Compliance · High severity

AWS Security Hub · Redshift

Redshift.15: Redshift accepts cluster-port traffic from anywhere

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.15 check?

Redshift.15 checks the security groups attached to a cluster and fails when ingress to the cluster port is open to 0.0.0.0/0. It looks specifically for an allow-the-world rule on the database port, not at the cluster's PubliclyAccessible flag (that is a separate control).

Why does Redshift.15 matter?

An open cluster port leaves only the database credential between every port scanner and bot on the internet and your warehouse — no network boundary, no allow-list. These rules almost always creep in as a temporary "just get it working" change that never gets reverted. Redshift.15 maps directly to PCI DSS v4.0.1 requirement 1.3.1.

How do I fix Redshift.15?

  1. Identify the security group rule opening the cluster port (default 5439) to 0.0.0.0/0 and remove it.
  2. Replace it with rules scoped to specific application security groups or known internal CIDRs.
  3. Front any external access with a VPN, Direct Connect, or bastion rather than a public ingress rule.
  4. Add a guardrail (Config rule or SCP) to block 0.0.0.0/0 on data-store ports going forward.
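To make step 1 repeatable, the following added example (not Emnode's code, and not the Security Hub implementation) evaluates security-group rules the way the control does, over a constructed sample shaped like `aws ec2 describe-security-groups` output. It goes slightly beyond the control as described above: it also flags ::/0, port ranges that merely include 5439, and all-traffic (`-1`) rules.

```python
"""Flag security groups that expose the Redshift cluster port to the world."""

WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def rule_covers_port(perm, port):
    """True if an IpPermissions entry applies to TCP `port` (or is all-traffic)."""
    if perm.get("IpProtocol") == "-1":          # "-1" means every protocol and port
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_rules(ip_permissions, port=5439):
    """Return (protocol, from, to, cidr) for each rule exposing `port` to everyone."""
    findings = []
    for perm in ip_permissions:
        if not rule_covers_port(perm, port):
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                findings.append((perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


def evaluate(security_groups, port=5439):
    """Map each GroupId to PASSED/FAILED, mirroring the control's verdict."""
    return {sg["GroupId"]: ("FAILED" if world_open_rules(sg.get("IpPermissions", []), port)
                            else "PASSED") for sg in security_groups}


# Constructed sample: three groups with hypothetical ids, not real account data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0range", "IpPermissions": [   # wide range that happens to include 5439
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ok", "IpPermissions": [      # internal CIDR plus an app-tier group
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0app1234"}]}]},
]

if __name__ == "__main__":
    for group_id, verdict in evaluate(SAMPLE_GROUPS).items():
        print(group_id, verdict)
```

Feed the script real data by loading the JSON from `aws ec2 describe-security-groups --output json` and passing its `SecurityGroups` list to `evaluate`.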

Remediation script · bash

# Revoke the world-open rule on the cluster port (default 5439), covering both IPv4 and IPv6 in one call.
# If the group has only the IPv4 rule, drop the Ipv6Ranges part: revoke is rejected when any listed rule does not exist.
aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d \
  --ip-permissions 'IpProtocol=tcp,FromPort=5439,ToPort=5439,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]'

# Where access is genuinely needed, re-add it scoped to a source security group, not a CIDR.
aws ec2 authorize-security-group-ingress --group-id sg-0a1b2c3d \
  --ip-permissions 'IpProtocol=tcp,FromPort=5439,ToPort=5439,UserIdGroupPairs=[{GroupId=sg-0app1234,Description=app-tier}]'

# Strip a default security group to empty by feeding its current rules back into revoke.
# --output json keeps the list parseable whatever the CLI's configured default format is.
INGRESS=$(aws ec2 describe-security-groups --group-ids sg-0default01 \
  --output json --query 'SecurityGroups[0].IpPermissions')
[ "$INGRESS" != "[]" ] && aws ec2 revoke-security-group-ingress \
  --group-id sg-0default01 --ip-permissions "$INGRESS"

Full walkthrough (console steps, edge cases and verification) in the lesson Harden security groups and restrict ingress.

Part of the learning path Lock down access
  • Redshift.1 A Redshift cluster is publicly accessible
  • Redshift.2 Connections to Redshift should be encrypted in transit
  • Redshift.3 Redshift clusters should have automatic snapshots
  • Redshift.4 Redshift clusters should have audit logging
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.7 Redshift clusters should use enhanced VPC routing
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.10 Redshift clusters should be encrypted at rest
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled