Redshift.8: Redshift should not use the default admin username
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Redshift.8 check?
Redshift.8 fails any cluster whose master username is the well-known default awsuser. Tutorials, quick-start templates, and clusters launched without an explicit username commonly end up with this name.
Why does Redshift.8 matter?
Half of any credential attack is guessing the username; a publicly documented admin name like awsuser hands attackers that half for free and lets them spend every attempt on the password. The master account can read and write every table, manage users, and alter the cluster, so a guessed password on a known name is full compromise.
How do I fix Redshift.8?
- Set a non-default, non-guessable master username when creating the cluster.
- Because the username is immutable, migrate existing awsuser clusters: snapshot, restore (or recreate) with a new admin name, and cut over.
- Enforce a non-default username in shared templates and runbooks so new clusters never inherit awsuser.
- Pair the rename with least-privilege roles for day-to-day query access.
Remediation script · bash
# Move the highest-impact databases onto IAM authentication first (free, no reboot).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?IAMDatabaseAuthenticationEnabled==`false`].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --enable-iam-database-authentication --apply-immediately
  echo "$db: IAM database authentication enabled"
done
# Find every instance still using a default admin username (immutable; needs migration).
aws rds describe-db-instances \
  --query "DBInstances[?contains(['admin','postgres','root','sa','master','mysql','dbadmin'], MasterUsername)].[DBInstanceIdentifier,MasterUsername]" \
  --output table
# Recreate one of those with a non-default master username set explicitly at creation.
aws rds restore-db-cluster-from-snapshot \
  --db-cluster-identifier prod-orders-db-v2 \
  --snapshot-identifier prod-orders-db-pre-rename \
  --engine aurora-postgresql
Full walkthrough (console steps, edge cases and verification) in the lesson Harden database auth, ports and access.
Is Redshift.8 a false positive?
You cannot rename the admin user on a running cluster — the master username is fixed at creation, so there is no in-place fix. The control is really telling you to set it correctly on the next build.
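Because the fix has to land at build time, the template advice above can be enforced as a pre-deploy check. The following is an added example, not code from this page or from AWS: it scans a CloudFormation JSON template for `AWS::Redshift::Cluster` resources whose `MasterUsername` is `awsuser`, including when the name arrives through a parameter default. The sample template, its logical IDs, and the `PASS`/`FAIL`/`UNRESOLVED` verdicts are constructs of this example.

```python
# Added example: pre-deploy Redshift.8 check for CloudFormation JSON templates.
import sys

DEFAULT_ADMIN = "awsuser"  # the username Redshift.8 fails on

def resolve_username(value, parameters):
    """Return the username the template deploys by default, or None if unknown."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        # Parameterised name: what matters is the Default a caller inherits.
        value = parameters.get(value["Ref"], {}).get("Default")
    # Other intrinsics (Fn::Sub, Fn::Join, ...) are not evaluated here.
    return value if isinstance(value, str) else None

def check_template(template):
    """Return [(logical_id, verdict)] for each AWS::Redshift::Cluster resource."""
    params = template.get("Parameters", {})
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Redshift::Cluster":
            continue
        name = resolve_username(res.get("Properties", {}).get("MasterUsername"), params)
        if name is None:
            verdict = "UNRESOLVED"  # supplied at deploy time: review the runbook
        elif name.lower() == DEFAULT_ADMIN:  # case-insensitive: conservative choice
            verdict = "FAIL"
        else:
            verdict = "PASS"
        findings.append((logical_id, verdict))
    return findings

def cluster(username):
    """Build a minimal cluster resource for the constructed sample below."""
    return {"Type": "AWS::Redshift::Cluster", "Properties": {"MasterUsername": username}}

# Constructed sample template (not from the page); all names are hypothetical.
SAMPLE_TEMPLATE = {
    "Parameters": {"AdminName": {"Type": "String", "Default": "awsuser"},
                   "OpsAdmin": {"Type": "String"}},
    "Resources": {"Literal": cluster("awsuser"),
                  "ViaDefault": cluster({"Ref": "AdminName"}),
                  "NoDefault": cluster({"Ref": "OpsAdmin"}),
                  "Renamed": cluster("dw_admin_7f3k"),
                  "Bucket": {"Type": "AWS::S3::Bucket"}},
}

if __name__ == "__main__":
    results = check_template(SAMPLE_TEMPLATE)
    for logical_id, verdict in results:
        print(f"{verdict:10} {logical_id}")
    sys.exit(1 if any(v == "FAIL" for _, v in results) else 0)
```

The non-zero exit on any `FAIL` lets the check gate a pipeline stage; `UNRESOLVED` marks names chosen at deploy time, which still need a runbook review.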
More Redshift controls
- Redshift.1 A Redshift cluster is publicly accessible
- Redshift.2 Connections to Redshift should be encrypted in transit
- Redshift.3 Redshift clusters should have automatic snapshots
- Redshift.4 Redshift clusters should have audit logging
- Redshift.6 Redshift should auto-upgrade major versions
- Redshift.7 Redshift clusters should use enhanced VPC routing
- Redshift.10 Redshift clusters should be encrypted at rest
- Redshift.15 Redshift accepts cluster-port traffic from anywhere
- Redshift.16 Redshift subnet groups should span multiple AZs
- Redshift.18 Redshift clusters should have Multi-AZ enabled