🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 3 Redshift Serverless workgroups should prohibit public access

Description

This control checks whether public access is disabled for an Amazon Redshift Serverless workgroup. It evaluates the publiclyAccessible property of a Redshift Serverless workgroup. The control fails if public access is enabled (true) for the workgroup.

The public access (publiclyAccessible) setting for an Amazon Redshift Serverless workgroup specifies whether the workgroup can be accessed from a public network. If public access is enabled (true) for a workgroup, Amazon Redshift creates an Elastic IP address that makes the workgroup publicly accessible from outside the VPC. If you don't want a workgroup to be publicly accessible, disable public access for it.

Remediation

For information about changing the public access setting for an Amazon Redshift Serverless workgroup, see Viewing the properties for a workgroup in the Amazon Redshift Management Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_3 --share

SQL

This control uses a named query:

select
  workgroup_arn as resource,
  case
    when not publicly_accessible then 'ok'
    else 'alarm'
  end as status,
  case
    when not publicly_accessible  then title || ' restrict public access.'
    else title || ' allow public access.'
  end as reason
  
  , region, account_id
from
  aws_redshiftserverless_workgroup;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resources_not_publicly_accessible
foundational_security_item_id = redshiftserverless_3
plugin = aws
service = AWS/RedshiftServerless