AWS Redshift cluster modified to allow public access

ID: aws_redshift_cluster_public
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0001:T1190 (Initial Access: Exploit Public-Facing Application)

Description

AlphaSOC detected a configuration change that exposes an Amazon Redshift cluster to public access. Amazon Redshift is a managed cloud data warehouse used to store and analyze large datasets. The change is either the cluster's PubliclyAccessible setting being enabled (giving it a public endpoint) or a security group attached to the cluster being opened to the internet (for example, an inbound rule for the Redshift port, 5439 by default, from 0.0.0.0/0). Either change lets connections from the internet reach the data warehouse directly instead of through the VPC boundary, though actual reachability depends on both settings together with the subnet's routing.

Impact

Public exposure of a Redshift cluster creates a risk of unauthorized access to sensitive data, data breaches, and compliance violations. Once the endpoint is reachable from the internet, threat actors can brute-force database user passwords, abuse weak or default credentials, probe for exploitable flaws in the exposed service, or read data through over-permissive database grants.

Severity

Severity	Condition
Medium	AWS Redshift cluster made public or exposed via open security group

Investigation and Remediation

Review the AWS CloudTrail events that triggered the alert (ModifyCluster or CreateCluster with publiclyAccessible set to true, or AuthorizeSecurityGroupIngress on a security group attached to the cluster) to identify the principal that made the change, the source IP, and whether the call came from an approved automation role or an interactive session. Confirm with the cluster owner whether public access is required for business operations; if it is, restrict the security group to the specific source addresses that need it rather than 0.0.0.0/0. If the change was unauthorized, disable public accessibility and revoke the open ingress rule immediately, rotate database user credentials and any affected encryption keys, review the cluster's connection log (audit logging or the STL_CONNECTION_LOG system table) for unauthorized connection attempts during the exposure window, and audit the data accessed in that period.
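The two exposure conditions above can be checked directly against CloudTrail records. The following is an added example, not AlphaSOC's detection logic: it walks a list of CloudTrail events, flags ModifyCluster/CreateCluster calls that set publiclyAccessible and AuthorizeSecurityGroupIngress calls that open the Redshift port to 0.0.0.0/0 or ::/0, and records the calling principal's ARN for the investigation step. The sample events are constructed (account IDs, ARNs, cluster and security group identifiers are made up); the requestParameters layout follows the CloudTrail record format for these API calls.

```python
"""Flag CloudTrail events that expose a Redshift cluster (added example)."""
import ipaddress

REDSHIFT_PORT = 5439  # Redshift's default listener port

# Constructed sample CloudTrail records (not real logs). Only the fields the
# checks below read are included; identifiers are made up.
SAMPLE_EVENTS = [
    {   # cluster flipped to publicly accessible -> should alert
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "redshift.amazonaws.com",
        "eventName": "ModifyCluster",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"clusterIdentifier": "analytics-prod", "publiclyAccessible": True},
    },
    {   # same call turning public access off -> benign
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "redshift.amazonaws.com",
        "eventName": "ModifyCluster",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"clusterIdentifier": "analytics-prod", "publiclyAccessible": False},
    },
    {   # Redshift port opened to the whole internet -> should alert
        "eventTime": "2024-05-01T11:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/carol"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 5439, "toPort": 5439,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {   # Redshift port opened only to an internal range -> benign
        "eventTime": "2024-05-01T11:10:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dave"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 5439, "toPort": 5439,
                "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
            }]},
        },
    },
]


def _is_open_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; malformed CIDRs are treated as not open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _covers_redshift_port(perm: dict) -> bool:
    """True if an ipPermissions entry admits TCP traffic to the Redshift port."""
    proto = perm.get("ipProtocol")
    if proto == "-1":              # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    lo = perm.get("fromPort", 0)
    hi = perm.get("toPort", 65535)
    return lo <= REDSHIFT_PORT <= hi


def find_exposures(events: list) -> list:
    """Return one finding dict per event that exposes a Redshift cluster."""
    findings = []
    for ev in events:
        src, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        base = {"actor": actor, "time": ev.get("eventTime")}

        # Condition 1: cluster created or modified with PubliclyAccessible=true
        if src == "redshift.amazonaws.com" and name in ("ModifyCluster", "CreateCluster") \
                and params.get("publiclyAccessible") is True:
            findings.append({**base, "reason": "publicly_accessible",
                             "resource": params.get("clusterIdentifier")})

        # Condition 2: security group ingress for the Redshift port from anywhere.
        # Caveat: correlate groupId with the cluster's VpcSecurityGroups before
        # concluding that the rule exposes a Redshift cluster specifically.
        elif src == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
            for perm in (params.get("ipPermissions") or {}).get("items", []):
                if not _covers_redshift_port(perm):
                    continue
                cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
                cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
                open_cidrs = [c for c in cidrs if c and _is_open_cidr(c)]
                if open_cidrs:
                    findings.append({**base, "reason": "open_security_group",
                                     "resource": params.get("groupId"), "cidrs": open_cidrs})
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, this reports the first and third records and ignores the two benign ones. Once a finding is confirmed, the corresponding remediation calls are `aws redshift modify-cluster --cluster-identifier <id> --no-publicly-accessible` for the first condition and `aws ec2 revoke-security-group-ingress` with the same protocol, port and CIDR for the second.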

Further Reading