AWS Redshift cluster modified to allow public access
Description
AlphaSOC detected a configuration change that exposes an Amazon Redshift cluster to the public internet. Amazon Redshift is a cloud-based data warehouse service used to store and analyze large datasets. Making a cluster publicly accessible, or opening its security group to any source address, allows direct connections from the internet to the data warehouse, bypassing the VPC network controls that would otherwise restrict access to it.
Impact
Public exposure of a Redshift cluster creates a risk of unauthorized access to sensitive data, data breaches and compliance violations. Threat actors can attempt to exploit vulnerabilities in the exposed service, run brute-force attacks against database credentials, or access data through misconfigured permissions.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Redshift cluster made public or exposed via open security group |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user who made the configuration change. Verify whether public access is required for business operations. If the change was unauthorized, disable public accessibility immediately, rotate credentials and encryption keys, review access logs for unauthorized connection attempts, and audit data access during the exposure period.
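As an added, defender-side illustration (not part of the AlphaSOC alert text), the triage logic below scans CloudTrail records for the two conditions in the severity table: a Redshift API call that sets publiclyAccessible to true, and a security-group ingress rule that opens the Redshift port to the world. The records, account id, user names and security-group id are constructed samples.

```python
import json
# Constructed sample CloudTrail records (not real telemetry), trimmed to the fields
# the triage logic needs; the account id, user names and group id are placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "redshift.amazonaws.com", "eventName": "ModifyCluster",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"clusterIdentifier": "analytics-prod", "publiclyAccessible": true}},
 {"eventTime": "2024-05-01T10:05:40Z", "eventSource": "redshift.amazonaws.com", "eventName": "ModifyCluster",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"clusterIdentifier": "analytics-prod", "nodeType": "ra3.xlplus"}},
 {"eventTime": "2024-05-01T10:09:03Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
  "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [{"ipProtocol": "tcp",
   "fromPort": 5439, "toPort": 5439, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
]""")

REDSHIFT_PORT = 5439                 # default Redshift listener port
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}   # "anywhere" ranges for IPv4 and IPv6
CLUSTER_CALLS = {"CreateCluster", "ModifyCluster", "RestoreFromClusterSnapshot"}

def _open_ingress(params):
    """Yield world-open CIDRs from an AuthorizeSecurityGroupIngress call whose rule covers the Redshift port."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)   # absent for ipProtocol "-1" (all)
        if perm.get("ipProtocol") != "-1" and not lo <= REDSHIFT_PORT <= hi:
            continue
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in OPEN_CIDRS:
                yield cidr

def find_exposure_events(events):
    """Return one triage record (time, actor, resource, reason) per event that exposes a cluster."""
    hits = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        src, name, when = ev.get("eventSource"), ev.get("eventName"), ev.get("eventTime")
        if src == "redshift.amazonaws.com" and name in CLUSTER_CALLS and params.get("publiclyAccessible") is True:
            hits.append({"time": when, "actor": actor, "resource": params.get("clusterIdentifier"),
                         "reason": f"{name} with publiclyAccessible=true"})
        elif src == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
            for cidr in _open_ingress(params):   # one record per open range, e.g. IPv4 and IPv6
                hits.append({"time": when, "actor": actor, "resource": params.get("groupId"),
                             "reason": f"ingress to tcp/{REDSHIFT_PORT} from {cidr}"})
    return hits

print(*find_exposure_events(SAMPLE_EVENTS), sep="\n")   # the two records that need triage
```

The second ModifyCluster call (a node-type change) produces no record, so the output names only the actor and resource behind each actual exposure.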