Ensure the default user is not used

Description

Ensures that Redshift clusters do not use the default master username "awsuser". Redshift clusters are created with the default username "awsuser" unless a custom username is provided.

Rationale

Using the default username makes it more likely that scraping software will guess the master username. Selecting a custom username means that attackers must obtain a username and password pair, which prevents a brute force attack on the password alone. This offers more security for the master account.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     redshift

Default Rule

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if redshift instance is not using 'awsuser' as master username
 */
function validate(databaseSettings) {
    const defaultUser = "awsuser"
    // Coerce to a boolean so that missing settings yield success: false, not undefined
    const success = Boolean(
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.redshiftCluster &&
        databaseSettings.awsDatabaseInstance.redshiftCluster.masterUsername !== defaultUser
    )

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
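
The same check can be run across a whole account from the JSON that `aws redshift describe-clusters` returns. The following is an added example, not part of the rule above or of the product's own code; the function names and the sample response are constructed for illustration, and only the `Clusters`, `ClusterIdentifier` and `MasterUsername` fields of the response are assumed.

```javascript
const DEFAULT_MASTER_USERNAME = "awsuser";

/**
 * Classify every cluster in a DescribeClusters response.
 * @param {Object} response - parsed JSON from `aws redshift describe-clusters`
 * @returns {Array<{cluster: string, status: string, detail: string}>}
 */
function auditMasterUsernames(response) {
    const clusters = (response && Array.isArray(response.Clusters)) ? response.Clusters : [];
    return clusters.map((c) => {
        const id = c.ClusterIdentifier || "(unknown)";
        const name = c.MasterUsername;
        if (typeof name !== "string" || name.length === 0) {
            // Missing data is not a pass: report it so that someone looks at it.
            return { cluster: id, status: "UNKNOWN", detail: "MasterUsername missing from response" };
        }
        if (name === DEFAULT_MASTER_USERNAME) {
            return { cluster: id, status: "FAIL", detail: `master username is the default "${name}"` };
        }
        return { cluster: id, status: "PASS", detail: "custom master username" };
    });
}

/** Count findings per status, e.g. for a dashboard or a CI gate. */
function summarize(findings) {
    const counts = { PASS: 0, FAIL: 0, UNKNOWN: 0 };
    for (const f of findings) counts[f.status] += 1;
    return counts;
}

// Constructed sample input (hypothetical cluster names, not real clusters).
const sampleResponse = {
    Clusters: [
        { ClusterIdentifier: "analytics-prod", MasterUsername: "awsuser" },
        { ClusterIdentifier: "reporting-dev", MasterUsername: "rpt_admin_7f" },
        { ClusterIdentifier: "legacy-import" },
    ],
};

const sampleFindings = auditMasterUsernames(sampleResponse);
for (const f of sampleFindings) {
    console.log(`${f.status.padEnd(7)} ${f.cluster}: ${f.detail}`);
}
console.log(summarize(sampleFindings));
```

Unlike the default rule, this version reports a cluster with no `MasterUsername` in the response as `UNKNOWN` instead of letting it pass.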