
Metadata

Id: e01de151-a7bd-4db4-b49b-3c4775a5e881

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Networking and Firewall

Description

Using the default Amazon Redshift port (5439) increases exposure because well-known ports are easy to discover and target with automated scanning and brute-force attempts.

In Ansible playbooks that use the redshift or community.aws.redshift modules, the port property must not be set to 5439. Tasks with port: 5439 are flagged. Choose a non-default port and restrict access using VPC private subnets and security group rules to limit which IPs or subnets can reach the cluster.

Secure example with a non-default port:

- name: Create Redshift cluster with non-default port
  community.aws.redshift:
    command: create                   # required by the module (create, modify, delete, facts)
    identifier: my-redshift-cluster   # the module parameter is identifier, not cluster_identifier
    node_type: dc2.large
    username: masteruser              # the module parameter is username, not master_username
    password: secretpassword          # the module parameter is password; in practice load it from a vault
    db_name: mydb
    port: 15432                       # any value other than the default 5439 passes this rule
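The check the rule describes (find redshift / community.aws.redshift tasks with port 5439) is small enough to reproduce locally, for example as a pre-commit step. The Python below is an added illustration, not Datadog's or the module's code. It walks a parsed playbook task list (the structure yaml.safe_load would return; the sample tasks are constructed inline and mirror the examples on this page), descends into block/rescue/always sections, and accepts the port as an integer or a quoted string. It goes one step beyond the rule: a task that omits port is reported as a separate "port_unset" finding, because AWS assigns 5439 when no port is given, so such a task still ends up on the default port even though the rule itself does not flag it.

```python
"""Flag Ansible Redshift tasks that use the default port 5439 (added example)."""
from typing import Any, Dict, Iterator, List

DEFAULT_REDSHIFT_PORT = 5439
# Module names covered by the rule: short name and fully qualified collection name.
REDSHIFT_MODULES = ("redshift", "community.aws.redshift")
# Task keys that hold nested task lists (Ansible blocks).
NESTED_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every task, recursing into block/rescue/always sections."""
    for task in tasks:
        nested = False
        for key in NESTED_KEYS:
            if isinstance(task.get(key), list):
                nested = True
                yield from iter_tasks(task[key])
        if not nested:
            yield task


def check_redshift_port(tasks: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per Redshift task on the default port.

    kind == "default_port": port explicitly set to 5439 (what the rule flags).
    kind == "port_unset":   port omitted; AWS falls back to 5439 (extra check, not in the rule).
    """
    findings: List[Dict[str, str]] = []
    for task in iter_tasks(tasks):
        name = str(task.get("name", "<unnamed task>"))
        for module in REDSHIFT_MODULES:
            args = task.get(module)
            if not isinstance(args, dict):
                continue
            port = args.get("port")
            if port is None:
                findings.append({"task": name, "module": module, "kind": "port_unset",
                                 "detail": "no port given; cluster would use default 5439"})
            elif str(port).strip() == str(DEFAULT_REDSHIFT_PORT):
                findings.append({"task": name, "module": module, "kind": "default_port",
                                 "detail": "port is the default 5439"})
    return findings


# Constructed sample: the compliant and non-compliant tasks from this page plus two variants.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "Redshift2", "community.aws.redshift": {
        "command": "create", "node_type": "ds1.xlarge", "identifier": "new_cluster",
        "username": "cluster_admin", "password": "1nsecur3", "port": 1150}},
    {"name": "Redshift", "community.aws.redshift": {
        "command": "create", "node_type": "ds1.xlarge", "identifier": "new_cluster",
        "username": "cluster_admin", "password": "1nsecur3", "port": 5439}},
    {"name": "Redshift short module name", "redshift": {
        "command": "create", "identifier": "cluster_b", "port": "5439"}},
    {"name": "Provisioning block", "block": [
        {"name": "Redshift without port", "community.aws.redshift": {
            "command": "create", "identifier": "cluster_c"}},
        {"name": "Unrelated task", "debug": {"msg": "not a Redshift module"}},
    ]},
]

if __name__ == "__main__":
    # In real use, load tasks from a playbook with yaml.safe_load (PyYAML) first.
    for finding in check_redshift_port(SAMPLE_TASKS):
        print(f"{finding['kind']:12} {finding['task']!r} ({finding['module']}): {finding['detail']}")
```

Treat a "default_port" finding as the rule violation and "port_unset" as an informational note; picking a non-default port only removes the cluster from the most common scan target, so the security-group and private-subnet restrictions the description calls for remain the real access control.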

Compliant Code Examples

- name: Redshift2
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    port: 1150

Non-Compliant Code Examples

- name: Redshift
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    port: 5439