HIGH
Source
Trivy
ID
AVD-AWS-0127

Redshift cluster should be deployed into a specific VPC

Redshift clusters that are created without subnet details will be created in EC2-Classic mode, meaning that they run outside of a known VPC, in the shared EC2-Classic network.

To benefit from the additional security features of a VPC you own, a cluster subnet group should be set.

Impact

A Redshift cluster deployed in EC2-Classic mode does not benefit from VPC security controls.

Follow the appropriate remediation steps below to resolve the issue.

Deploy Redshift cluster into a non default VPC

```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  Queue:
    Type: AWS::Redshift::Cluster
    Properties:
      # Setting a cluster subnet group places the cluster inside a VPC
      ClusterSubnetGroupName: "my-subnet-group"
```
1. Log into the AWS Management Console.
2. Select the “Services” option and search for Redshift.
3. Scroll down the left navigation panel and choose “Clusters”.
4. Select the “Cluster” that needs to be verified and click on its identifier (name) from the “Cluster” column.
5. Scroll down the “Cluster” configuration page and check the “Publicly Accessible” option under the “Cluster Database Properties”. If the current status is set to “Yes”, the selected cluster is publicly accessible.
6. Repeat steps 2 - 5 to verify other clusters.
7. Select the “Cluster” on which “Public Accessibility” needs to be disabled. Click on its identifier (name) from the “Cluster” column to go to the “Cluster” configuration page.
8. Click on the “Cluster” dropdown button at the top menu and click on the “Modify Cluster” option.
9. On the “Modify Cluster” page, select the “No” option next to “Publicly accessible” under “Cluster Settings”. Click on the “Modify” button to apply the change.
10. Repeat steps 7 - 9 to disable “Public Accessibility” for other clusters.
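As an added example (not code from Trivy or this AVD page), the following Python check applies the condition above to a CloudFormation template in its JSON form and reports clusters that would launch in EC2-Classic mode. The sample template is constructed; treating a `Ref` to a `ClusterSubnetGroup` resource or a template `Parameter` as "set" is an assumption of this example.

```python
"""Added example, not code from Trivy or the AVD page: a minimal checker for the
condition AVD-AWS-0127 describes, run over a CloudFormation template in JSON form."""
import json

CLUSTER_TYPE = "AWS::Redshift::Cluster"
SUBNET_GROUP_TYPE = "AWS::Redshift::ClusterSubnetGroup"

def subnet_group_is_set(value, template):
    """Treat the name as set when it is a non-empty string, or a Ref to a
    ClusterSubnetGroup resource or a template Parameter (assumed convention)."""
    if isinstance(value, str):
        return value.strip() != ""
    if isinstance(value, dict) and "Ref" in value:
        target = value["Ref"]
        if target in template.get("Parameters", {}):
            return True
        resource = template.get("Resources", {}).get(target, {})
        return resource.get("Type") == SUBNET_GROUP_TYPE
    return False

def find_classic_mode_clusters(template):
    """Logical IDs of Redshift clusters that would launch in EC2-Classic mode
    because no cluster subnet group is configured."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != CLUSTER_TYPE:
            continue
        name = resource.get("Properties", {}).get("ClusterSubnetGroupName")
        if not subnet_group_is_set(name, template):
            findings.append(logical_id)
    return findings

# Constructed sample: a literal subnet group name, a Ref to a subnet group defined
# in the same template, and a cluster with no subnet group at all.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "SubnetGroup": {"Type": "AWS::Redshift::ClusterSubnetGroup",
                    "Properties": {"Description": "demo", "SubnetIds": ["subnet-placeholder"]}},
    "LiteralCluster": {"Type": "AWS::Redshift::Cluster",
                       "Properties": {"ClusterSubnetGroupName": "my-subnet-group"}},
    "RefCluster": {"Type": "AWS::Redshift::Cluster",
                   "Properties": {"ClusterSubnetGroupName": {"Ref": "SubnetGroup"}}},
    "ClassicCluster": {"Type": "AWS::Redshift::Cluster",
                       "Properties": {"NodeType": "dc1.large"}}
  }
}""")

if __name__ == "__main__":
    for cluster in find_classic_mode_clusters(SAMPLE_TEMPLATE):
        print(f"HIGH AVD-AWS-0127: {cluster} has no ClusterSubnetGroupName")
```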

Deploy Redshift cluster into a non default VPC

```hcl
resource "aws_redshift_cluster" "good_example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"

  # Setting a cluster subnet group places the cluster inside a VPC
  cluster_subnet_group_name = "redshift_subnet"
}
```