For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-redshift-using-default-port.md. A documentation index is available at /llms.txt.

Redshift using default port

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-redshift-using-default-port

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Networking and Firewall

Learn More

Description

Redshift clusters must not use the default TCP port 5439 because predictable ports make it easier for attackers and automated scanners to discover and target database endpoints, increasing the risk of unauthorized access attempts. In AWS CloudFormation, the AWS::Redshift::Cluster resource must include the Port property and set it to a non-default value (not 5439). Resources missing Port or with Port set to 5439 will be flagged. Choose a port within Redshift’s valid range (102465535) and update security groups and client configurations to allow only trusted sources. This is a defense-in-depth control and does not replace proper network access restrictions and authentication controls.

Secure configuration example:

MyRedshiftCluster:
  Type: AWS::Redshift::Cluster
  Properties:
    Port: 15432

Compliant Code Examples

Resources:
  myCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      PubliclyAccessible: false
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Tags:
        - Key: foo
          Value: bar
      Port: 1150

{
    "Resources": {
      "myCluster": {
        "Type": "AWS::Redshift::Cluster",
        "Properties": {
          "MasterUserPassword": {
            "Ref": "MasterUserPassword"
          },
          "NodeType": "ds2.xlarge",
          "ClusterType": "single-node",
          "Tags": [
            {
              "Value": "bar",
              "Key": "foo"
            }
          ],
          "PubliclyAccessible": false,
          "DBName": "mydb",
          "MasterUsername": "master",
          "Port": "1150"
        }
      }
    }
  }

Non-Compliant Code Examples

Resources:
  myCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      PubliclyAccessible: false
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Tags:
        - Key: foo
          Value: bar
  myCluster2:
    Type: "AWS::Redshift::Cluster"
    Properties:
      PubliclyAccessible: false
      DBName: "mydb"
      MasterUsername: "master"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
      Tags:
        - Key: foo
          Value: bar
      Port: 5439

{
  "Resources": {
    "myCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "PubliclyAccessible": true,
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": {
          "Ref": "MasterUserPassword"
        }
      }
    },
    "myCluster2": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "Tags": [
          {
            "Key": "foo",
            "Value": "bar"
          }
        ],
        "PubliclyAccessible": true,
        "DBName": "mydb",
        "MasterUsername": "master",
        "MasterUserPassword": {
          "Ref": "MasterUserPassword"
        },
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "Port": 5439
      }
    }
  }
}