
Redshift Serverless namespaces should not use the default admin username

Default admin usernames like "admin" are the first credential attackers try during brute-force or credential-stuffing attacks. Redshift Serverless namespaces hold analytical data that often includes sensitive business or customer records, so a predictable superuser name leaves the attacker only the password to guess.

Changing the admin username after namespace creation requires recreating the namespace, which means downtime and potential data loss. Setting a non-default username at creation time costs nothing and eliminates an entire class of low-effort attack.

Retrofit consideration

Changing admin_username on an existing aws_redshiftserverless_namespace forces resource replacement: the namespace is destroyed and recreated. Any data in attached workgroups is lost unless you snapshot and restore first. Take snapshots and align with application teams before applying the change.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_redshiftserverless_namespace.

resource "aws_redshiftserverless_namespace" "this" {
  # Placeholder password for this example; prefer manage_admin_password = true
  # so Secrets Manager holds the credential instead of config and state.
  admin_user_password = "PofixTest123!"
  # Any value other than the AWS default "admin" satisfies the control.
  admin_username      = "rsadmin"
  db_name             = "mydb"
  log_exports         = ["connectionlog", "userlog"]
  namespace_name      = "pofix-abc123"
}

What this control checks

The aws_redshiftserverless_namespace resource exposes the admin_username argument. Set it to any value other than "admin" to pass, for example "rs_admin_prod" or whatever your team's naming convention is. If admin_username is omitted, AWS defaults it to "admin", which fails. The control may also accept a configured list of allowed usernames; if that list is set, the username must appear in it. Set admin_user_password alongside the custom username, or use manage_admin_password = true to delegate password management to Secrets Manager.
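The following Python is an added illustration of the check described above, not the implementation used by Compliance.tf, Powerpipe or AWS Config. It evaluates a `terraform show -json` plan document: an omitted admin_username counts as the AWS default "admin", an optional allowlist is enforced when supplied, and child modules are walked recursively. The plan document is a constructed sample; comparing the username case-insensitively is an assumption made here to be conservative.

```python
"""Evaluate the no-default-admin-username control over `terraform show -json` output.

Added example, not part of the original page or of any compliance tool's code.
The plan below is a constructed sample trimmed to the fields the check needs.
"""
import json

DEFAULT_ADMIN = "admin"
RESOURCE_TYPE = "aws_redshiftserverless_namespace"

# Constructed sample of `terraform show -json tfplan` (planned_values only).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {   # passes: explicit non-default username
                    "address": "aws_redshiftserverless_namespace.prod",
                    "type": RESOURCE_TYPE,
                    "values": {"namespace_name": "analytics-prod", "admin_username": "rs_admin_prod"},
                },
                {   # fails: argument omitted, so AWS will default it to "admin"
                    "address": "aws_redshiftserverless_namespace.legacy",
                    "type": RESOURCE_TYPE,
                    "values": {"namespace_name": "analytics-legacy"},
                },
                {   # fails: explicitly the default
                    "address": "aws_redshiftserverless_namespace.scratch",
                    "type": RESOURCE_TYPE,
                    "values": {"namespace_name": "scratch", "admin_username": "admin"},
                },
                {   # unrelated resource type, ignored by the check
                    "address": "aws_s3_bucket.logs",
                    "type": "aws_s3_bucket",
                    "values": {"bucket": "my-logs"},
                },
            ],
            "child_modules": [
                {   # resources declared inside a module are checked too
                    "address": "module.reporting",
                    "resources": [
                        {
                            "address": "module.reporting.aws_redshiftserverless_namespace.this",
                            "type": RESOURCE_TYPE,
                            "values": {"namespace_name": "reporting", "admin_username": "rs_admin_reporting"},
                        }
                    ],
                }
            ],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_namespace(values, allowed=None):
    """Return (status, reason) for one namespace's planned attribute values."""
    username = values.get("admin_username")
    if username is None:
        return "fail", "admin_username omitted; AWS defaults it to 'admin'"
    # Assumption: compare case-insensitively so "Admin" is also treated as the default.
    if username.strip().lower() == DEFAULT_ADMIN:
        return "fail", f"admin_username is the default '{username}'"
    if allowed is not None and username not in allowed:
        return "fail", f"'{username}' is not in the configured allowlist"
    return "pass", f"admin_username is '{username}'"


def check_plan(plan_json, allowed=None):
    """Evaluate every aws_redshiftserverless_namespace in a plan; returns {address: (status, reason)}."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    results = {}
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        results[res["address"]] = evaluate_namespace(res.get("values", {}), allowed)
    return results


if __name__ == "__main__":
    for address, (status, reason) in check_plan(SAMPLE_PLAN_JSON).items():
        print(f"{status.upper():4} {address}: {reason}")
```

Against a real plan, run `terraform plan -out=tfplan && terraform show -json tfplan` and pass the output to check_plan; supplying `allowed={"rs_admin_prod", "rs_admin_reporting"}` reproduces the allowlist behaviour some policy implementations enforce.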

Common pitfalls

  • Omitting admin_username defaults to admin

    AWS sets admin_username to "admin" when the argument is absent from the aws_redshiftserverless_namespace block. Terraform won't necessarily surface a diff for omitted optional arguments, so the drift can go undetected. Declare admin_username explicitly in every namespace resource.

  • Changing username forces namespace replacement

    admin_username is marked ForceNew: any change to this argument destroys the namespace and recreates it. All data in attached workgroups is gone. Plan snapshot and restore procedures before running terraform apply.

  • Custom allowed list may reject your username

    Some policy implementations enforce an explicit allowlist of valid admin usernames. Pick a name that isn't on the list and the control fails even if it isn't "admin". Check the configured allowed values before deciding on a username.

  • Username stored in Terraform state in plaintext

    admin_username appears in Terraform state in plaintext. On its own that's low risk, but admin_user_password ends up there too if you set it directly. Use manage_admin_password = true so Secrets Manager holds the credential and your state file only contains the username.

Audit evidence

Each aws_redshiftserverless_namespace should show a non-default admin_username in Terraform configuration, plan output, and applied state. Confirm in the AWS console or CLI that no namespace lists "admin" as its admin user. CloudTrail CreateNamespace events show the adminUsername parameter used at creation, providing a point-in-time record of what was set.
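The two evidence sources named above, the deployed namespace list and CloudTrail CreateNamespace events, can be checked with the added Python below. It is example code written for this page, not AWS or Compliance.tf tooling. Both inputs are constructed samples shaped like the `aws redshift-serverless list-namespaces` response and CloudTrail records from redshift-serverless.amazonaws.com; the field names (namespaceName, adminUsername, requestParameters) follow the AWS API, while the namespace names, account id and ARNs are invented.

```python
"""Audit evidence checks for the Redshift Serverless default admin username.

Added example, not the page's own tooling. Inputs are constructed samples.
"""
import json

DEFAULT_ADMIN = "admin"

# Constructed: trimmed `aws redshift-serverless list-namespaces` output.
SAMPLE_LIST_NAMESPACES = {
    "namespaces": [
        {"namespaceName": "analytics-prod", "adminUsername": "rs_admin_prod", "status": "AVAILABLE"},
        {"namespaceName": "analytics-legacy", "adminUsername": "admin", "status": "AVAILABLE"},
    ]
}

# Constructed: CloudTrail records. CloudTrail redacts the password, so adminUsername
# is the useful point-in-time record of what was set at creation.
SAMPLE_CLOUDTRAIL_EVENTS = [
    {
        "eventTime": "2026-03-01T10:15:00Z",
        "eventSource": "redshift-serverless.amazonaws.com",
        "eventName": "CreateNamespace",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/platform-deploy"},
        "requestParameters": {"namespaceName": "analytics-prod", "adminUsername": "rs_admin_prod",
                              "adminUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS"},
    },
    {
        "eventTime": "2026-03-02T09:00:00Z",
        "eventSource": "redshift-serverless.amazonaws.com",
        "eventName": "CreateNamespace",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"},
        "requestParameters": {"namespaceName": "analytics-legacy"},  # adminUsername omitted
    },
    {
        "eventTime": "2026-03-02T09:05:00Z",
        "eventSource": "redshift-serverless.amazonaws.com",
        "eventName": "CreateWorkgroup",  # unrelated call, ignored
        "requestParameters": {"workgroupName": "wg-legacy"},
    },
]


def is_default_admin(username):
    """True when the name is absent (AWS default) or is 'admin' in any letter case (assumption)."""
    return username is None or username.strip().lower() == DEFAULT_ADMIN


def noncompliant_namespaces(list_response):
    """Names of deployed namespaces whose admin user is the default."""
    return [ns["namespaceName"] for ns in list_response.get("namespaces", [])
            if is_default_admin(ns.get("adminUsername"))]


def default_admin_creations(events):
    """CreateNamespace events where adminUsername was omitted or 'admin', with who and when."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "redshift-serverless.amazonaws.com"
                or ev.get("eventName") != "CreateNamespace"):
            continue
        params = ev.get("requestParameters") or {}
        username = params.get("adminUsername")
        if is_default_admin(username):
            findings.append({
                "namespace": params.get("namespaceName"),
                "adminUsername": username if username is not None else "<omitted: defaults to admin>",
                "createdBy": ev.get("userIdentity", {}).get("arn"),
                "eventTime": ev.get("eventTime"),
            })
    return findings


if __name__ == "__main__":
    print("non-compliant deployed namespaces:", noncompliant_namespaces(SAMPLE_LIST_NAMESPACES))
    print(json.dumps(default_admin_creations(SAMPLE_CLOUDTRAIL_EVENTS), indent=2))
```

For live data, feed `aws redshift-serverless list-namespaces --output json` to noncompliant_namespaces. For CloudTrail, `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateNamespace` returns each record as a JSON string in the CloudTrailEvent field, so apply json.loads to each before passing the list to default_admin_creations; the 90-day lookup window means older creations have to come from a CloudTrail log archive or Athena table instead.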

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: redshiftserverless_namespace_no_default_admin_username

  • AWS Config Managed Rule: REDSHIFT_SERVERLESS_DEFAULT_ADMIN_CHECK

  • Powerpipe Control: aws_compliance.control.redshiftserverless_namespace_no_default_admin_username

  • AWS Security Hub Control: RedshiftServerless.5

Last reviewed: 2026-03-09