Lensix
Back to blog
AWSBest PracticesCloud SecurityDatabasesIdentity & Access

Redshift Using Default Master Username: Why awsuser Is a Risk and How to Fix It

Amazon Redshift clusters using the default master username awsuser give attackers half a credential pair for free. Learn why it matters and how to fix it.

TL;DR

This check flags Amazon Redshift clusters that still use the default master username awsuser. A predictable admin username gives attackers half of the credential pair for free, so create your cluster with a custom master username instead. Since the master username cannot be changed after launch, fixing it means provisioning a new cluster.

When you spin up a Redshift cluster and accept the defaults, the master account gets named awsuser. It works, the cluster launches, and you move on. The problem is that awsuser is the same default everyone else gets, which makes it a known quantity to anyone probing your environment. This check catches clusters running with that default and nudges you toward a username that is not sitting in every brute-force wordlist.

What this check detects

The redshift_defaultusername check inspects each Redshift cluster in your account and reports any cluster whose master username is set to the AWS default value awsuser. It is a straightforward string comparison against the MasterUsername attribute returned by the Redshift API.

The master user is the superuser of the cluster. It owns the initial database and has full administrative rights, including the ability to create other users, grant privileges, and read every table. Leaving it named awsuser means the most powerful account on the cluster has a publicly known name.

Note: The master username is set at cluster creation and is immutable. Unlike the master password, which you can rotate freely, you cannot rename the master user on an existing cluster. This is why the fix involves creating a new cluster rather than editing the current one.

Why it matters

Authentication has two parts: the username and the secret. When the username is predictable, an attacker only needs to crack one of them. Treating the username as a second factor of obscurity is weak on its own, but a custom username does meaningfully raise the cost of automated attacks.

Here is how a default username plays into real attack paths:

  • Credential stuffing and brute force. Automated tools that scan exposed databases default to common usernames. awsuser is one of them. Every guess they make is now correct on the username side, so all their effort goes into the password.
  • Publicly reachable clusters. If a cluster ends up with a public IP and an overly permissive security group, the combination of a known username and a weak or leaked password becomes an open door.
  • Phishing and social engineering. An attacker who knows your clusters use awsuser can craft more convincing pretexts when targeting your engineers or support staff.
  • Audit and compliance findings. Frameworks like CIS benchmarks and internal security baselines frequently flag default account names. A default master user is an easy finding for an auditor to write up.

The business impact is the usual data warehouse story. Redshift clusters often hold aggregated analytics, customer records, and financial data pulled from across the organization. A compromise here is rarely a single table. It is the consolidated view of your business.

Warning: A custom username is not a substitute for the controls that actually matter, such as a strong rotated password, IAM-based authentication, private networking, and tight security groups. Treat it as one layer in defense in depth, not the whole defense.

How to fix it

Because the master username is immutable, remediation means standing up a new cluster with a non-default username and migrating to it. The cleanest path is snapshot, restore, validate, cut over.

Step 1: Snapshot the existing cluster

aws redshift create-cluster-snapshot \
  --snapshot-identifier pre-migration-snapshot \
  --cluster-identifier my-existing-cluster

Wait for the snapshot to reach the available state before continuing:

aws redshift describe-cluster-snapshots \
  --snapshot-identifier pre-migration-snapshot \
  --query 'Snapshots[0].Status'

Step 2: Restore into a new cluster

Restoring from a snapshot keeps the original master username, so a plain restore will not solve the problem. Instead, provision a fresh cluster with a custom master username, then load your data into it. For a fresh cluster:

aws redshift create-cluster \
  --cluster-identifier my-secure-cluster \
  --node-type ra3.xlplus \
  --number-of-nodes 2 \
  --master-username analytics_admin \
  --master-user-password 'CHANGE_ME_USE_SECRETS_MANAGER' \
  --db-name analytics \
  --cluster-subnet-group-name my-private-subnet-group \
  --vpc-security-group-ids sg-0123456789abcdef0 \
  --publicly-accessible false \
  --encrypted

Danger: Do not pass a real password as a plaintext CLI argument. It lands in your shell history and process listing. Generate the password in AWS Secrets Manager and reference it, or pass it through an environment variable you clear afterward.

