turbot/steampipe-mod-aws-compliance

Control: 5 Redshift Serverless namespaces should not use the default admin username

Description

This control checks whether the admin username for an Amazon Redshift Serverless namespace is the default admin username, admin. The control fails if the admin username for the Redshift Serverless namespace is admin. You can optionally specify a list of admin usernames for the control to include in the evaluation.

When creating an Amazon Redshift Serverless namespace, you should specify a custom admin username for the namespace. The default admin username is public knowledge. By specifying a custom admin username, you can, for example, help mitigate the risk or effectiveness of brute force attacks against the namespace.

Remediation

You can change the admin username for an Amazon Redshift Serverless namespace by using the Amazon Redshift Serverless console or API. To change it by using the console, choose the namespace configuration, and then choose Edit admin credentials on the Actions menu. To change it programmatically, use the UpdateNamespace operation or, if you’re using the AWS CLI, run the update-namespace command. If you change the admin username, you must also change the admin password at the same time.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_redshiftserverless_5 --share

SQL

This control uses a named query:

select
  namespace_arn as resource,
  case
    when admin_username = 'admin' then 'alarm'
    else 'ok'
  end as status,
  case
    when admin_username = 'admin' then title || ' uses default admin username.'
    else title || ' not uses default admin username.'
  end as reason,
  region,
  account_id
from
  aws_redshiftserverless_namespace;
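
The description mentions an optional list of admin usernames to include in the evaluation, while the named query above compares against admin only. The following PostgreSQL variant is an added example, not the mod's own query: it checks each namespace against such a list. The sample rows, the ARNs and account IDs in them, the `disallowed` list name, and every list entry other than admin are constructed for illustration, and the `namespace` CTE stands in for aws_redshiftserverless_namespace.

```sql
-- Added example: evaluate namespaces against a configurable list of
-- disallowed admin usernames instead of the single literal 'admin'.
with namespace (namespace_arn, title, admin_username, region, account_id) as (
  -- Constructed sample rows standing in for aws_redshiftserverless_namespace.
  values
    ('arn:aws:redshift-serverless:us-east-1:111111111111:namespace/example-a',
     'analytics', 'admin', 'us-east-1', '111111111111'),
    ('arn:aws:redshift-serverless:us-east-1:111111111111:namespace/example-b',
     'reporting', 'Admin', 'us-east-1', '111111111111'),
    ('arn:aws:redshift-serverless:eu-west-1:111111111111:namespace/example-c',
     'finance', 'dw_owner_7f3', 'eu-west-1', '111111111111'),
    ('arn:aws:redshift-serverless:eu-west-1:111111111111:namespace/example-d',
     'staging', 'root', 'eu-west-1', '111111111111')
),
disallowed (username) as (
  -- Hypothetical parameter: keep entries lowercase and unique.
  -- 'admin' comes from the control; the others are constructed examples.
  values ('admin'), ('administrator'), ('root')
)
select
  n.namespace_arn as resource,
  case
    when d.username is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when d.username is not null
      then n.title || ' uses a disallowed admin username.'
    else n.title || ' does not use a disallowed admin username.'
  end as reason,
  n.region,
  n.account_id
from
  namespace as n
  -- Case-insensitive match is a choice made in this example, so that a
  -- differently cased variant of a listed name is still reported.
  left join disallowed as d on lower(n.admin_username) = d.username
order by
  status,
  resource;
```

To run it against real data in Steampipe, drop the `namespace` CTE and select from aws_redshiftserverless_namespace directly.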

Tags