AWS Config Rule: Redshift Default Admin Check

REDSHIFT_DEFAULT_ADMIN_CHECK

Eduardo Van Cauteren

Last Update 10 months ago

Description: Checks if an Amazon Redshift cluster has changed the admin username from its default value. The rule is NON_COMPLIANT if the admin username for a Redshift cluster is set to “awsuser” or if the username does not match what is listed in the parameter.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except China (Beijing), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), China (Ningxia) Region


How to Resolve Manually

A general security recommendation is not to use default admin usernames for resources. This rule checks that the 'awsuser' username is not being used by any Redshift cluster. If the username is found on any cluster, the rule is marked as non-compliant.


To check the current admin username of a cluster, open the AWS Console, go to Redshift and click Clusters in the left menu. For a resource to be compliant, its admin username must be different from 'awsuser'; check this for each of the listed DB clusters. See the following screenshot for reference:

AWS indicates in the documentation that you cannot change the admin username for your Amazon Redshift cluster after it is created. You need to create a new cluster with the custom admin username, so you will have to develop an appropriate process that fits the needs of your current infrastructure.
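The same check can be run over every cluster in a region from the output of `aws redshift describe-clusters --output json`. The script below is an added example, not part of the original article or of StackZone's tooling; `allowed_usernames` is a hypothetical name standing in for the rule's optional parameter, and the sample JSON is constructed.

```python
import json
import sys

DEFAULT_ADMIN = "awsuser"

# Constructed sample shaped like `aws redshift describe-clusters --output json`
# (only the two fields the check reads are included).
SAMPLE = """
{"Clusters": [
  {"ClusterIdentifier": "analytics-prod", "MasterUsername": "awsuser"},
  {"ClusterIdentifier": "reporting", "MasterUsername": "dwh_admin"},
  {"ClusterIdentifier": "sandbox", "MasterUsername": "root_sbx"}
]}
"""


def evaluate(describe_json, allowed_usernames=None):
    """Return {cluster_id: (status, reason)} following the rule's description.

    allowed_usernames is a hypothetical name for the rule's optional
    parameter: when given, the admin username must be one of its entries.
    """
    allowed = {u.strip() for u in (allowed_usernames or []) if u.strip()}
    results = {}
    for cluster in json.loads(describe_json).get("Clusters", []):
        cid = cluster.get("ClusterIdentifier", "<unknown>")
        user = cluster.get("MasterUsername", "")
        if user == DEFAULT_ADMIN:
            # The default name fails even if someone lists it as allowed.
            results[cid] = ("NON_COMPLIANT", "default admin username in use")
        elif allowed and user not in allowed:
            results[cid] = ("NON_COMPLIANT", "admin username not in allowed list")
        else:
            results[cid] = ("COMPLIANT", "")
    return results


def main(argv):
    # Use piped CLI output when present, otherwise the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    results = evaluate(piped.strip() or SAMPLE, argv[1:])
    for cid, (status, reason) in sorted(results.items()):
        print(f"{cid}\t{status}\t{reason}")
    # Non-zero exit lets a scheduled job or pipeline fail on findings.
    return 1 if any(s == "NON_COMPLIANT" for s, _ in results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the CLI output into the script and pass any permitted admin usernames as arguments; clusters it reports as non-compliant still have to be recreated, as described above.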

