Restrict Redshift Cluster Port Access

Ensures that security groups associated with Amazon Redshift clusters restrict ingress on the cluster port to safe sources.

Rule: Redshift security groups should allow ingress on the cluster port only from restricted origins
Framework: AWS Foundational Security Best Practices
Severity: High

Rule Description:

To enhance security and follow AWS Foundational Security Best Practices for Amazon Redshift clusters, ingress on the cluster port should only be allowed from restricted origins within the security groups.

Troubleshooting Steps:

If the ingress is not properly restricted to specific origins, there is a risk of exposing the Redshift cluster to unauthorized access.

Remediation Steps:

To remediate this issue and ensure that the security groups allow ingress on the cluster port only from restricted origins, follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon Redshift console.
  3. Identify the security group associated with the Redshift cluster that needs to be updated.
  4. Update the inbound rules of the security group to restrict access to the cluster port from specific IP ranges or sources.
  5. Review the current security group rules to ensure that only the necessary ports are open.

CLI Command:

If you prefer using the AWS Command Line Interface (CLI) to update the security group settings, you can use the following command to modify the inbound rules:

aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 5439 --cidr x.x.x.x/x

Replace sg-12345678 with the actual security group ID and x.x.x.x/x with the IP range you want to allow access from.
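To carry out the review in step 5 across many groups, the check can be scripted. The following is an added example, not part of the original page or of any vendor tooling: it reads JSON in the shape returned by `aws ec2 describe-security-groups` and lists every rule that opens the cluster port to an unrestricted source. The function names, the sample group IDs and the choice of 0.0.0.0/0 and ::/0 as "unrestricted" are assumptions made for illustration.

```python
import json

# Sources treated as unrestricted (assumption for this example).
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def open_ingress(sg_json, cluster_port=5439):
    """Return (group_id, protocol, port_range, cidr) for each rule that
    exposes cluster_port to an unrestricted source."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto == "-1":              # all protocols, all ports
                ports = "all"
            elif proto in ("tcp", "6"):    # 6 is TCP's protocol number
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                if not lo <= cluster_port <= hi:
                    continue               # range does not cover the port
                ports = f"{lo}-{hi}"
            else:                          # Redshift listens on TCP only
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], proto, ports, c)
                         for c in cidrs if c in OPEN_CIDRS]
    return findings

def _rule(proto, lo, hi, v4=(), v6=()):
    """Hypothetical helper: build one IpPermissions entry for the sample."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if lo is not None:
        perm.update(FromPort=lo, ToPort=hi)
    return perm

# Constructed sample in the shape of describe-security-groups output.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-example-a", "IpPermissions": [
        _rule("tcp", 5439, 5439, v4=["0.0.0.0/0", "203.0.113.0/24"])]},
    {"GroupId": "sg-example-b", "IpPermissions": [
        _rule("tcp", 5439, 5439, v4=["10.0.0.0/16"]),
        _rule("tcp", 22, 22, v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-example-c", "IpPermissions": [
        _rule("tcp", 5000, 6000, v6=["::/0"]),
        _rule("-1", None, None, v4=["0.0.0.0/0"])]},
]})

if __name__ == "__main__":
    for finding in open_ingress(SAMPLE):
        print(*finding)
```

Note that `authorize-security-group-ingress` only adds a rule; any open rule this check reports stays in effect until it is removed, for example with `aws ec2 revoke-security-group-ingress`.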

By following these steps and restricting the ingress on the cluster port to specific origins, you can improve the security posture of your Amazon Redshift cluster in accordance with AWS Foundational Security Best Practices.
