For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-redshift-publicly-accessible.md. A documentation index is available at /llms.txt.

Redshift publicly accessible

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-redshift-publicly-accessible

Provider: AWS

Platform: Ansible

Severity: High

Category: Insecure Configurations

Learn More

Description

Redshift clusters must not be publicly accessible. Exposing cluster endpoints to the internet increases the risk of unauthorized access, data exfiltration, and brute-force attacks. For Ansible, check tasks using the redshift or community.aws.redshift modules: the publicly_accessible parameter must be set to false. This rule flags any task where publicly_accessible is true. Explicitly set publicly_accessible: false in your task to ensure the cluster is not reachable from the public internet. Relying on implicit defaults may be ambiguous across versions.

Secure configuration example:

- name: Create Redshift cluster (not publicly accessible)
  community.aws.redshift:
    cluster_identifier: my-cluster
    node_type: dc2.large
    number_of_nodes: 2
    publicly_accessible: false

Compliant Code Examples

- name: Basic cluster provisioning example01
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: no
- name: Basic cluster provisioning example02
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
- name: Basic cluster provisioning example03
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: false

Non-Compliant Code Examples

---
- name: Basic cluster provisioning example04
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: yes
- name: Basic cluster provisioning example05
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: True
- name: Basic cluster provisioning example06
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: Yes