Redshift Cluster Without VPC

  • Query id: 40d5e9cd-5cfd-41f9-be60-b6cf4e907917
  • Query name: Redshift Cluster Without VPC
  • Platform: CloudFormation
  • Severity: Low
  • Category: Insecure Configurations
  • CWE: 284
  • Risk score: 1.0
  • URL: Github

Description

A Redshift cluster should be configured inside a VPC (Virtual Private Cloud). As the samples below show, the cluster is expected to reference both a ClusterSubnetGroupName and VpcSecurityGroupIds, and the referenced subnet group and security group are expected to be defined in the same template.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive sample: the cluster declares neither ClusterSubnetGroupName nor
# VpcSecurityGroupIds, so nothing in this template places it inside a VPC.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # No subnet group and no VPC security groups are configured here.
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "ClusterSubnetGroupName": { "Ref": "RedshiftSubnetGroup" },
        "VpcSecurityGroupIds": [
          { "Ref": "RedshiftSecurityGroup" }
        ]
      }
    }
  }
}
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftSubnetGroup": {
      "Type": "AWS::Redshift::ClusterSubnetGroup",
      "Properties": {
        "Description": "Subnet group for Redshift",
        "SubnetIds": [
          { "Ref": "Subnet1" },
          { "Ref": "Subnet2" }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "RedshiftSubnetGroup"
          }
        ]
      }
    },
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "ClusterSubnetGroupName": { "Ref": "RedshiftSubnetGroup" },
        "VpcSecurityGroupIds": [
          { "Ref": "RedshiftSecurityGroup" }
        ]
      }
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Redshift access",
        "VpcId": { "Ref": "MyVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 5439,
            "ToPort": 5439,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "ClusterSubnetGroupName": { "Ref": "RedshiftSubnetGroup" },
        "VpcSecurityGroupIds": [
          { "Ref": "RedshiftSecurityGroup" }
        ]
      }
    }
  }
}
Positive test num. 5 - yaml file
# Positive sample: a subnet group is referenced, but VpcSecurityGroupIds is
# missing and the referenced RedshiftSubnetGroup resource is not declared in
# this template.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # Reference to a resource that does not exist in this template.
      ClusterSubnetGroupName: !Ref RedshiftSubnetGroup
      # No VpcSecurityGroupIds.
Positive test num. 6 - yaml file
# Positive sample: VPC security groups are referenced, but
# ClusterSubnetGroupName is missing and the referenced RedshiftSecurityGroup
# resource is not declared in this template.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # No ClusterSubnetGroupName.
      VpcSecurityGroupIds:
        # Reference to a resource that does not exist in this template.
        - !Ref RedshiftSecurityGroup
Positive test num. 7 - yaml file
# Positive sample: both VPC-related properties are present, but neither the
# RedshiftSubnetGroup nor the RedshiftSecurityGroup resource is declared in
# this template, so the cluster is presumably still reported as not being
# placed in a VPC.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # Dangling reference: no RedshiftSubnetGroup resource in this template.
      ClusterSubnetGroupName: !Ref RedshiftSubnetGroup
      VpcSecurityGroupIds:
        # Dangling reference: no RedshiftSecurityGroup resource in this template.
        - !Ref RedshiftSecurityGroup
Positive test num. 8 - yaml file
# Positive sample: the subnet group is declared, but the security group that
# VpcSecurityGroupIds references (RedshiftSecurityGroup) is not declared in
# this template.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Declared subnet group; its two subnets are referenced, not declared here.
  RedshiftSubnetGroup:
    Type: AWS::Redshift::ClusterSubnetGroup
    Properties:
      Description: Subnet group for Redshift
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2
      Tags:
        - Key: Name
          Value: RedshiftSubnetGroup
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # Resolves to the subnet group declared above.
      ClusterSubnetGroupName: !Ref RedshiftSubnetGroup
      VpcSecurityGroupIds:
        # Dangling reference: no RedshiftSecurityGroup resource in this template.
        - !Ref RedshiftSecurityGroup
Positive test num. 9 - yaml file
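# Positive sample: the security group is declared, but the subnet group that
# ClusterSubnetGroupName references (RedshiftSubnetGroup) is not declared in
# this template.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Declared security group; the VPC it belongs to (MyVPC) is referenced, not
  # declared here.
  RedshiftSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Redshift access
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # NOTE(review): ingress on 5439 from 0.0.0.0/0 is a separate exposure
        # concern; this query only evaluates VPC placement of the cluster.
        - IpProtocol: tcp
          FromPort: 5439
          ToPort: 5439
          CidrIp: 0.0.0.0/0
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # Dangling reference: no RedshiftSubnetGroup resource in this template.
      ClusterSubnetGroupName: !Ref RedshiftSubnetGroup
      VpcSecurityGroupIds:
        # Resolves to the security group declared above.
        - !Ref RedshiftSecurityGroup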
Positive test num. 10 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb"
      }
    }
  }
}
Positive test num. 11 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "ClusterSubnetGroupName": { "Ref": "RedshiftSubnetGroup" }
      }
    }
  }
}
Positive test num. 12 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "VpcSecurityGroupIds": [
          { "Ref": "RedshiftSecurityGroup" }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
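# Negative sample: the cluster references a subnet group and a security group,
# and both resources are declared in this same template.
Resources:
  # Declared security group; the VPC it belongs to (MyVPC) is referenced, not
  # declared here.
  RedshiftSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Redshift access
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # NOTE(review): ingress on 5439 from 0.0.0.0/0 is a separate exposure
        # concern; this query only evaluates VPC placement of the cluster, so
        # "without security vulnerabilities" applies to this query alone.
        - IpProtocol: tcp
          FromPort: 5439
          ToPort: 5439
          CidrIp: 0.0.0.0/0

  # Declared subnet group; its two subnets are referenced, not declared here.
  RedshiftSubnetGroup:
    Type: AWS::Redshift::ClusterSubnetGroup
    Properties:
      Description: Subnet group for Redshift
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2
      Tags:
        - Key: Name
          Value: RedshiftSubnetGroup

  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterIdentifier: tf-redshift-cluster
      DBName: mydb
      # Resolves to the subnet group declared above.
      ClusterSubnetGroupName: !Ref RedshiftSubnetGroup
      VpcSecurityGroupIds:
        # Resolves to the security group declared above.
        - !Ref RedshiftSecurityGroup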
Negative test num. 2 - json file
{
  "Resources": {
    "RedshiftSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Redshift access",
        "VpcId": { "Ref": "MyVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 5439,
            "ToPort": 5439,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "RedshiftSubnetGroup": {
      "Type": "AWS::Redshift::ClusterSubnetGroup",
      "Properties": {
        "Description": "Subnet group for Redshift",
        "SubnetIds": [
          { "Ref": "Subnet1" },
          { "Ref": "Subnet2" }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "RedshiftSubnetGroup"
          }
        ]
      }
    },
    "RedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "ClusterIdentifier": "tf-redshift-cluster",
        "DBName": "mydb",
        "ClusterSubnetGroupName": { "Ref": "RedshiftSubnetGroup" },
        "VpcSecurityGroupIds": [
          { "Ref": "RedshiftSecurityGroup" }
        ]
      }
    }
  }
}