An organization is building an Amazon Redshift cluster in their shared services VPC

The cluster will host sensitive data. How can the organization control which networks can access the cluster?

1. Run the cluster in a different VPC and connect through VPC peering.
2. Create a database user inside the Amazon Redshift cluster only for users on the network.
3. Define a cluster security group for the cluster that allows access from the allowed networks.
4. Only allow access to networks that connect with the shared services network via VPN.