Inbound QuickSight Rules Question

Curious about the following doc: Create a private connection from Amazon QuickSight to Redshift or RDS

Does the inbound QS rule really need to be wide open (i.e. ports 0-65535)? Or can we limit it to simply the Redshift port (5432)? Same goes for the outbound Redshift security group. The docs seem to state that all ports need to be open, but don’t elaborate as to why. Your guidance would be much appreciated! Thanks!

The outbound rule only needs the Redshift port (5432). The inbound rule needs to be all ports because it’s matching the return traffic. The port numbers are swapped for return traffic, so the destination port is what was the source port for the outbound traffic. Outbound source ports (and thus inbound destination ports) are allocated randomly for each TCP connection.
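As an added example, not from this thread or the AWS documentation: the two security groups expressed in Terraform the way the answer describes, with the all-ports inbound rule on the QuickSight side scoped to the Redshift security group rather than to any address. The resource names, `var.vpc_id` and the port 5432 quoted in the thread are assumptions.

```hcl
# Constructed example; names and var.vpc_id are placeholders.
resource "aws_security_group" "quicksight" {
  name   = "quicksight-vpc-connection"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "redshift" {
  name   = "redshift-cluster"
  vpc_id = var.vpc_id
}

# QuickSight -> Redshift: only the database port is needed outbound.
# (For an egress rule, source_security_group_id is the destination group.)
resource "aws_security_group_rule" "qs_egress_to_redshift" {
  type                     = "egress"
  security_group_id        = aws_security_group.quicksight.id
  source_security_group_id = aws_security_group.redshift.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
}

# Redshift -> QuickSight return traffic: the destination port is whatever
# ephemeral source port QuickSight picked, so the rule spans all TCP ports,
# but it only admits traffic that originates from the Redshift group.
resource "aws_security_group_rule" "qs_ingress_from_redshift" {
  type                     = "ingress"
  security_group_id        = aws_security_group.quicksight.id
  source_security_group_id = aws_security_group.redshift.id
  protocol                 = "tcp"
  from_port                = 0
  to_port                  = 65535
}

# Redshift side: accept the database port only from the QuickSight group.
# Note that Terraform strips the default allow-all egress from a managed
# group, so add an explicit egress rule if the cluster needs one.
resource "aws_security_group_rule" "redshift_ingress_from_qs" {
  type                     = "ingress"
  security_group_id        = aws_security_group.redshift.id
  source_security_group_id = aws_security_group.quicksight.id
  protocol                 = "tcp"
  from_port                = 5432
  to_port                  = 5432
}
```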