Redshift Credentials
Service Name: Amazon Redshift
Service Description: Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. It enables you to analyze all your data using standard SQL and your existing business intelligence tools.
Service Address: https://aws.amazon.com/redshift/
Validation Type: API Auth
IP Allow list: IP Restriction is available at the cluster level using Security Groups and VPC configurations.
Secret Access Scope: Grants access to Redshift clusters, allowing query execution, data manipulation, and potentially administrative operations depending on the user's permissions.
Secret Revokement URL: https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html
Secret Example: jdbc:redshift://examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439/dev?user=awsuser&password=MyP@ssw0rd123
Suspicious Activity Investigation Instructions:
-
Review Redshift audit logs for unusual query patterns or data access
-
Check AWS CloudTrail for Redshift API calls from unexpected sources
-
Monitor for large data transfers or unusual export operations
-
Examine user login history for access from unusual locations or times
-
Review any schema or permission changes made by the compromised credentials
Mitigation Instructions:
-
Immediately change the password for the affected user in the AWS Redshift console
-
Consider temporarily disabling the user account while investigating
-
Rotate any other credentials that might have been exposed
-
Review and restrict Security Group rules to limit access to trusted IP addresses
-
Enable enhanced VPC routing if not already enabled
-
Implement multi-factor authentication for database access if possible
-
Review IAM policies associated with Redshift access
-
Check for any unauthorized clusters or snapshots that may have been created
-
Update connection strings in applications to use the new credentials