Control: 3 Redshift Serverless workgroups should prohibit public access
Description
This control checks whether public access is disabled for an Amazon Redshift Serverless workgroup. It evaluates the publiclyAccessible property of a Redshift Serverless workgroup. The control fails if public access is enabled (true) for the workgroup.
The public access (publiclyAccessible) setting for an Amazon Redshift Serverless workgroup specifies whether the workgroup can be accessed from a public network. If public access is enabled (true) for a workgroup, Amazon Redshift creates an Elastic IP address that makes the workgroup publicly accessible from outside the VPC. If you don't want a workgroup to be publicly accessible, disable public access for it.
Remediation
For information about changing the public access setting for an Amazon Redshift Serverless workgroup, see Viewing the properties for a workgroup in the Amazon Redshift Management Guide.
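An added example, not part of the Powerpipe mod or the AWS documentation, of checking and remediating this control from the shell: it lists the workgroups in a region whose publiclyAccessible is true and, only when given --apply, disables the setting. It assumes AWS CLI v2 with credentials that may call ListWorkgroups and UpdateWorkgroup; the function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example: report and optionally fix Redshift Serverless workgroups
# that fail this control. Function names and --apply are hypothetical helpers.

# Print the names of workgroups in region $1 with publiclyAccessible=true,
# one per line. The CLI's text output separates list items with tabs and
# prints "None" for a null result (workgroup names are lowercase, so
# dropping "None" cannot hide a real workgroup).
public_workgroups() {
    aws redshift-serverless list-workgroups \
        --region "$1" \
        --query 'workgroups[?publiclyAccessible].workgroupName' \
        --output text | tr '\t' '\n' | sed '/^$/d;/^None$/d'
}

# Disable public access on workgroup $2 in region $1.
# stdin is redirected so the call cannot consume the caller's input loop.
disable_public_access() {
    aws redshift-serverless update-workgroup \
        --region "$1" \
        --workgroup-name "$2" \
        --no-publicly-accessible >/dev/null </dev/null
}

# Report every public workgroup in region $1; change it only if $2 is --apply.
# Prints one "<result> <region> <workgroup>" line per finding.
remediate_region() {
    region=$1 mode=${2:-}
    public_workgroups "$region" | while IFS= read -r wg; do
        if [ "$mode" = "--apply" ]; then
            if disable_public_access "$region" "$wg"; then
                echo "fixed $region $wg"
            else
                echo "failed $region $wg"
            fi
        else
            echo "alarm $region $wg"
        fi
    done
}

# Run only when a region is given, e.g.: sh fix-public-workgroups.sh us-east-1 [--apply]
if [ $# -ge 1 ]; then
    remediate_region "$@"
fi
```

Once the setting is off, the workgroup is no longer reachable from outside the VPC, so confirm that clients have a private path before using --apply.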
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_3 --share
SQL
This control uses a named query:
select
  workgroup_arn as resource,
  case
    when not publicly_accessible then 'ok'
    else 'alarm'
  end as status,
  case
    when not publicly_accessible then title || ' restrict public access.'
    else title || ' allow public access.'
  end as reason,
  region,
  account_id
from
  aws_redshiftserverless_workgroup;