Step 3: Migrate data with UNLOAD and COPY

Export from the old cluster to S3, then load into the new one. This avoids carrying the old master username along with a snapshot restore.

-- On the old cluster
UNLOAD ('SELECT * FROM analytics.public.events')
TO 's3://my-migration-bucket/events/'
IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftUnloadRole'
PARQUET;

-- On the new cluster
COPY analytics.public.events
FROM 's3://my-migration-bucket/events/'
IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftCopyRole'
FORMAT AS PARQUET;

Step 4: Validate, cut over, and decommission

Confirm row counts and run a few representative queries against the new cluster, repoint your applications and BI tools at the new endpoint, then delete the old cluster once you are confident.

Danger: Deleting a cluster is irreversible. Take a final snapshot and verify the new cluster is serving production traffic before you run this.

aws redshift delete-cluster \
  --cluster-identifier my-existing-cluster \
  --final-cluster-snapshot-identifier final-snapshot-before-delete

Tip: Use a username that describes the cluster's purpose rather than the person, such as warehouse_admin or etl_master. Avoid personal names so the account does not become orphaned when someone leaves.

How to prevent it from happening again

The reason clusters end up with awsuser is that someone accepted the default. The fix is to remove the ability to accept the default by codifying cluster creation.

Terraform with an explicit master username

resource "aws_redshift_cluster" "warehouse" {
  cluster_identifier = "my-secure-cluster"
  node_type          = "ra3.xlplus"
  number_of_nodes    = 2
  database_name      = "analytics"

  master_username    = "warehouse_admin"
  manage_master_password = true  # let AWS manage the password in Secrets Manager

  publicly_accessible = false
  encrypted           = true
  vpc_security_group_ids = [aws_security_group.redshift.id]
  cluster_subnet_group_name = aws_redshift_subnet_group.private.name
}

Block the default in CI with OPA or Checkov

Add a policy-as-code gate so a plan with awsuser never merges. A Conftest/OPA rule:

package terraform.redshift

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_redshift_cluster"
  username := resource.change.after.master_username
  username == "awsuser"
  msg := sprintf("Redshift cluster '%s' uses the default master username 'awsuser'", [resource.address])
}

Wire it into your pipeline so the check runs on every pull request:

terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
conftest test plan.json --policy ./policies

Tip: Pair the IaC gate with a continuous check in Lensix so drift gets caught even when a cluster is created outside your pipeline, for example through the console during an incident.

Best practices

  • Never accept identity defaults. Default usernames, default ports, and default database names all reduce the work an attacker has to do. Override them at creation.
  • Let AWS manage the master password. Use manage_master_password (or Secrets Manager integration) so the credential is rotated and never appears in plaintext in your code or shell.
  • Prefer IAM authentication where possible. Generating temporary credentials with GetClusterCredentials reduces reliance on long-lived passwords altogether.
  • Keep clusters private. Set publicly_accessible = false and restrict security groups to known application CIDRs. A non-default username matters far less when nothing untrusted can reach the cluster.
  • Limit master user usage. Create dedicated roles and least-privilege database users for applications and analysts. The master account should be reserved for administrative tasks, not day-to-day queries.
  • Audit continuously. Run this check on a schedule so a misconfigured cluster surfaces within hours rather than at the next annual audit.

A custom master username is a small change with outsized signal value. It tells an attacker that someone was paying attention, and it removes one of the easiest assumptions they would otherwise make for free.

Fix the clusters you have by migrating to a properly named one, then close the door for good with IaC defaults and a policy gate in CI. From there, the only way to create a cluster is the secure way.