Skip to content

Redshift cluster should be deployed into a specific VPC

Default Severity: high

Explanation

Redshift clusters that are created without subnet details will be created in EC2 classic mode, meaning that they will be outside of a known VPC and running in tenant.

In order to benefit from the additional security features achieved with using an owned VPC, the subnet should be set.

Possible Impact

Redshift cluster does not benefit from VPC security if it is deployed in EC2 classic mode

Suggested Resolution

Deploy Redshift cluster into a non default VPC

Insecure Example

The following example will fail the aws-redshift-use-vpc check.

 resource "aws_redshift_cluster" "bad_example" {
    cluster_identifier = "tf-redshift-cluster"
    database_name      = "mydb"
    master_username    = "foo"
    master_password    = "Mustbe8characters"
    node_type          = "dc1.large"
    cluster_type       = "single-node"
 }

Secure Example

The following example will pass the aws-redshift-use-vpc check.

 resource "aws_redshift_cluster" "good_example" {
    cluster_identifier = "tf-redshift-cluster"
    database_name      = "mydb"
    master_username    = "foo"
    master_password    = "Mustbe8characters"
    node_type          = "dc1.large"
    cluster_type       = "single-node"

    cluster_subnet_group_name = "redshift_subnet"
 }