Redshift Serverless workgroups should have enhanced VPC routing enabled
Without enhanced VPC routing, Redshift Serverless data traffic (COPY/UNLOAD operations to S3, DynamoDB, or other sources) can traverse the public internet. This bypasses VPC security controls like security groups, network ACLs, and VPC endpoints that you've already configured.
Enabling enhanced VPC routing forces all data movement through the VPC networking layer, making it subject to VPC flow logs and existing network policies. This gives you visibility into data exfiltration attempts and lets you restrict egress paths using VPC endpoint policies or NAT gateway configurations.
Retrofit consideration
Enabling enhanced VPC routing on an existing workgroup may cause brief connectivity disruption during the update. Verify that VPC endpoints for S3 and any other data sources are in place before enabling, or COPY/UNLOAD operations will fail if there is no NAT gateway or endpoint available to route traffic through.
Implementation
Use the AWS provider resource directly; the only resource involved is aws_redshiftserverless_workgroup (see the provider docs for its full argument list).
resource "aws_redshiftserverless_workgroup" "this" {
  namespace_name     = "example-namespace"
  workgroup_name     = "pofix-abc123"
  security_group_ids = ["sg-12345678"]
  # Three distinct subnets in different Availability Zones (placeholder IDs)
  subnet_ids = ["subnet-0a1b2c3d", "subnet-1b2c3d4e", "subnet-2c3d4e5f"]
  # The argument defaults to false; set it explicitly on every workgroup
  enhanced_vpc_routing = true
}
What this control checks
This control checks that the aws_redshiftserverless_workgroup resource has enhanced_vpc_routing set to true. The argument defaults to false, meaning data traffic can bypass VPC networking unless explicitly overridden. It fails when enhanced_vpc_routing is omitted or set to false on any workgroup resource.
Common pitfalls
Missing VPC endpoints cause COPY/UNLOAD failures
When enhanced_vpc_routing is true, all data traffic must route through the VPC. Without a gateway VPC endpoint for S3 (com.amazonaws.<region>.s3) associated with the route tables of the workgroup's subnets, or a NAT gateway reachable from those subnets, COPY and UNLOAD commands to S3 fail with network timeout errors. Make sure the aws_vpc_endpoint resources exist (and, if you COPY from DynamoDB, the com.amazonaws.<region>.dynamodb gateway endpoint as well) before enabling this setting.
Default value is false
enhanced_vpc_routing defaults to false on aws_redshiftserverless_workgroup. A workgroup that omits the argument fails the control, and terraform plan gives no warning because the default is valid configuration. Set enhanced_vpc_routing = true explicitly on every workgroup.
Cross-region COPY operations need reachable endpoints
Enhanced VPC routing forces all traffic through the VPC, including COPY operations targeting data in other regions. A gateway endpoint for S3 only reaches buckets in its own region, so cross-region COPY needs another egress path (typically a NAT gateway); without one, those operations fail with network or access errors. Map out your cross-region data access patterns before enabling.
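The check described under "What this control checks", together with the endpoint pre-check from the first pitfall, can be run against the JSON output of terraform show before apply. The script below is an added example, not Compliance.tf, Checkov or Prowler code: it walks the planned_values tree of a plan (root module and nested child modules), fails any aws_redshiftserverless_workgroup whose enhanced_vpc_routing is false or absent, and reports whether the same plan declares an S3 gateway endpoint for the given region. The embedded plan is constructed and trimmed to the fields the check reads; the resource addresses and region in it are made up.

```python
"""Evaluate the enhanced-VPC-routing control against `terraform show -json` output.

Added example (not Compliance.tf code). Reads planned_values, recursing into
child_modules, and flags every aws_redshiftserverless_workgroup that does not
set enhanced_vpc_routing = true. Also checks for an S3 gateway endpoint in
the plan, since COPY/UNLOAD to S3 break without one once routing is forced
into the VPC.
"""
import json
from typing import Iterator

WORKGROUP_TYPE = "aws_redshiftserverless_workgroup"
ENDPOINT_TYPE = "aws_vpc_endpoint"

# Constructed plan fragment: two root-module workgroups (one compliant, one
# explicitly false) and a child module with a workgroup that omits the
# argument (treated as the provider default, false) plus an S3 gateway endpoint.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_redshiftserverless_workgroup.analytics", "type": WORKGROUP_TYPE,
                 "values": {"workgroup_name": "analytics", "enhanced_vpc_routing": True}},
                {"address": "aws_redshiftserverless_workgroup.legacy", "type": WORKGROUP_TYPE,
                 "values": {"workgroup_name": "legacy", "enhanced_vpc_routing": False}},
            ],
            "child_modules": [
                {"address": "module.etl", "resources": [
                    {"address": "module.etl.aws_redshiftserverless_workgroup.etl", "type": WORKGROUP_TYPE,
                     "values": {"workgroup_name": "etl"}},
                    {"address": "module.etl.aws_vpc_endpoint.s3", "type": ENDPOINT_TYPE,
                     "values": {"service_name": "com.amazonaws.eu-west-1.s3",
                                "vpc_endpoint_type": "Gateway"}},
                ]},
            ],
        }
    },
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a planned_values module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_workgroups(plan: dict) -> list[dict]:
    """One finding per workgroup: PASSED only when enhanced_vpc_routing is exactly true."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != WORKGROUP_TYPE:
            continue
        flag = res.get("values", {}).get("enhanced_vpc_routing")
        if flag is True:
            status, reason = "PASSED", "enhanced_vpc_routing = true"
        elif flag is None:
            status, reason = "FAILED", "enhanced_vpc_routing not set (provider default is false)"
        else:
            status, reason = "FAILED", "enhanced_vpc_routing = false"
        findings.append({"address": res["address"], "status": status, "reason": reason})
    return findings


def has_s3_gateway_endpoint(plan: dict, region: str) -> bool:
    """True if the plan declares a Gateway endpoint for com.amazonaws.<region>.s3."""
    wanted = f"com.amazonaws.{region}.s3"
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != ENDPOINT_TYPE:
            continue
        values = res.get("values", {})
        # The provider default for vpc_endpoint_type is "Gateway".
        if values.get("service_name") == wanted and values.get("vpc_endpoint_type", "Gateway") == "Gateway":
            return True
    return False


def run(plan: dict, region: str) -> dict:
    """Control verdict plus the S3-endpoint pre-check, as one report."""
    findings = evaluate_workgroups(plan)
    return {
        "findings": findings,
        "compliant": bool(findings) and all(f["status"] == "PASSED" for f in findings),
        "s3_gateway_endpoint": has_s3_gateway_endpoint(plan, region),
    }


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_PLAN, "eu-west-1"), indent=2))
```

To run it against a real plan, replace SAMPLE_PLAN with json.load() of the file produced by terraform show -json tfplan; a plan that only updates an existing workgroup still carries its full values block, so retrofits are evaluated the same way as new resources.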
Audit evidence
An auditor expects Config rule evaluation results showing all Redshift Serverless workgroups as COMPLIANT, or Security Hub findings with the control status marked PASSED. Console screenshots from the workgroup configuration page showing "Enhanced VPC routing" as enabled are acceptable supporting evidence.
Additional evidence should include VPC flow logs showing COPY/UNLOAD traffic traversing the VPC, and VPC endpoint policies for S3 (or other data sources) confirming data movement is restricted to expected destinations.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: redshiftserverless_workgroup_enhanced_vpc_routing_enabled
AWS Config Managed Rule: REDSHIFT_SERVERLESS_WORKGROUP_ROUTES_WITHIN_VPC
Checkov Check: CKV_AWS_321
Powerpipe Control: aws_compliance.control.redshiftserverless_workgroup_enhanced_vpc_routing_enabled
Prowler Check: redshift_cluster_enhanced_vpc_routing
AWS Security Hub Controls: Redshift.7, RedshiftServerless.1
Last reviewed: 2026-03-09