Redshift Publicly Accessible

• Query id: 5c6b727b-1382-4629-8ba9-abd1365e5610
• Query name: Redshift Publicly Accessible
• Platform: Ansible
• Severity: High
• Category: Insecure Configurations
• CWE: 284
• URL: Github

Description

AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

---
- name: Basic cluster provisioning example04
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: yes
- name: Basic cluster provisioning example05
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: True
- name: Basic cluster provisioning example06
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: Yes

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: Basic cluster provisioning example01
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: no
- name: Basic cluster provisioning example02
  community.aws.redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
- name: Basic cluster provisioning example03
  redshift:
    command: create
    node_type: ds1.xlarge
    identifier: new_cluster
    username: cluster_admin
    password: 1nsecur3
    publicly_accessible: false