Compliance · Critical severity

AWS Security Hub · Redshift

Redshift.1: A Redshift cluster is publicly accessible

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.1 check?

Redshift.1 evaluates the PubliclyAccessible attribute on every Redshift cluster and fails any cluster where it is true. A public cluster is given a public IP and an internet-routable endpoint; a private cluster is reachable only from inside its VPC and from networks connected to it. The control looks at the attribute alone, not at the attached security groups, and it is change-triggered, so it re-evaluates as soon as a cluster is created or modified.

Why does Redshift.1 matter?

A Redshift warehouse is where an organisation's most concentrated data lands: consolidated customer records, financials, joined-up analytics. Making the cluster publicly accessible removes network isolation, the single biggest barrier, so only the security group and the database credential stand between the internet and the whole dataset; in practice a public cluster is often paired with a security group open on the cluster port (the condition Redshift.15 flags), and then the credential is all that is left. Internet-wide port scanners index a newly exposed endpoint within hours, and automated password guessing against port 5439 follows.

How do I fix Redshift.1?

  1. Set PubliclyAccessible to false with aws redshift modify-cluster --no-publicly-accessible, or recreate the cluster as private. The cluster must be in a VPC for a private endpoint to make sense.
  2. Place the cluster in private subnets and reach it through a VPN, Direct Connect, or a bastion/proxy inside the VPC.
  3. Restrict the cluster's security group so the cluster port (5439 by default) accepts traffic only from known internal CIDRs and application security groups, never 0.0.0.0/0 or ::/0.
  4. Add the AWS Config managed rule redshift-cluster-public-access-check so any future public cluster is flagged automatically, and enforce the setting in your infrastructure-as-code pipeline so none is launched publicly in the first place.

Remediation script · bash

# Find every cluster that fails Redshift.1 and flip it private.
# modify-cluster is asynchronous: the cluster moves to "modifying" and the
# public endpoint is withdrawn once the change is applied.
for cluster in $(aws redshift describe-clusters \
    --query 'Clusters[?PubliclyAccessible==`true`].ClusterIdentifier' --output text); do
  aws redshift modify-cluster --cluster-identifier "$cluster" --no-publicly-accessible
  echo "$cluster: public access removal requested"
done

# Verify after the modification completes: this query should return no rows.
aws redshift describe-clusters \
  --query 'Clusters[?PubliclyAccessible==`true`].[ClusterIdentifier,Endpoint.Address]' \
  --output table

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is Redshift.1 a false positive?

Genuine need for a public Redshift endpoint is rare. Because Redshift.1 is evaluated on the attribute alone, a public cluster whose security group admits only a single /32 still fails, and that is the intended behaviour: the finding is about the cluster's design, not the current ingress rule. If a BI tool or partner needs access, front it with a private connection (VPN, Direct Connect, or a proxy inside your VPC) rather than flipping the cluster public.
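To make the two points above concrete (the control fails on the flag regardless of the security group, and a public cluster with an open security group is the combination to fix first), here is an added example, written for this page and not part of AWS's Security Hub implementation. It evaluates Redshift.1 alongside the security-group exposure Redshift.15 describes, working offline over two constructed JSON documents shaped like `aws redshift describe-clusters` and `aws ec2 describe-security-groups` output. Cluster names, hostnames and security-group IDs are placeholders; the `evaluate`, `port_open_to_world` and `remediation_commands` functions are this example's own.

```python
"""Offline evaluation of Redshift.1 (public flag) and Redshift.15 (open cluster port).

Added example for this page, not AWS's own Security Hub code. The two JSON
documents are constructed samples shaped like `aws redshift describe-clusters`
and `aws ec2 describe-security-groups` output; names and IDs are placeholders.
"""
import json
from ipaddress import ip_network

# Constructed sample: three clusters, two of them flagged PubliclyAccessible.
CLUSTERS_JSON = """{"Clusters": [
 {"ClusterIdentifier": "analytics-prod", "PubliclyAccessible": true,
  "Endpoint": {"Address": "analytics-prod.example.com", "Port": 5439},
  "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaaa00000000001", "Status": "active"}]},
 {"ClusterIdentifier": "finance-dw", "PubliclyAccessible": true,
  "Endpoint": {"Address": "finance-dw.example.com", "Port": 5439},
  "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaaa00000000002", "Status": "active"}]},
 {"ClusterIdentifier": "internal-bi", "PubliclyAccessible": false,
  "Endpoint": {"Address": "internal-bi.example.com", "Port": 5439},
  "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaaa00000000003", "Status": "active"}]}
]}"""

# Constructed sample: one group open to the world, one pinned to a partner /32,
# one internal-only rule that uses IpProtocol "-1" (all protocols, no port fields).
SGS_JSON = """{"SecurityGroups": [
 {"GroupId": "sg-0aaaa00000000001", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0aaaa00000000002", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
    "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0aaaa00000000003", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}"""


def port_open_to_world(sg, port):
    """True if any ingress rule that covers `port` admits 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") != "-1":  # "-1" = all protocols and all ports
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None or not (lo <= port <= hi):
                continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ip_network(c).prefixlen == 0 for c in cidrs):
            return True
    return False


def evaluate(clusters, security_groups):
    """One finding per cluster: Redshift.1 status, Redshift.15 status, and a priority."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for c in clusters:
        port = c["Endpoint"]["Port"]
        attached = [sg_by_id[g["VpcSecurityGroupId"]] for g in c.get("VpcSecurityGroups", [])]
        public = bool(c.get("PubliclyAccessible"))
        world_open = any(port_open_to_world(sg, port) for sg in attached)
        if public and world_open:
            priority = "critical"  # anyone who finds the endpoint can reach the login prompt
        elif public:
            priority = "high"      # Redshift.1 still fails: only the security group is in the way
        else:
            priority = "info"
        findings.append({
            "cluster": c["ClusterIdentifier"],
            "redshift_1": "FAILED" if public else "PASSED",
            "redshift_15": "FAILED" if world_open else "PASSED",
            "priority": priority,
        })
    return findings


def remediation_commands(findings):
    """The AWS CLI command that fixes Redshift.1, one per failing cluster."""
    return [f"aws redshift modify-cluster --cluster-identifier {f['cluster']} --no-publicly-accessible"
            for f in findings if f["redshift_1"] == "FAILED"]


def audit():
    """Evaluate the embedded sample documents."""
    clusters = json.loads(CLUSTERS_JSON)["Clusters"]
    sgs = json.loads(SGS_JSON)["SecurityGroups"]
    return evaluate(clusters, sgs)


if __name__ == "__main__":
    results = audit()
    for f in results:
        print(f"{f['cluster']:<16} Redshift.1={f['redshift_1']:<7} "
              f"Redshift.15={f['redshift_15']:<7} {f['priority']}")
    print("\n".join(remediation_commands(results)))
```

Against the sample data, finance-dw fails Redshift.1 even though its security group admits a single partner address, which is exactly the situation the question above covers; analytics-prod fails both controls and is the one to fix first. To run this against a real account, replace the two constants with the output of the corresponding CLI calls.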

Part of the learning path Trim your network spend
  • Redshift.2 Connections to Redshift should be encrypted in transit
  • Redshift.3 Redshift clusters should have automatic snapshots
  • Redshift.4 Redshift clusters should have audit logging
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.7 Redshift clusters should use enhanced VPC routing
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.10 Redshift clusters should be encrypted at rest
  • Redshift.15 Redshift security groups should restrict ingress on the cluster port
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled