Redshift publicly accessible

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: ansible-aws-redshift-publicly-accessible

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Insecure Configurations

Learn More

Description

Redshift clusters must not be publicly accessible. Exposing cluster endpoints to the internet increases the risk of unauthorized access, data exfiltration, and brute-force attacks. For Ansible, check tasks using the redshift or community.aws.redshift modules: the publicly_accessible parameter must be set to false. This rule flags any task where publicly_accessible is true. Explicitly set publicly_accessible: false in your task to ensure the cluster is not reachable from the public internet. Relying on implicit defaults may be ambiguous across versions.

Secure configuration example:

- name: Create Redshift cluster (not publicly accessible)
  community.aws.redshift:
    cluster_identifier: my-cluster
    node_type: dc2.large
    number_of_nodes: 2
    publicly_accessible: false

Compliant Code Examples

- name: Basic cluster provisioning example01
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: no
- name: Basic cluster provisioning example02
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
- name: Basic cluster provisioning example03
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: false

Non-Compliant Code Examples

---
- name: Basic cluster provisioning example04
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: yes
- name: Basic cluster provisioning example05
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: True
- name: Basic cluster provisioning example06
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: Yes