Redshift publicly accessible
Id: 5c6b727b-1382-4629-8ba9-abd1365e5610
Cloud Provider: AWS
Platform: Ansible
Severity: High
Category: Insecure Configurations
Description
Redshift clusters must not be publicly accessible. Exposing cluster endpoints to the internet increases the risk of unauthorized access, data exfiltration, and brute-force attacks. For Ansible, check tasks using the redshift or community.aws.redshift modules: the publicly_accessible parameter must be set to false. This rule flags any task where publicly_accessible is true. Explicitly set publicly_accessible: false in your task to ensure the cluster is not reachable from the public internet. Relying on implicit defaults may be ambiguous across versions.
Secure configuration example:
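- name: Create Redshift cluster (not publicly accessible)
  community.aws.redshift:
    command: create                # the module requires a command
    identifier: my-cluster         # the module's parameter is "identifier"
    node_type: dc2.large
    number_of_nodes: 2
    username: cluster_admin
    password: "{{ redshift_admin_password }}"  # hypothetical variable, e.g. from Ansible Vault
    publicly_accessible: false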
Compliant Code Examples
- name: Basic cluster provisioning example01
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: no
- name: Basic cluster provisioning example02
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
- name: Basic cluster provisioning example03
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: false
Non-Compliant Code Examples
---
- name: Basic cluster provisioning example04
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: yes
- name: Basic cluster provisioning example05
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: True
- name: Basic cluster provisioning example06
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: Yes
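The check described above can be reproduced in a pre-merge script. The following is an added example, not the scanner's own implementation: it assumes the playbook has already been loaded from YAML into Python dicts, and the function names and sample tasks are constructed for illustration. Beyond the rule itself, it also reports tasks that omit the parameter and values that are Jinja2 expressions, since neither can be confirmed private by static inspection.

```python
# Added example; assumes tasks are already loaded from YAML into dicts.
MODULES = {"redshift", "community.aws.redshift"}  # module names from this page
TRUTHY = {"y", "yes", "on", "1", "true", "t"}  # strings Ansible reads as true


def classify(value):
    """Map a publicly_accessible value to 'public', 'private' or 'unresolved'."""
    if isinstance(value, (bool, int, float)):
        return "public" if value == 1 else "private"
    text = str(value).strip().lower()
    if "{{" in text:  # Jinja2 expression: value is only known at run time
        return "unresolved"
    return "public" if text in TRUTHY else "private"


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        yield task
        for section in ("block", "rescue", "always"):
            yield from iter_tasks(task.get(section))


def audit(tasks):
    """Return (task name, verdict) for every Redshift task found."""
    findings = []
    for task in iter_tasks(tasks):
        for module in MODULES.intersection(task):
            args = task[module] or {}
            if "publicly_accessible" in args:
                verdict = classify(args["publicly_accessible"])
            else:
                verdict = "unset"  # exposure depends on the module default
            findings.append((task.get("name", "<unnamed>"), verdict))
    return findings


# Constructed sample mirroring the spellings used in the examples above.
SAMPLE = [
    {"name": "t1", "community.aws.redshift": {"publicly_accessible": True}},
    {"name": "t2", "redshift": {"publicly_accessible": "Yes"}},
    {"name": "t3", "community.aws.redshift": {"command": "create"}},
    {"name": "t4", "redshift": {"publicly_accessible": "{{ expose }}"}},
    {"name": "wrap", "block": [
        {"name": "t5", "redshift": {"publicly_accessible": False}}]},
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE):
        print(f"{name}: {verdict}")
```

Only the "public" verdict corresponds to this rule's finding; "unset" and "unresolved" are candidates for manual review.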