Skip to main content
CRITICALRedshiftSecurity

Redshift Publicly Accessible

redshift-publicly-accessible

What this rule checks

Detects Redshift clusters reachable from the public internet.

How to fix it

  1. 1Set PubliclyAccessible: false
  2. 2Use VPC endpoints, bastion hosts, or VPN for access
FlaggedpubliclyAccessible true exposes the Redshift cluster endpoint to the public internet.
import { aws_ec2 as ec2, aws_redshift as redshift } from 'aws-cdk-lib';

const vpc = new ec2.Vpc(this, 'Vpc');

new redshift.CfnCluster(this, 'Cluster', {
  clusterType: 'single-node',
  nodeType: 'ra3.xlplus',
  masterUsername: 'admin',
  masterUserPassword: '{{resolve:secretsmanager:redshift:SecretString:password}}',
  dbName: 'analytics',
  publiclyAccessible: true,
});
FixedThe cluster is placed in a private subnet group with publiclyAccessible false, keeping its endpoint inside the VPC.
import { aws_ec2 as ec2, aws_redshift as redshift } from 'aws-cdk-lib';

const vpc = new ec2.Vpc(this, 'Vpc');
const subnetGroup = new redshift.CfnClusterSubnetGroup(this, 'SubnetGroup', {
  description: 'Private subnets',
  subnetIds: vpc.privateSubnets.map((s) => s.subnetId),
});

new redshift.CfnCluster(this, 'Cluster', {
  clusterType: 'single-node',
  nodeType: 'ra3.xlplus',
  masterUsername: 'admin',
  masterUserPassword: '{{resolve:secretsmanager:redshift:SecretString:password}}',
  dbName: 'analytics',
  clusterSubnetGroupName: subnetGroup.ref,
  publiclyAccessible: false,
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::Redshift::Cluster

Compliance frameworks

SOC2HIPAAPCI-DSSCISNIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate โ€” a genuinely public endpoint, say. You can dismiss redshift-publicly-accessible and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "redshift-publicly-accessible", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::redshift-publicly-accessible',
  reason: 'Why this is intentional',
});

Use the rule ID redshift-publicly-accessible shown above โ€” not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs โ†’

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ€” free, no account, your code never leaves your machine.

More Redshift rules