are in place.
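The Impact section asks for the legitimate client source ranges to be confirmed before the rules are tightened. The following is an added example, not part of this policy page and not Cloudaware's logic: it assumes VPC Flow Logs are enabled on the cluster's network interfaces in the default (version 2) format, reads constructed sample records, and summarises which sources actually completed TCP connections to the cluster port. The `vpc_cidr` value, the `min_flows` threshold, the account, ENI and all addresses are assumptions chosen for illustration.

```python
# Added example (not from the page or Cloudaware): before tightening ingress to the
# cluster port, find out who actually connects. Assumes VPC Flow Logs on the cluster
# ENIs in the default version-2 format: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status.
import ipaddress
from collections import Counter

CLUSTER_PORT = 5439
TCP = "6"  # IANA protocol number as it appears in the protocol field

# Constructed sample records; the account, ENI and addresses are placeholders.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51234 5439 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51298 5439 6 18 3600 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 51240 5439 6 30 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 51301 5439 6 25 5000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.14 10.0.1.25 40000 5439 6 100 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.25 60000 5439 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.25 60001 5439 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51300 443 6 5 500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Yield well-formed version-2 records; NODATA/SKIPDATA rows carry no addresses."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        yield {"src": f[3], "dstport": int(f[6]), "proto": f[7], "action": f[12]}

def accepted_sources(text, port=CLUSTER_PORT):
    """Count ACCEPTed TCP flows to the cluster port per source address. REJECT rows are
    traffic the security group already blocks, so they are not evidence of a client."""
    counts = Counter()
    for r in parse_flow_log(text):
        if r["proto"] == TCP and r["dstport"] == port and r["action"] == "ACCEPT":
            counts[r["src"]] += 1
    return counts

def proposed_cidrs(counts, vpc_cidr="10.0.0.0/16", min_flows=2):
    """Sort observed sources into: inside the VPC (serve them with the VPC CIDR or a
    security-group reference), external sources seen at least `min_flows` times
    (candidate /32s to map onto owned egress ranges), and one-off externals to
    review with the application owners before any rule is written for them."""
    vpc = ipaddress.ip_network(vpc_cidr)
    plan = {"internal": [], "candidates": [], "review": []}
    for src, n in counts.items():
        if ipaddress.ip_address(src) in vpc:
            plan["internal"].append(src)
        elif n >= min_flows:
            plan["candidates"].append(f"{src}/32")
        else:
            plan["review"].append(src)
    return {k: sorted(v) for k, v in plan.items()}

if __name__ == "__main__":
    counts = accepted_sources(SAMPLE_FLOW_LOGS)
    print(counts.most_common())
    print(proposed_cidrs(counts))
```

The `min_flows` threshold is a heuristic, not a security decision: a source that appears once may be a legitimate monthly job or a stray client, so it goes to the review list rather than being silently allowed or dropped. Run the same summary over a full billing period of logs, not a sample, before the revoke step.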
Remediation
Restrict public inbound access to the Redshift cluster port (TCP 5439)
Update the VPC security group(s) associated with the Redshift cluster to remove inbound rules that allow access from 0.0.0.0/0 and/or ::/0 to TCP port 5439. Replace them with trusted CIDR ranges, or route access through approved private connectivity (VPN/Direct Connect/bastion).
From Command Line
Identify the cluster security groups:

```bash
aws redshift describe-clusters \
  --cluster-identifier {{cluster-id}} \
  --query 'Clusters[0].VpcSecurityGroups[].VpcSecurityGroupId' \
  --output text
```

Review the inbound rules on each security group:

```bash
aws ec2 describe-security-groups \
  --group-ids {{sg-id}} \
  --query 'SecurityGroups[0].IpPermissions' \
  --output json
```

Revoke unrestricted IPv4 ingress to TCP 5439:

```bash
aws ec2 revoke-security-group-ingress \
  --group-id {{sg-id}} \
  --ip-permissions '[
    {
      "IpProtocol": "tcp",
      "FromPort": 5439,
      "ToPort": 5439,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
    }
  ]'
```
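The check stated in the Description and the three command-line steps above, worked through as an added Python example; this is not Cloudaware's prod.logic.yaml and not AWS code. It consumes the JSON that `aws ec2 describe-security-groups` returns, evaluates every rule against the cluster port (which should be read from `describe-clusters` `Clusters[].Endpoint.Port` rather than assumed to be 5439), and emits the exact `--ip-permissions` payloads for the revoke and authorize calls, covering the `::/0` rules, all-traffic (`-1`) rules and port ranges that the single IPv4 command above does not. The group IDs, the addresses and the `trusted_cidrs` list are constructed placeholders.

```python
# Added example (not Cloudaware's prod.logic.yaml, not AWS code): evaluate a
# Redshift cluster's VPC security groups for world-open ingress on the cluster
# port and build the --ip-permissions payloads for the revoke/authorize calls.
# Input is the JSON shape of `aws ec2 describe-security-groups`; take the port
# from describe-clusters Clusters[].Endpoint.Port, as 5439 is only the default.
import ipaddress
import json

WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"

def rule_covers_port(rule, port):
    """"-1" is all protocols and ports; a TCP rule counts if its range spans `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_cidrs(rule):
    """0.0.0.0/0 and ::/0 sources on one rule; specific CIDRs and SG references are fine."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
    return v4 + v6

def evaluate_group(sg, port):
    """One finding per rule that exposes `port` to the world; [] means the group passes."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = world_open_cidrs(rule)
        if cidrs and rule_covers_port(rule, port):
            findings.append({"GroupId": sg["GroupId"], "IpProtocol": rule["IpProtocol"],
                             "FromPort": rule.get("FromPort"), "ToPort": rule.get("ToPort"),
                             "Cidrs": cidrs})
    return findings

def revoke_payload(findings):
    """--ip-permissions for revoke-security-group-ingress. EC2 matches a revocation on
    protocol, port range and CIDR, so each entry repeats the rule's own range (a
    5000-6000 rule is revoked as 5000-6000, not as 5439) and names only the world
    CIDRs, which leaves any other sources on the same rule in place."""
    payload = []
    for f in findings:
        entry = {"IpProtocol": f["IpProtocol"]}
        if f["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = f["FromPort"], f["ToPort"]
        if WORLD_V4 in f["Cidrs"]:
            entry["IpRanges"] = [{"CidrIp": WORLD_V4}]
        if WORLD_V6 in f["Cidrs"]:
            entry["Ipv6Ranges"] = [{"CidrIpv6": WORLD_V6}]
        payload.append(entry)
    return payload

def is_unrestricted(cidr):
    """A /0 in either family is the world, however it is written; junk raises ValueError."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen == 0

def authorize_payload(port, trusted_cidrs):
    """--ip-permissions for authorize-security-group-ingress: TCP `port` from explicit
    trusted CIDRs only. Refuses /0 so the fix cannot silently re-open the port."""
    v4, v6 = [], []
    for cidr in trusted_cidrs:
        if is_unrestricted(cidr):
            raise ValueError(f"{cidr} is unrestricted; refusing to authorize it")
        (v4 if ipaddress.ip_network(cidr).version == 4 else v6).append(cidr)
    entry = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if v4:
        entry["IpRanges"] = [{"CidrIp": c, "Description": "approved client range"} for c in v4]
    if v6:
        entry["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": "approved client range"} for c in v6]
    return [entry]

def cli_commands(group_id, revoke, authorize):
    """The aws ec2 commands equivalent to the two payloads, ready to paste."""
    cmds = []
    if revoke:
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
                    f"--ip-permissions '{json.dumps(revoke)}'")
    cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                f"--ip-permissions '{json.dumps(authorize)}'")
    return cmds

# Constructed sample in describe-security-groups shape; IDs and addresses are placeholders.
SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,  # world plus a specific /24
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,  # range spans 5439, IPv6 world
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,    # world, but not the cluster port
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,  # SG reference only: compliant
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
]}

if __name__ == "__main__":
    found = evaluate_group(SAMPLE_SG, 5439)
    print(json.dumps(found, indent=2))
    for cmd in cli_commands(SAMPLE_SG["GroupId"], revoke_payload(found),
                            authorize_payload(5439, ["198.51.100.0/24", "2001:db8::/48"])):
        print(cmd)
```

Two points of the design matter in practice. The revoke entries carry only the world CIDRs, so a rule that mixes `0.0.0.0/0` with a legitimate `/24` keeps the `/24` after the call; and a rule with a port range is revoked by its full range, because EC2 will not match a partial revocation, so the replacement must re-add the other ports that range was serving if anything still needs them.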
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins | 1 | no data | | | |
| Cloudaware Framework → Secure Access | 75 | no data | | | |
| PCI DSS v3.2.1 → 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. | 10 | 65 | no data | | |
| PCI DSS v4.0.1 → 1.3.1 Inbound traffic to the CDE is restricted. | 65 | no data | | | |
| PCI DSS v4.0.1 → 1.3.2 Outbound traffic from the CDE is restricted. | 65 | no data | | | |
| PCI DSS v4.0 → 1.3.1 Inbound traffic to the CDE is restricted. | 7 | 65 | no data | | |
| PCI DSS v4.0 → 1.3.2 Outbound traffic from the CDE is restricted. | 65 | no data | | | |