Compliance · Medium severity

AWS Security Hub · Redshift

Redshift.7: Redshift clusters should use enhanced VPC routing

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Redshift.7 check?

Redshift.7 reads the EnhancedVpcRouting field on each cluster and fails the cluster when that field is false. With enhanced VPC routing enabled, Redshift forces all COPY and UNLOAD traffic between the cluster and its data repositories (S3, DynamoDB, remote hosts) through your VPC; with it disabled, that traffic takes the internet path by default, even when it stays inside the AWS network.

Why does Redshift.7 matter?

COPY and UNLOAD are typically the largest, most data-rich movements in a warehouse — full table loads and bulk exports. With enhanced routing off, that traffic can travel outside your VPC, out of reach of your security groups, NACLs, and flow logs, leaving a monitoring blind spot. The control maps to the NIST 800-53 SC-7 boundary-protection family.

How do I fix Redshift.7?

  1. Set EnhancedVpcRouting to true on the cluster.
  2. Create the VPC endpoints the cluster needs (a Gateway Endpoint for S3, interface endpoints for others).
  3. Verify COPY/UNLOAD jobs still reach their targets through the VPC path before relying on it.
  4. Use VPC endpoint policies to constrain which buckets the cluster may talk to.

Remediation script · bash

# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88

aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services.
# A free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing
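The script above stops at flipping the flag and assumes the S3 gateway endpoint already exists. The following is an added example, not emnode's remediation script, that works through all four fix steps for one cluster and ends with the verification the false-positive note asks for. It reuses the cluster name analytics-prod from this page; ROUTE_TABLE, the two bucket names and the sample JSON are constructed placeholders, and the AWS CLI is assumed to be configured for the account. The helpers endpoint_policy, evaluate_redshift_7 and count_ids are pure and run offline; AWS is only contacted when the script is invoked with `apply`.

```shell
#!/usr/bin/env bash
# Added example (not emnode's script): remediate and verify Redshift.7 for one cluster.
# Usage:  ./redshift7.sh apply analytics-prod      (live AWS calls)
#         ./redshift7.sh demo                      (offline, shows the helpers on sample data)
set -eu

REGION="${AWS_REGION:-us-east-1}"
ROUTE_TABLE="${ROUTE_TABLE:-rtb-PLACEHOLDER}"                              # route table of the cluster subnets (placeholder)
ALLOWED_BUCKETS="${ALLOWED_BUCKETS:-analytics-landing analytics-exports}"  # constructed bucket names

# Step 4: S3 gateway-endpoint policy that only permits the named buckets.
# Pure: prints JSON and touches nothing, so it can be reviewed before it is applied.
endpoint_policy() {
  resources=""
  for b in "$@"; do
    resources="${resources:+$resources,}\"arn:aws:s3:::$b\",\"arn:aws:s3:::$b/*\""
  done
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":["s3:GetObject","s3:PutObject","s3:ListBucket"],"Resource":[%s]}]}\n' "$resources"
}

# Step 1 verification: judge describe-clusters JSON the way Redshift.7 does.
# PASS only when EnhancedVpcRouting is true; a false value or a missing field is FAIL.
evaluate_redshift_7() {
  if printf '%s' "$1" | grep -Eq '"EnhancedVpcRouting"[[:space:]]*:[[:space:]]*true'; then
    echo PASS
  else
    echo FAIL
  fi
}

# Step 2 helper: count endpoint ids in the whitespace-separated text the CLI returns ("" -> 0).
count_ids() {
  set -- ${1:-}
  echo "$#"
}

# Live: ids of S3 gateway endpoints already attached to a VPC.
s3_gateway_endpoints() {
  aws ec2 describe-vpc-endpoints --region "$REGION" \
    --filters "Name=vpc-id,Values=$1" "Name=service-name,Values=com.amazonaws.$REGION.s3" \
              "Name=vpc-endpoint-type,Values=Gateway" \
    --query 'VpcEndpoints[].VpcEndpointId' --output text
}

remediate() {
  cluster="$1"
  vpc=$(aws redshift describe-clusters --region "$REGION" --cluster-identifier "$cluster" \
          --query 'Clusters[0].VpcId' --output text)

  # Step 2: the private path to S3 must exist before routing is forced, or COPY/UNLOAD breaks.
  if [ "$(count_ids "$(s3_gateway_endpoints "$vpc")")" -eq 0 ]; then
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$vpc" \
      --vpc-endpoint-type Gateway --service-name "com.amazonaws.$REGION.s3" \
      --route-table-ids "$ROUTE_TABLE" \
      --policy-document "$(endpoint_policy $ALLOWED_BUCKETS)"
  fi

  # Step 1: flip the flag, then wait; the cluster can reboot to apply the change.
  aws redshift modify-cluster --region "$REGION" --cluster-identifier "$cluster" --enhanced-vpc-routing
  aws redshift wait cluster-available --region "$REGION" --cluster-identifier "$cluster"

  # Step 3: confirm the field the control reads, then run a real COPY/UNLOAD before relying on it.
  evaluate_redshift_7 "$(aws redshift describe-clusters --region "$REGION" \
                           --cluster-identifier "$cluster" --output json)"
}

# Constructed sample of describe-clusters output for the offline demo.
SAMPLE_FAILING='{"Clusters":[{"ClusterIdentifier":"analytics-prod","EnhancedVpcRouting": false}]}'

case "${1:-}" in
  apply) remediate "${2:?cluster identifier required}" ;;
  demo)  evaluate_redshift_7 "$SAMPLE_FAILING"; endpoint_policy $ALLOWED_BUCKETS ;;
esac
```

Keep the endpoint policy narrow: `Principal: "*"` is normal for a gateway endpoint policy because the principal is whoever inside the VPC reaches the endpoint, so the bucket list is what actually limits where COPY and UNLOAD can send data. Step 3 deliberately stays manual: a PASS on the field tells you the control is satisfied, not that the route table the endpoint is attached to is the one the cluster subnets use.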

Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).

Is Redshift.7 a false positive?

Turning this on can break COPY/UNLOAD jobs if the matching VPC endpoints or NAT routing aren't in place — test connectivity rather than assuming it's a no-op flag flip.

Part of the learning path Tighten your databases
  • Redshift.1 A Redshift cluster is publicly accessible
  • Redshift.2 Connections to Redshift should be encrypted in transit
  • Redshift.3 Redshift clusters should have automatic snapshots
  • Redshift.4 Redshift clusters should have audit logging
  • Redshift.6 Redshift should auto-upgrade major versions
  • Redshift.8 Redshift should not use the default admin username
  • Redshift.10 Redshift clusters should be encrypted at rest
  • Redshift.15 Redshift accepts cluster-port traffic from anywhere
  • Redshift.16 Redshift subnet groups should span multiple AZs
  • Redshift.18 Redshift clusters should have Multi-AZ enabled