Ensure that your AWS Redshift database clusters are not using their default endpoint port (i.e. 5439) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
Changing the default port number for Redshift database clusters is a basic security measure and does not completely secure the clusters from port scanning and network attacks. To implement advanced Redshift database security, you should look into security measures such as restricting public access, controlling cluster access through security groups and Network Access Control Lists (NACLs), and encrypting the client connections to the database clusters using SSL.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Running your Redshift database clusters on the default port represents a potential security concern. Replacing the default port number (5439) with a custom one will add an extra layer of security, protecting your publicly accessible Amazon Redshift clusters from brute-force and dictionary attacks.
To determine if your existing Redshift database clusters are using their default port (i.e. the port on which the Redshift databases accept connections), perform the following:
Remediation / Resolution
To change the default port number for your existing Amazon Redshift database clusters, perform the following steps:
- AWS Documentation
- Managing Database Security
- Amazon Redshift Security Overview
- Amazon Redshift Clusters
- Managing Clusters Using the Console
- Manage Clusters Using the Amazon Redshift CLI and API
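The audit and remediation steps above can be scripted. The following example is added here and is not part of the Cloud Conformity rule page or any AWS tooling: it parses output shaped like that of `aws redshift describe-clusters`, reports every cluster whose endpoint still listens on 5439 (publicly accessible clusters first), and builds the matching `aws redshift modify-cluster --port` command for each. The cluster identifiers, endpoint addresses and the replacement port 5455 are constructed placeholders for the example; choose your own port within the range the Redshift documentation allows for your cluster.

```python
import json

# Default port on which Amazon Redshift clusters accept connections.
DEFAULT_REDSHIFT_PORT = 5439

# Constructed sample shaped like `aws redshift describe-clusters` output.
# Cluster identifiers and endpoint addresses are made up for this example.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {
            "ClusterIdentifier": "analytics-prod",
            "Endpoint": {
                "Address": "analytics-prod.example.us-east-1.redshift.amazonaws.com",
                "Port": 5439,
            },
            "PubliclyAccessible": True,
        },
        {
            "ClusterIdentifier": "reporting-internal",
            "Endpoint": {
                "Address": "reporting-internal.example.us-east-1.redshift.amazonaws.com",
                "Port": 5439,
            },
            "PubliclyAccessible": False,
        },
        {
            "ClusterIdentifier": "etl-staging",
            "Endpoint": {
                "Address": "etl-staging.example.us-east-1.redshift.amazonaws.com",
                "Port": 8199,
            },
            "PubliclyAccessible": False,
        },
    ]
})


def find_default_port_clusters(describe_clusters_json):
    """Return [(cluster_id, port, publicly_accessible)] for clusters on 5439.

    Publicly accessible clusters are listed first, because those are the
    endpoints the rule is most concerned about. Clusters that are still being
    created may have no Endpoint yet; they are skipped rather than crashing.
    """
    data = json.loads(describe_clusters_json)
    findings = []
    for cluster in data.get("Clusters", []):
        endpoint = cluster.get("Endpoint") or {}
        port = endpoint.get("Port")
        if port == DEFAULT_REDSHIFT_PORT:
            findings.append((
                cluster["ClusterIdentifier"],
                port,
                bool(cluster.get("PubliclyAccessible")),
            ))
    # Stable sort: public clusters (True) sort ahead of private ones.
    findings.sort(key=lambda finding: not finding[2])
    return findings


def remediation_commands(findings, new_port):
    """Build one `aws redshift modify-cluster` argv per non-compliant cluster.

    `new_port` is an operator-chosen value; this function does not validate it
    against the port range Redshift accepts for your cluster.
    """
    return [
        ["aws", "redshift", "modify-cluster",
         "--cluster-identifier", cluster_id,
         "--port", str(new_port)]
        for cluster_id, _port, _public in findings
    ]


if __name__ == "__main__":
    findings = find_default_port_clusters(SAMPLE_DESCRIBE_CLUSTERS)
    for cluster_id, port, public in findings:
        exposure = "publicly accessible" if public else "private"
        print(f"{cluster_id}: listening on default port {port} ({exposure})")
    # 5455 is a placeholder replacement port for this example.
    for argv in remediation_commands(findings, 5455):
        print(" ".join(argv))
```

In practice you would feed the function the real JSON (`aws redshift describe-clusters --output json`) and review the generated commands before running them, since modifying the port changes the endpoint every client must connect to.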
Redshift Cluster Default Port
Risk level: Low