- Redshift Cluster Default Master Username
Ensure that your AWS Redshift database clusters are using custom master user names instead of the default master user name (i.e. "awsuser") in order to add an additional layer of defense against non-targeted attacks.
Changing the default master user name for Redshift database clusters is a basic security measure that improves overall security, but it does not fully protect against attackers who can guess or obtain database user names through social engineering. To harden Redshift database security further, restrict the root account to privileged users only, use strong and complex passwords, and grant database-level permissions only to trusted users.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using the default master user name to access your Redshift database clusters represents a potential security concern. Changing the master user name ("awsuser") adds an extra layer of security, protecting your publicly accessible Amazon Redshift clusters against hacking.
Audit
To determine if your existing Redshift database clusters are using the default master user name, perform the following:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to the Redshift dashboard at https://console.aws.amazon.com/redshift/.
03 In the left navigation panel, under Redshift Dashboard, click Clusters.
04 Choose the Redshift cluster that you want to examine then click on its identifier/name link, listed in the Cluster column.
05 On the selected cluster configuration page, in the Cluster Database Properties section, verify the Master Username attribute value. If the value is set to awsuser, the selected Amazon Redshift cluster is using the default master user name for database access, therefore it is vulnerable to hacking.
06 Repeat steps no. 4 and 5 to verify the master user name for other Redshift database clusters provisioned in the current region.
07 Change the AWS region from the navigation bar and repeat the process for other regions.
Using AWS CLI
01 Run the describe-clusters command (OSX/Linux/UNIX) using custom query filters to list the identifiers (names) of all Redshift clusters currently available in the selected region:
aws redshift describe-clusters --region us-east-1 --output table --query 'Clusters[*].ClusterIdentifier'
02 The command output should return a table with the requested database cluster names:
------------------------
|   DescribeClusters   |
+----------------------+
|  cc-prod-db-cluster  |
|  cc-redshift-cluster |
+----------------------+
03 Run the describe-clusters command again (OSX/Linux/UNIX), using the name of the cluster that you want to examine as the identifier and custom query filters to expose the master user name used by the selected AWS Redshift database cluster:
aws redshift describe-clusters --region us-east-1 --cluster-identifier cc-prod-db-cluster --query 'Clusters[*].MasterUsername'
04 The command output should return the requested user name:
[ "awsuser" ]
If the command output returns "awsuser" as the user name, the selected Amazon Redshift cluster is using the default master user name for database access, therefore it is vulnerable to hacking via social engineering techniques.
05 Repeat steps no. 3 and 4 to check the master user name for other AWS Redshift clusters provisioned in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
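The CLI audit above is a per-cluster, per-region manual loop. The following script is an added example for this article (it is not part of the Conformity rule or the AWS CLI) that automates it: it consumes the JSON that `aws redshift describe-clusters --output json` prints, flags every cluster whose MasterUsername is the default "awsuser", and repeats that over a list of regions. The fetch function is injectable so the logic can be exercised offline against a constructed sample; the cluster names in that sample are made up.

```python
"""Flag Amazon Redshift clusters whose master user name is the default "awsuser".

Added example for this article; not Conformity's or AWS's code. It reads the
JSON that `aws redshift describe-clusters --output json` prints and returns one
finding per non-compliant cluster, so it can be run over several regions.
"""
import json
import shutil
import subprocess

DEFAULT_MASTER_USERNAME = "awsuser"


def find_default_master_username(describe_output, region):
    """Return [(region, cluster_identifier, master_username), ...] for every
    cluster that still uses the default master user name.

    `describe_output` is either the raw JSON text or the already-parsed dict.
    The comparison is case-insensitive to stay on the conservative side.
    """
    if isinstance(describe_output, str):
        describe_output = json.loads(describe_output)
    findings = []
    for cluster in describe_output.get("Clusters", []):
        username = cluster.get("MasterUsername", "")
        if username.lower() == DEFAULT_MASTER_USERNAME:
            findings.append((region, cluster["ClusterIdentifier"], username))
    return findings


def describe_clusters_via_cli(region):
    """Run the article's describe-clusters command for one region and parse the
    JSON output. The AWS CLI paginates automatically, so every cluster in the
    region is returned. Requires a configured AWS CLI on PATH."""
    if shutil.which("aws") is None:
        raise FileNotFoundError("aws CLI not found on PATH")
    completed = subprocess.run(
        ["aws", "redshift", "describe-clusters", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


def audit_regions(regions, fetch=describe_clusters_via_cli):
    """Audit every region in `regions`. `fetch(region)` returns describe-clusters
    output; it defaults to the real CLI and can be swapped for a stub."""
    findings = []
    for region in regions:
        findings.extend(find_default_master_username(fetch(region), region))
    return findings


# Constructed sample in the describe-clusters shape (cluster names are made up).
SAMPLE_OUTPUT = json.dumps({
    "Clusters": [
        {"ClusterIdentifier": "cc-prod-db-cluster", "MasterUsername": "awsuser",
         "NodeType": "ds2.xlarge", "ClusterStatus": "available"},
        {"ClusterIdentifier": "cc-redshift-cluster", "MasterUsername": "analytics_admin",
         "NodeType": "ds2.xlarge", "ClusterStatus": "available"},
    ]
})

if __name__ == "__main__":
    # Offline demonstration against the constructed sample. To audit real
    # regions, drop the `fetch=` argument so describe_clusters_via_cli is used.
    for region, ident, user in audit_regions(["us-east-1"], fetch=lambda r: SAMPLE_OUTPUT):
        print(f"{region}: cluster {ident} uses the default master user name '{user}'")
```

Run it with the AWS CLI configured and a list of all regions where Redshift is enabled; an empty result means no cluster in those regions still uses "awsuser". The check is deliberately case-insensitive, since a finding that turns out to be a false positive is cheaper than a missed default account.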
Remediation / Resolution
To change the default master user name for your existing Amazon Redshift database clusters, you must relaunch those clusters with a different master user name and migrate the existing data to the new clusters. To launch the new Redshift database clusters and move the existing data between databases, perform the following:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to the Redshift dashboard at https://console.aws.amazon.com/redshift/.
03 In the left navigation panel, under Redshift Dashboard, click Clusters.
04 Click the Launch Cluster button from the dashboard top menu to start the cluster setup process.
05 On the Cluster Details configuration page, enter a name for your new cluster in the Cluster Identifier field, type a unique (non-default) user name in the Master user name field, then fill out the rest of the fields available on this page with the information taken from the existing cluster, launched with the default master user name (i.e. "awsuser").
06 Click the Continue button to continue the setup process.
07 On the Node Configuration page, select the appropriate node type for the new cluster from the Node Type dropdown list and configure the number of nodes used to match the existing database cluster configuration.
08 Click Continue to load the next page.
09 On the Additional Configuration page, perform the following actions:
- Within the first configuration section, select the parameter group to associate with the cluster from the Cluster Parameter Group dropdown list and make sure that the cluster database encryption configuration matches the existing Redshift cluster configuration.
- Within the Configure Networking Options section, provide the following information:
- Select the name of the Virtual Private Cloud in which you want to launch the cluster from the Choose a VPC dropdown list.
- Select the name of the subnet group that you want to assign to your cluster from the Cluster Subnet Group dropdown list.
- For Publicly Accessible, choose whether or not you want the cluster to be publicly accessible on the Internet. If you select Yes, you can also choose to attach an elastic IP (EIP) using the Choose a Public IP Address setting.
- For Enhanced VPC Routing, you can choose whether or not to enable the Enhanced VPC Routing feature that provides the capability to force all COPY/UNLOAD traffic between the cluster and your data repository through the VPC network selected above.
- Select the name of the availability zone in which you want to launch the cluster from the Availability Zone dropdown list.
- Select the appropriate security group(s) to associate with your new cluster from the VPC Security Groups list.
- (Optional) For Create CloudWatch Alarm, choose whether or not you want to create an AWS CloudWatch alarm to monitor the cluster disk usage.
- (Optional) Select an existing role from the AvailableRoles dropdown list if you need to associate an IAM role with your Redshift cluster.
10 Click Continue to load the next page.
11 On the Review page, review the new Redshift cluster properties, its database access details and the environment configuration details where it will be provisioned, then click Launch Cluster to launch the cluster.
12 On the confirmation page click Close to return to the Redshift dashboard. Once the Cluster Status value changes to available and the DB Health status changes to healthy, the new cluster can be used to load the existing data from the old one (source cluster), launched with the default master user name.
13 Unload your data from the old Redshift cluster and reload it into the newly created database cluster using the Amazon Redshift Unload/Copy utility. With this utility you can unload (export) your data from the source cluster to an AWS S3 bucket, then import it into your destination (new) cluster and clean up the S3 bucket used. All the necessary instructions to install, configure and use the Amazon Redshift Unload/Copy tool can be found at this URL.
14 As soon as the data migration process is completed and all the data is loaded into the new Redshift cluster, you can update your application configuration to refer to the new cluster endpoint (e.g. cc-prod-db-new-cluster.cma5sgvy70dte.us-east-1.redshift.amazonaws.com).
15 Once the Redshift cluster endpoint is changed within your application configuration, it’s safe to remove the old database cluster from your AWS account by performing the following actions:
- In the navigation panel, under Redshift Dashboard, click Clusters.
- Choose the Redshift cluster that you want to remove then click on its identifier link available in the Cluster column.
- On the selected cluster Configuration tab, click the Cluster dropdown button from the dashboard main menu then select Delete from the dropdown list.
- Inside the Delete Cluster dialog box, enter a unique name for the final snapshot in the Snapshot name box then click Delete to confirm the action. Once the snapshot is created the selected cluster removal process begins.
16 Repeat steps no. 4 - 15 to relaunch other Redshift database clusters provisioned within the current region, with a non-default master user name.
17 Change the AWS region from the navigation bar and repeat the entire process for other regions.
Using AWS CLI
01 Run the describe-clusters command (OSX/Linux/UNIX) to describe the configuration metadata for the AWS Redshift cluster that you want to relaunch (see Audit section part II to identify the right resource):
aws redshift describe-clusters --region us-east-1 --cluster-identifier cc-prod-db-cluster
02 The command output should return the requested configuration information, which will be useful later when the new cluster is created:
{
    "Clusters": [
        {
            "PubliclyAccessible": true,
            "MasterUsername": "awsuser",
            "VpcSecurityGroups": [
                {
                    "Status": "active",
                    "VpcSecurityGroupId": "sg-541e2e7b"
                }
            ],
            "ClusterPublicKey": "ssh-rsa AAZZB3NzaC ... ",
            "NumberOfNodes": 1,
            "PendingModifiedValues": {},
            "VpcId": "vpc-d731653f",
            "ClusterVersion": "1.0",
            "Tags": [],
            "AutomatedSnapshotRetentionPeriod": 1,
            "ClusterParameterGroups": [
                {
                    "ParameterGroupName": "default.redshift-1.0",
                    "ParameterApplyStatus": "in-sync"
                }
            ],
            "DBName": "awsclusterdb",
            "PreferredMaintenanceWindow": "fri:03:00-fri:03:30",
            "Endpoint": {
                "Port": 5439,
                "Address": "cc-prod-db-cluster.dyupsgvyjhfo..."
            },
            "IamRoles": [],
            "AllowVersionUpgrade": true,
            "ClusterCreateTime": "2017-01-12T17:44:12.654Z",
            "ClusterSubnetGroupName": "default",
            "ClusterSecurityGroups": [],
            "ClusterIdentifier": "cc-prod-db-cluster",
            "ClusterNodes": [
                {
                    "NodeRole": "SHARED",
                    "PrivateIPAddress": "172.43.121.2",
                    "PublicIPAddress": "52.201.107.154"
                }
            ],
            "AvailabilityZone": "us-east-1a",
            "NodeType": "ds2.xlarge",
            "Encrypted": false,
            "ClusterRevisionNumber": "1106",
            "ClusterStatus": "available"
        }
    ]
}
03 Run the create-cluster command (OSX/Linux/UNIX) using the existing database cluster configuration details returned at the previous step to launch a new Amazon Redshift cluster with a different (non-default) master user name:
aws redshift create-cluster --region us-east-1 --cluster-identifier cc-prod-db-new-cluster --cluster-type single-node --node-type ds2.xlarge --db-name awsclusterdb --master-username awsmasterusr --master-user-password Pr0Dclusterpwd0 --vpc-security-group-ids sg-541e2e7b --availability-zone us-east-1a --port 5439 --cluster-subnet-group-name default --cluster-parameter-group-name default.redshift-1.0 --publicly-accessible --allow-version-upgrade
04 The command output should return the new Redshift cluster configuration metadata:
{
    "Cluster": {
        "PubliclyAccessible": true,
        "MasterUsername": "awsmasterusr",
        "DBName": "awsclusterdb",
        "PreferredMaintenanceWindow": "fri:06:00-fri:06:30",
        "IamRoles": [],
        "AllowVersionUpgrade": true,
        ...
        "ClusterSubnetGroupName": "default",
        "ClusterSecurityGroups": [],
        "ClusterIdentifier": "cc-prod-db-new-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds2.xlarge",
        "Encrypted": false,
        "ClusterStatus": "creating"
    }
}
05 Run the describe-clusters command again (OSX/Linux/UNIX) using custom query filters to expose the new Redshift database cluster endpoint:
aws redshift describe-clusters --region us-east-1 --cluster-identifier cc-prod-db-new-cluster --query 'Clusters[*].Endpoint.Address'
06 The command output should return the new database cluster endpoint URL:
[ "cc-prod-db-new-cluster.dyupsgvyjhfo.us-east-1.redshift.amazonaws.com" ]
07 Unload your data from the old Redshift cluster and reload it into the newly created database cluster using the Amazon Redshift Unload/Copy utility. With this utility you can unload (export) your data from the source cluster to an AWS S3 bucket, then import it into your destination (new) cluster and clean up the S3 bucket used. All the necessary instructions to install, configure and use the Amazon Redshift Unload/Copy tool can be found at this URL.
08 As soon as the data migration process is completed and all the data is loaded into the new Redshift cluster, you can update your application configuration to refer to the new cluster endpoint, returned at step no. 6 (e.g. cc-prod-db-new-cluster.dyupsgvyjhfo.us-east-1.redshift.amazonaws.com).
09 Once the Redshift cluster endpoint is changed within your application configuration, run the delete-cluster command (OSX/Linux/UNIX) to remove the source (old) cluster from your AWS account:
aws redshift delete-cluster --region us-east-1 --cluster-identifier cc-prod-db-cluster --final-cluster-snapshot-identifier cc-prod-db-cluster-final-snapshot
10 The command output should return the metadata of the Redshift cluster selected for deletion:
{
    "Cluster": {
        "PubliclyAccessible": true,
        "MasterUsername": "awsmasterusr",
        "PendingModifiedValues": {},
        "VpcId": "vpc-d731653f",
        "ClusterVersion": "1.0",
        "AutomatedSnapshotRetentionPeriod": 1,
        ...
        "ClusterSubnetGroupName": "default",
        "ClusterSecurityGroups": [],
        "ClusterIdentifier": "cc-prod-db-cluster",
        "AvailabilityZone": "us-east-1a",
        "NodeType": "ds2.xlarge",
        "Encrypted": false,
        "ClusterStatus": "final-snapshot"
    }
}
11 Repeat steps no. 1 - 10 to relaunch other Redshift database clusters available within the current region, with a non-default master user name.
12 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 11 for other regions.
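Steps 01 through 10 above hand-copy settings from the describe-clusters output into create-cluster and delete-cluster invocations. The script below is an added example for this article (not Conformity's or AWS's code) that derives both command lines from the step 02 JSON so that node type, node count, port, subnet group, parameter group, security groups, IAM roles and the publicly-accessible, version-upgrade and encryption flags are carried over exactly, and it refuses a new master user name that is still "awsuser". It assumes the caller supplies the region, the new cluster identifier, the new master user name and the final snapshot name; the master password is never placed in the returned plan and is appended only at execution time from an environment variable named REDSHIFT_MASTER_PASSWORD (a name chosen for this example), so the plan can be logged without leaking the secret the way a password typed on the command line in step 03 would land in shell history.

```python
"""Derive the create-cluster and delete-cluster argv from describe-clusters output.

Added example for this article; not Conformity's or AWS's code. Assumes the JSON
shape printed by `aws redshift describe-clusters --cluster-identifier ...`
(step 02). The env var REDSHIFT_MASTER_PASSWORD is a name chosen for this example.
"""
import os
import shlex

DEFAULT_MASTER_USERNAME = "awsuser"


def plan_relaunch(describe_output, region, new_identifier, new_master_username, final_snapshot_id):
    """Return {"create": argv, "delete": argv}; neither list contains the password."""
    clusters = describe_output["Clusters"]
    if len(clusters) != 1:
        raise ValueError("expected exactly one cluster; run describe-clusters with --cluster-identifier")
    src = clusters[0]
    if new_master_username.lower() == DEFAULT_MASTER_USERNAME:
        raise ValueError("the new master user name must not be the default 'awsuser'")

    create = [
        "aws", "redshift", "create-cluster", "--region", region,
        "--cluster-identifier", new_identifier,
        "--node-type", src["NodeType"],
        "--db-name", src["DBName"],
        "--master-username", new_master_username,
        "--port", str(src["Endpoint"]["Port"]),
        "--cluster-subnet-group-name", src["ClusterSubnetGroupName"],
        "--cluster-parameter-group-name", src["ClusterParameterGroups"][0]["ParameterGroupName"],
        "--availability-zone", src["AvailabilityZone"],
    ]
    # single-node clusters take no --number-of-nodes; multi-node clusters require it
    nodes = src["NumberOfNodes"]
    if nodes == 1:
        create += ["--cluster-type", "single-node"]
    else:
        create += ["--cluster-type", "multi-node", "--number-of-nodes", str(nodes)]
    sg_ids = [g["VpcSecurityGroupId"] for g in src.get("VpcSecurityGroups", [])]
    if sg_ids:
        create += ["--vpc-security-group-ids", *sg_ids]
    role_arns = [r["IamRoleArn"] for r in src.get("IamRoles", [])]
    if role_arns:
        create += ["--iam-roles", *role_arns]
    # carry the boolean settings over explicitly so none silently flips to a CLI default
    create.append("--publicly-accessible" if src["PubliclyAccessible"] else "--no-publicly-accessible")
    create.append("--allow-version-upgrade" if src["AllowVersionUpgrade"] else "--no-allow-version-upgrade")
    create.append("--encrypted" if src.get("Encrypted") else "--no-encrypted")

    delete = [
        "aws", "redshift", "delete-cluster", "--region", region,
        "--cluster-identifier", src["ClusterIdentifier"],
        "--final-cluster-snapshot-identifier", final_snapshot_id,
    ]
    return {"create": create, "delete": delete}


def with_master_password(create_argv, password):
    """Return a copy of the create-cluster argv with the password appended.
    Only this list should be handed to subprocess.run; never log it."""
    if not password:
        raise ValueError("master password is empty")
    return [*create_argv, "--master-user-password", password]


# Trimmed copy of the step 02 output (identifiers are the article's sample values).
SAMPLE_DESCRIBE = {
    "Clusters": [{
        "PubliclyAccessible": True, "MasterUsername": "awsuser",
        "VpcSecurityGroups": [{"Status": "active", "VpcSecurityGroupId": "sg-541e2e7b"}],
        "NumberOfNodes": 1, "ClusterParameterGroups": [{"ParameterGroupName": "default.redshift-1.0"}],
        "DBName": "awsclusterdb", "Endpoint": {"Port": 5439, "Address": "cc-prod-db-cluster.dyupsgvyjhfo..."},
        "IamRoles": [], "AllowVersionUpgrade": True, "ClusterSubnetGroupName": "default",
        "ClusterIdentifier": "cc-prod-db-cluster", "AvailabilityZone": "us-east-1a",
        "NodeType": "ds2.xlarge", "Encrypted": False,
    }]
}

if __name__ == "__main__":
    plan = plan_relaunch(SAMPLE_DESCRIBE, "us-east-1", "cc-prod-db-new-cluster",
                         "awsmasterusr", "cc-prod-db-cluster-final-snapshot")
    print(shlex.join(plan["create"]))  # safe to log: contains no password
    print(shlex.join(plan["delete"]))
    password = os.environ.get("REDSHIFT_MASTER_PASSWORD")
    if password:
        executable = with_master_password(plan["create"], password)
        print(f"create-cluster argv ready ({len(executable)} tokens); pass it to subprocess.run")
```

The delete argv is only safe to run after step 07 (data migrated) and step 08 (application endpoint updated) have completed, which is why the plan returns it separately instead of executing it; the final snapshot identifier is mandatory in the plan so the old cluster is never dropped without a recovery point.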
References
- AWS Documentation
- Managing Database Security
- Users
- Superusers
- Amazon Redshift Clusters
- Managing Clusters Using the Console
- Manage Clusters Using the Amazon Redshift CLI and API
- AWS Command Line Interface (CLI) Documentation
- redshift
- describe-clusters
- create-cluster
- delete-cluster