
Ensure cluster is within a VPC

Description

Ensures that Redshift clusters belong to a Virtual Private Cloud (VPC). Amazon Redshift clusters can be deployed in a VPC, a service that lets you build a virtual network that is logically isolated from the rest of the AWS Cloud.

A VPC deployment can include the following components:

  • A VPC
  • Subnet
  • Internet Gateway
  • NAT Gateway
  • Virtual private gateway
  • Peering Connection
  • VPC Endpoints
  • Egress-only Internet Gateway

Rationale

Deploying a Redshift cluster within a VPC instead of EC2-Classic allows for stronger controls over network access. VPCs provide more advanced and granular security controls over the services inside them, including whether and how those services are exposed to the internet. This helps reduce the number of network paths an attacker could use to reach the cluster.

More information about VPCs can be found at https://aws.amazon.com/vpc/.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     redshift

Default Rule

// `module` is the helper object provided by the SecureCloudDB rule environment;
// isEmpty reports whether a value is null, undefined, blank or an empty collection.
const { isEmpty } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the cluster is in a VPC
 */
function validate(databaseSettings) {
    // Each `&&` step guards the next property access, so a settings object
    // without a Redshift cluster fails the check instead of throwing.
    // Boolean() turns a short-circuited undefined into an explicit false.
    const success = Boolean(
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.redshiftCluster &&
        !isEmpty(databaseSettings.awsDatabaseInstance.redshiftCluster.vpcId)
    )

    return {
        success,
    }
}

// invoke (databaseSettings is supplied by the rule environment)
validate(databaseSettings);
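The rule above only runs inside the SecureCloudDB environment, which supplies both `module.isEmpty` and `databaseSettings`. The following stand-alone harness is an added example, not SecureCloudDB's own code: it reproduces the rule's logic with a local `isEmpty` helper (assumed to behave like the platform helper for the values this rule sees) and evaluates it against constructed `databaseSettings` objects covering a VPC cluster, an EC2-Classic cluster with a null `vpcId`, a whitespace-only `vpcId`, a non-Redshift database and an empty settings object. All identifiers in the samples are hypothetical.

```javascript
// Added example, not part of the SecureCloudDB rule page.
// Local stand-in for the platform's isEmpty helper (assumption: null,
// undefined, blank strings, empty arrays and empty objects count as empty).
function isEmpty(value) {
  if (value === null || value === undefined) return true;
  if (typeof value === 'string') return value.trim().length === 0;
  if (Array.isArray(value)) return value.length === 0;
  if (typeof value === 'object') return Object.keys(value).length === 0;
  return false;
}

// Same check as the rule: the cluster passes only when it is a Redshift
// cluster and its vpcId is a non-empty value. Boolean() makes the
// short-circuited cases return false rather than undefined.
function validate(databaseSettings) {
  const instance = databaseSettings && databaseSettings.awsDatabaseInstance;
  const cluster = instance && instance.redshiftCluster;
  const success = Boolean(cluster && !isEmpty(cluster.vpcId));
  return { success };
}

// Constructed sample inputs (hypothetical identifiers, not real resources).
const samples = {
  inVpc: {
    awsDatabaseInstance: {
      redshiftCluster: { clusterIdentifier: 'analytics-prod', vpcId: 'vpc-0example1234567890' },
    },
  },
  classic: {
    // EC2-Classic style cluster: no VPC association at all.
    awsDatabaseInstance: {
      redshiftCluster: { clusterIdentifier: 'legacy-classic', vpcId: null },
    },
  },
  blankVpc: {
    // Present but blank vpcId must not be mistaken for a VPC deployment.
    awsDatabaseInstance: {
      redshiftCluster: { clusterIdentifier: 'misreported', vpcId: '   ' },
    },
  },
  notRedshift: {
    // A different database type; in the platform the service tag would keep
    // this rule from running, but the check still fails closed on it.
    awsDatabaseInstance: {
      rdsInstance: { dbInstanceIdentifier: 'orders-db' },
    },
  },
  noInstance: {},
};

// Evaluate every sample and collect a name -> pass/fail map.
function evaluateAll(settingsByName) {
  const results = {};
  for (const [name, settings] of Object.entries(settingsByName)) {
    results[name] = validate(settings).success;
  }
  return results;
}

// Return the names of samples that fail the rule, i.e. clusters a reviewer
// would flag as not being inside a VPC.
function failingClusters(settingsByName) {
  return Object.entries(evaluateAll(settingsByName))
    .filter(([, passed]) => !passed)
    .map(([name]) => name);
}

console.log(evaluateAll(samples));
console.log('failing:', failingClusters(samples));
```

Only `inVpc` passes; every other sample is reported as failing, which is the fail-closed behaviour a compliance rule should have when the data it needs is absent or malformed.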