Redshift Publicly Accessible
- Query id: bdf8dcb4-75df-4370-92c4-606e4ae6c4d3
- Query name: Redshift Publicly Accessible
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
myCluster:
Type: "AWS::Redshift::Cluster"
Properties:
DBName: "mydb"
MasterUsername: "master"
MasterUserPassword:
Ref: "MasterUserPassword"
NodeType: "ds2.xlarge"
ClusterType: "single-node"
Tags:
- Key: foo
Value: bar
myCluster2:
Type: "AWS::Redshift::Cluster"
Properties:
PubliclyAccessible: true
DBName: "mydb"
MasterUsername: "master"
MasterUserPassword:
Ref: "MasterUserPassword"
NodeType: "ds2.xlarge"
ClusterType: "single-node"
Tags:
- Key: foo
Value: bar
Positive test num. 2 - json file
{
"Resources": {
"myCluster": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"NodeType": "ds2.xlarge",
"ClusterType": "single-node",
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
],
"DBName": "mydb",
"MasterUsername": "master",
"MasterUserPassword": {
"Ref": "MasterUserPassword"
}
}
},
"myCluster2": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
],
"PubliclyAccessible": true,
"DBName": "mydb",
"MasterUsername": "master",
"MasterUserPassword": {
"Ref": "MasterUserPassword"
},
"NodeType": "ds2.xlarge",
"ClusterType": "single-node"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
myCluster:
Type: "AWS::Redshift::Cluster"
Properties:
PubliclyAccessible: false
DBName: "mydb"
MasterUsername: "master"
MasterUserPassword:
Ref: "MasterUserPassword"
NodeType: "ds2.xlarge"
ClusterType: "single-node"
Tags:
- Key: foo
Value: bar
Negative test num. 2 - json file
{
"Resources": {
"myCluster": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"MasterUserPassword": {
"Ref": "MasterUserPassword"
},
"NodeType": "ds2.xlarge",
"ClusterType": "single-node",
"Tags": [
{
"Value": "bar",
"Key": "foo"
}
],
"PubliclyAccessible": false,
"DBName": "mydb",
"MasterUsername": "master"
}
}
}
}