Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Hub controls for Amazon Redshift Serverless

These Amazon Security Hub controls evaluate the Amazon Redshift Serverless service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing

Category: Protect > Secure network configuration > Resources within VPC

Severity: High

Resource type: AWS::RedshiftServerless::Workgroup

Amazon Config rule: redshift-serverless-workgroup-routes-within-vpc

Schedule type: Periodic

Parameters: None

This control checks whether enhanced VPC routing is enabled for an Amazon Redshift Serverless workgroup. The control fails if enhanced VPC routing is disabled for the workgroup.

If enhanced VPC routing is disabled for an Amazon Redshift Serverless workgroup, Amazon Redshift routes traffic through the internet, including traffic to other services within the Amazon network. If you enable enhanced VPC routing for a workgroup, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your virtual private cloud (VPC) based on the Amazon VPC service. With enhanced VPC routing, you can use standard VPC features to control the flow of data between your Amazon Redshift cluster and other resources. This includes features such as VPC security groups and endpoint policies, network access control lists (ACLs), and Domain Name System (DNS) servers. You can also use VPC flow logs to monitor COPY and UNLOAD traffic.

Remediation

For more information about enhanced VPC routing and how to enable it for a workgroup, see Controlling network traffic with Redshift enhanced VPC routing in the Amazon Redshift Management Guide.

[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL

Category: Protect > Data Protection > Encryption of data-in-transit

Severity: Medium

Resource type: AWS::RedshiftServerless::Workgroup

Amazon Config rule: redshift-serverless-workgroup-encrypted-in-transit

Schedule type: Periodic

Parameters: None

This control checks whether connections to an Amazon Redshift Serverless workgroup are required to encrypt data in transit. The control fails if the require_ssl configuration parameter for the workgroup is set to false.

An Amazon Redshift Serverless workgroup is a collection of compute resources that groups together compute resources like RPUs, VPC subnet groups, and security groups. Properties of a workgroup include network and security settings. These settings specify whether connections to a workgroup should be required to use SSL to encrypt data in transit.

Remediation

For information about updating the settings for an Amazon Redshift Serverless workgroup to require SSL connections, see Connecting to Amazon Redshift Serverless in the Amazon Redshift Management Guide.

[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access

Category: Protect > Secure network configuration > Resources not publicly accessible

Severity: High

Resource type: AWS::RedshiftServerless::Workgroup

Amazon Config rule: redshift-serverless-workgroup-no-public-access

Schedule type: Periodic

Parameters: None

This control checks whether public access is disabled for an Amazon Redshift Serverless workgroup. It evaluates the publiclyAccessible property of a Redshift Serverless workgroup. The control fails if public access is enabled (true) for the workgroup.

The public access (publiclyAccessible) setting for an Amazon Redshift Serverless workgroup specifies whether the workgroup can be accessed from a public network. If public access is enabled (true) for a workgroup, Amazon Redshift creates an Elastic IP address that makes the workgroup publicly accessible from outside the VPC. If you don't want a workgroup to be publicly accessible, disable public access for it.

Remediation

For information about changing the public access setting for an Amazon Redshift Serverless workgroup, see Viewing the properties for a workgroup in the Amazon Redshift Management Guide.

[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys

Related requirements: NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-12(2), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

Category: Protect > Data Protection > Encryption of data-at-rest

Severity: Medium

Resource type: AWS::RedshiftServerless::Namespace

Amazon Config rule: redshift-serverless-namespace-cmk-encryption

Schedule type: Periodic

Parameters:

This control checks whether an Amazon Redshift Serverless namespace is encrypted at rest with a customer managed Amazon KMS key. The control fails if the Redshift Serverless namespace isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.

In Amazon Redshift Serverless, a namespace defines a logical container for database objects. This control periodically checks whether the encryption settings for a namespace specify a customer managed Amazon KMS key, instead of an Amazon managed KMS key, for encryption of data in the namespace. With a customer managed KMS key, you have full control of the key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key.

Remediation

For information about updating the encryption settings for an Amazon Redshift Serverless namespace and specifying a customer managed Amazon KMS key, see Changing the Amazon KMS key for a namespace in the Amazon Redshift Management Guide.

[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username

Category: Identify > Resource configuration

Severity: Medium

Resource type: AWS::RedshiftServerless::Namespace

Amazon Config rule: redshift-serverless-default-admin-check

Schedule type: Periodic

Parameters:

This control checks whether the admin username for an Amazon Redshift Serverless namespace is the default admin username, admin. The control fails if the admin username for the Redshift Serverless namespace is admin. You can optionally specify a list of admin usernames for the control to include in the evaluation.

When creating an Amazon Redshift Serverless namespace, you should specify a custom admin username for the namespace. The default admin username is public knowledge. By specifying a custom admin username, you can, for example, help mitigate the risk or effectiveness of brute force attacks against the namespace.

Remediation

You can change the admin username for an Amazon Redshift Serverless namespace by using the Amazon Redshift Serverless console or API. To change it by using the console, choose the namespace configuration, and then choose Edit admin credentials on the Actions menu. To change it programmatically, use the UpdateNamespace operation or, if you’re using the Amazon CLI, run the update-namespace command. If you change the admin username, you must also change the admin password at the same time.

[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs

Category: Identify > Logging

Severity: Medium

Resource type: AWS::RedshiftServerless::Namespace

Amazon Config rule: redshift-serverless-publish-logs-to-cloudwatch

Schedule type: Periodic

Parameters: None

This control checks whether an Amazon Redshift Serverless namespace is configured to export connection and user logs to Amazon CloudWatch Logs. The control fails if the Redshift Serverless namespace isn't configured to export the logs to CloudWatch Logs.

If you configure Amazon Redshift Serverless to export connection log (connectionlog) and user log (userlog) data to a log group in Amazon CloudWatch Logs, you can collect and store your log records in durable storage, which can support security, access, and availability reviews and audits. With CloudWatch Logs, you can also perform real-time analysis of log data and use CloudWatch to create alarms and review metrics.

Remediation

To export log data for an Amazon Redshift Serverless namespace to Amazon CloudWatch Logs, the respective logs must be selected for export in the audit logging configuration settings for the namespace. For information about updating these settings, see Editing security and encryption in the Amazon Redshift Management Guide.

[RedshiftServerless.7] Redshift Serverless namespaces should not use the default database name

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Identify > Resource configuration

Severity: Medium

Resource type: AWS::RedshiftServerless::Namespace

Amazon Config rule: redshift-serverless-default-db-name-check

Schedule type: Periodic

Parameters: None

This control checks whether an Amazon Redshift Serverless namespace uses the default database name, dev. The control fails if the Redshift Serverless namespace uses the default database name, dev.

When creating an Amazon Redshift Serverless namespace, you should specify a unique, custom value for the database name and not use the default database name, which is dev. The default database name is public knowledge. By specifying a different database name, you can mitigate risks such as unauthorized users inadvertently gaining access to data in the namespace.

Remediation

You can't change the database name for an Amazon Redshift Serverless namespace after you create the namespace. You can, however, specify a custom database name for a Redshift Serverless namespace when you create the namespace. For information about creating a namespace, see Workgroups and namespaces in the Amazon Redshift Management Guide.