Redshift publicly accessible
Id: bdf8dcb4-75df-4370-92c4-606e4ae6c4d3
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Insecure Configurations
Description
Redshift clusters must not be publicly accessible because exposure to the public internet increases the risk of unauthorized data access and expands the attack surface for brute-force or other network-based attacks. In AWS CloudFormation, AWS::Redshift::Cluster resources must include the PubliclyAccessible property and set it to false. Resources missing this property or with PubliclyAccessible set to true will be flagged as a security finding.
Secure configuration example:
MyRedshiftCluster:
  Type: AWS::Redshift::Cluster
  Properties:
    PubliclyAccessible: false
    # other required properties...
Compliant Code Examples
# This template is compliant: the query should not report any result for it
Resources:
  myCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      PubliclyAccessible: false
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Tags:
        - Key: foo
          Value: bar
{
  "Resources": {
    "myCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "MasterUserPassword": {
          "Ref": "MasterUserPassword"
        },
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Tags": [
          {
            "Value": "bar",
            "Key": "foo"
          }
        ],
        "PubliclyAccessible": false,
        "DBName": "mydb",
        "MasterUsername": "master"
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "myCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": {
          "Ref": "MasterUserPassword"
        }
      }
    },
    "myCluster2": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "PubliclyAccessible": true,
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": {
          "Ref": "MasterUserPassword"
        },
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node"
      }
    }
  }
}
Resources:
  myCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Tags:
        - Key: foo
          Value: bar
  myCluster2:
    Type: "AWS::Redshift::Cluster"
    Properties:
      PubliclyAccessible: true
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Tags:
        - Key: foo
          Value: bar
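
The check from the Description, written out as an added Python example for JSON templates (not Datadog's query and not code from this page). The function names, the constructed sample template, and the treatment of string booleans and intrinsic-function values such as Ref are assumptions of this example, going slightly beyond the two cases the page lists.

```python
import json

REDSHIFT_TYPE = "AWS::Redshift::Cluster"

# Constructed sample template (not from the page): covers the missing, true,
# and parameter-driven cases, one compliant cluster, and an unrelated resource.
SAMPLE_TEMPLATE = """
{"Resources": {
  "missingProp": {"Type": "AWS::Redshift::Cluster", "Properties": {"DBName": "mydb"}},
  "publicTrue":  {"Type": "AWS::Redshift::Cluster", "Properties": {"PubliclyAccessible": "true"}},
  "fromParam":   {"Type": "AWS::Redshift::Cluster", "Properties": {"PubliclyAccessible": {"Ref": "Public"}}},
  "private":     {"Type": "AWS::Redshift::Cluster", "Properties": {"PubliclyAccessible": false}},
  "bucket":      {"Type": "AWS::S3::Bucket"}
}}
"""

def classify(value):
    """Return None when the value is compliant, otherwise a reason string."""
    if value is None:
        return "PubliclyAccessible is missing"
    if isinstance(value, dict):
        # Intrinsic function (Ref, Fn::If, ...): cannot be resolved statically.
        return "PubliclyAccessible is not a literal; review manually"
    # Assumption: treat the strings "true"/"false" like the JSON booleans.
    text = str(value).strip().lower()
    return None if text == "false" else f"PubliclyAccessible is set to {text}"

def find_public_redshift(template_text):
    """Return sorted (logical_id, reason) pairs for flagged Redshift clusters."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if not isinstance(res, dict) or res.get("Type") != REDSHIFT_TYPE:
            continue
        props = res.get("Properties") or {}
        reason = classify(props.get("PubliclyAccessible"))
        if reason:
            findings.append((logical_id, reason))
    return sorted(findings)

if __name__ == "__main__":
    for logical_id, reason in find_public_redshift(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

A parameter-driven value is reported rather than passed because the template alone does not show what the stack will be deployed with.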