---
title: Redshift clusters should use a custom master username
description: Datadog, the leading service for cloud-scale monitoring.
---

# Redshift clusters should use a custom master username
 
## Description{% #description %}

Confirm that [Redshift clusters](https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html) use a custom master user name rather than the default master user name.

## Rationale{% #rationale %}

Default master user names are widely known, so on publicly accessible clusters they give attackers an easy starting point. Setting a custom master user name does not fully protect against attacks on its own, but restricting the root account to privileged users and using additional password measures can add a further layer of protection.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Getting information about cluster configuration](https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster) docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.

### From the command line{% #from-the-command-line %}

1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html).

   In the `describe-clusters.sh` file:

   ```bash
   aws redshift describe-clusters \
       --cluster-identifier cluster-name
   ```

1. Run `create-cluster` with the returned cluster metadata to [launch a new cluster](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html) with the existing metadata and a new master user name.

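   In the `create-cluster.sh` file:

   ```bash
   # The old cluster still exists at this point, so the new cluster
   # needs its own identifier.
   aws redshift create-cluster \
       --cluster-identifier new-cluster-identifier \
       --master-username awsmasterusr \
       --vpc-security-group-ids id-012a3b4c \
       ...
   ```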

1. Re-run `describe-clusters` with a [custom query filter](https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html) to retrieve the database cluster endpoint.

   In the `describe-clusters.sh` file:

   ```bash
   aws redshift describe-clusters \
       --cluster-identifier new-cluster-identifier \
       --query 'Clusters[*].Endpoint.Address'
   ```

1. Reload the old cluster data into the new database cluster with the [Unload Copy Utility](https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility).

1. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.

1. Run `delete-cluster` to [delete the old cluster](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html).

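   In the `delete-cluster.sh` file:

   ```bash
   # Delete the old cluster once the data has been reloaded and the
   # application points to the new endpoint.
   aws redshift delete-cluster \
       --cluster-identifier old-cluster-identifier \
       ...
   ```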
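
To find which clusters need this remediation, the check this rule describes can be run across every cluster in a region. The script below is an added example, not part of the original Datadog page: the function names, the HIGH/MEDIUM labels, and the sample rows are assumptions made for illustration, and it treats `awsuser` as the default name as stated above.

```bash
#!/usr/bin/env bash
# Added example: flag Redshift clusters that still use the default master user name.
# Input: one cluster per line, tab-separated:
#   ClusterIdentifier  MasterUsername  PubliclyAccessible
# which is what this command prints:
#   aws redshift describe-clusters \
#     --query 'Clusters[*].[ClusterIdentifier,MasterUsername,PubliclyAccessible]' \
#     --output text

DEFAULT_MASTER_USER="awsuser"   # default master user name given on this page

# Reads cluster rows on stdin and prints one finding per non-compliant cluster.
# Severity labels are this example's own convention:
#   HIGH   = default user name and publicly accessible
#   MEDIUM = default user name, not publicly accessible
audit_master_usernames() {
  awk -F'\t' -v def="$DEFAULT_MASTER_USER" '
    NF < 3 { next }                      # skip blank or malformed rows
    tolower($2) == def {                 # compare case-insensitively
      sev = (tolower($3) == "true") ? "HIGH" : "MEDIUM"
      printf "%s\t%s\tmaster=%s\tpublic=%s\n", sev, $1, $2, $3
    }'
}

# Constructed sample rows (not real clusters).
sample_rows() {
  printf 'analytics-prod\tawsuser\tTrue\n'
  printf 'etl-staging\tawsuser\tFalse\n'
  printf 'reporting\tdwh_admin_7f\tTrue\n'
}

# Demo run on the constructed rows; for a live account, pipe the
# aws command shown above into audit_master_usernames instead.
sample_rows | audit_master_usernames
```

Clusters reported as HIGH match the rationale above most directly, so they are the ones to migrate first.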
