🧠 AWS Redshift Cluster security group allows unrestricted access on the cluster port - prod.logic.yaml 🟢
- Contextual name: 🧠 prod.logic.yaml 🟢
- ID: /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml
- Tags:
  - 🟢 Logic test success
  - 🟢 Logic with extracts
  - 🟢 Logic with test data
Uses
- AWS Redshift Cluster
- AWS EC2 Security Group Rule - object.extracts.yaml
- AWS Redshift Cluster - object.extracts.yaml
- 🧪 test-data.json
Test Results 🟢
Generated at: 2026-02-05T22:32:03.415622935Z
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| 🟢 | test1 | 199 | extract('CA10__status__c') != 'available' | null |
| 🟢 | test2 | 299 | extract('CA10__endpointPort2__c') != number(5439.0) | null |
| 🟢 | test3 | 400 | otherwise | null |
| 🟢 | test4 | 399 | CA10__AWS_Redshift_Cluster_VPC_SG_Links__r.has(INCOMPLIANT) | null |
| 🟢 | test5 | 399 | CA10__AWS_Redshift_Cluster_VPC_SG_Links__r.has(INCOMPLIANT) | null |
Generation Bundle
| File | MD5 |
|---|---|
| /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/policy.yaml | A0BEA68413D24845F458234BC96C7900 |
| /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml | 4441A17447477953CCDCCBD5CC476792 |
| /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/test-data.json | A5E8FD505BE6E4EC940416716D972AD7 |
| /types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml | 58DC1872D7462985D50972C65C61C237 |
| /types/CA10__CaAwsRedshiftCluster__c/object.extracts.yaml | 978033E93A3BC4EEE31B6916039330FF |
Available Commands
```bash
repo-manager policies generate FULL /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/redshift/cluster-security-group-unrestricted-port/prod.logic.yaml
```
Content
```yaml
---
inputType: "CA10__CaAwsRedshiftCluster__c"
importExtracts:
  - file: "/types/CA10__CaAwsRedshiftCluster__c/object.extracts.yaml"
  - file: "/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml"
testData:
  - file: "test-data.json"
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "The cluster is not available."
    check:
      NOT_EQUAL:
        left:
          EXTRACT: "CA10__status__c"
        right:
          TEXT: "available"
  - status: "INAPPLICABLE"
    currentStateMessage: "This policy only applies to the default port (TCP 5439)."
    check:
      NOT_EQUAL:
        left:
          EXTRACT: "CA10__endpointPort2__c"
        right:
          NUMBER: 5439
  - status: "INCOMPLIANT"
    currentStateMessage: "The cluster is associated with a security group that allows unrestricted inbound access to the Redshift port (TCP 5439)."
    remediationMessage: "Restrict inbound access to TCP 5439 by removing 0.0.0.0/0 and ::/0 rules or scoping them to trusted CIDRs only."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_Redshift_Cluster_VPC_SG_Links__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "The cluster does not allow unrestricted inbound access to the Redshift port (TCP 5439)."
relatedLists:
  - relationshipName: "CA10__AWS_Redshift_Cluster_VPC_SG_Links__r"
    conditions:
      - status: "INCOMPLIANT"
        currentStateMessage: "This security group allows unrestricted inbound access to the Redshift port (TCP 5439)."
        remediationMessage: "Remove or scope down the incompliant inbound rule to trusted CIDRs."
        check:
          RELATED_LIST_HAS:
            status: "INCOMPLIANT"
            relationshipName: "CA10__securityGroup__r.CA10__AWS_EC2_Security_Group_Rules1__r"
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This security group does not allow unrestricted inbound access to the Redshift port."
    relatedLists:
      - relationshipName: "CA10__securityGroup__r.CA10__AWS_EC2_Security_Group_Rules1__r"
        conditions:
          - status: "INAPPLICABLE"
            currentStateMessage: "This is an outbound security group rule."
            check:
              NOT_EQUAL:
                left:
                  EXTRACT: "CA10__direction__c"
                right:
                  TEXT: "Inbound"
          - status: "INAPPLICABLE"
            currentStateMessage: "This is not an IP source based security group rule."
            check:
              NOT_EQUAL:
                left:
                  EXTRACT: "CA10__source__c"
                right:
                  TEXT: "IP"
          - status: "INAPPLICABLE"
            currentStateMessage: "This security group rule does not allow unrestricted access."
            check:
              AND:
                args:
                  - NOT_EQUAL:
                      left:
                        EXTRACT: "CA10__sourceIpRange__c"
                      right:
                        TEXT: "0.0.0.0/0"
                  - NOT_EQUAL:
                      left:
                        EXTRACT: "CA10__sourceIpRange__c"
                      right:
                        TEXT: "::/0"
          - status: "INAPPLICABLE"
            currentStateMessage: "This security group rule protocol is not All or TCP."
            check:
              NOT:
                arg:
                  OR:
                    args:
                      - IS_EQUAL:
                          left:
                            EXTRACT: "CA10__protocol__c"
                          right:
                            TEXT: "All"
                      - IS_EQUAL:
                          left:
                            EXTRACT: "CA10__protocol__c"
                          right:
                            TEXT: "tcp"
          - status: "INCOMPLIANT"
            currentStateMessage: "This security group rule allows unrestricted access (0.0.0.0/0 or ::/0) to Redshift on TCP 5439."
            remediationMessage: "Remove the rule or restrict the source CIDR(s) to trusted networks only."
            check:
              AND:
                args:
                  - LESS_THAN_EQUAL:
                      left:
                        EXTRACT: "CA10__fromPort__c"
                      right:
                        NUMBER: 5439.0
                  - GREATER_THAN_EQUAL:
                      left:
                        EXTRACT: "CA10__toPort__c"
                      right:
                        NUMBER: 5439.0
        otherwise:
          status: "COMPLIANT"
          currentStateMessage: "This security group rule does not allow unrestricted access to TCP 5439."
```
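To make the three nested evaluation levels of this policy concrete, here is an added plain-Python walk-through of the same logic (example code, not repo-manager's evaluator). It assumes cluster and rule records are dicts keyed by the CA10 extract field names used above; the sample records at the bottom are constructed, not captured from any account.

```python
# Added example (not repo-manager code): the prod.logic.yaml decision tree as plain Python.
# Records are dicts keyed by the CA10 extract field names; sample data below is constructed.
REDSHIFT_PORT = 5439
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}          # the two unrestricted sources the policy names


def evaluate_rule(rule):
    """Innermost relatedLists: one EC2 security group rule. The INAPPLICABLE exits run first,
    in the order the YAML lists them, then the port-range INCOMPLIANT check, then otherwise."""
    if rule.get("CA10__direction__c") != "Inbound":
        return "INAPPLICABLE"                # outbound rule
    if rule.get("CA10__source__c") != "IP":
        return "INAPPLICABLE"                # e.g. source is another security group
    if rule.get("CA10__sourceIpRange__c") not in OPEN_CIDRS:
        return "INAPPLICABLE"                # scoped CIDR, not unrestricted
    if rule.get("CA10__protocol__c") not in ("All", "tcp"):
        return "INAPPLICABLE"                # exact, case-sensitive match as in the YAML
    if rule["CA10__fromPort__c"] <= REDSHIFT_PORT <= rule["CA10__toPort__c"]:
        return "INCOMPLIANT"                 # fromPort <= 5439 <= toPort
    return "COMPLIANT"                       # open CIDR, but the range misses 5439


def evaluate_security_group(rules):
    """Middle relatedLists: RELATED_LIST_HAS(INCOMPLIANT) over the group's rules."""
    return "INCOMPLIANT" if any(evaluate_rule(r) == "INCOMPLIANT" for r in rules) else "COMPLIANT"


def evaluate_cluster(cluster, security_groups):
    """Top-level conditions on the Redshift cluster; security_groups is the list of linked SGs."""
    if cluster.get("CA10__status__c") != "available":
        return "INAPPLICABLE"
    if cluster.get("CA10__endpointPort2__c") != REDSHIFT_PORT:   # NUMBER 5439 and 5439.0 compare equal
        return "INAPPLICABLE"
    if any(evaluate_security_group(sg) == "INCOMPLIANT" for sg in security_groups):
        return "INCOMPLIANT"
    return "COMPLIANT"


def make_rule(direction="Inbound", source="IP", cidr="0.0.0.0/0", proto="tcp", lo=5439, hi=5439):
    """Constructed sample rule record (hypothetical helper, defaults to the worst case)."""
    return {"CA10__direction__c": direction, "CA10__source__c": source,
            "CA10__sourceIpRange__c": cidr, "CA10__protocol__c": proto,
            "CA10__fromPort__c": lo, "CA10__toPort__c": hi}


OPEN_SG = [make_rule(), make_rule(direction="Outbound")]                      # TCP 5439 open to the world
SCOPED_SG = [make_rule(cidr="10.0.0.0/8"), make_rule(cidr="::/0", lo=22, hi=22)]  # trusted CIDR; open but only 22
ALL_TRAFFIC_SG = [make_rule(proto="All", lo=0, hi=65535)]                      # all-traffic rule covering 5439
CLUSTER = {"CA10__status__c": "available", "CA10__endpointPort2__c": 5439.0}   # constructed cluster record
```

Note that the protocol match is exact: a rule whose protocol extract reads "TCP" rather than "tcp" is reported INAPPLICABLE, not INCOMPLIANT, so the extract's casing matters when reading results.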