Ensure that your AWS Redshift database clusters are not using their default endpoint port (i.e. 5439) in order to promote port obfuscation as an additional layer of defense against non-targeted attacks.
Changing the default port number for Redshift database clusters represents a basic security measure and does not completely secure the clusters from port scanning and network attacks. To implement advanced Redshift database security, you should look into security measures such as restricting public access, controlling clusters access through security groups and Network Access Control Lists (NACLs) and encrypting the client connections to the database clusters using SSL.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Running your Redshift database clusters on the default port represent a potential security concern. Replacing the default port number (5439) with a custom one will add an extra layer of security, protecting your publicly accessible Amazon Redshift clusters from brute-force and dictionary attacks.
To determine if your existing Redshift database clusters are using their default port (i.e. port on which the Redshift databases accept connections), perform the following:
To change the default port number for your existing Amazon Redshift database clusters, perform the following steps: