diff --git a/packages/@aws-cdk/aws-redshift/README.md b/packages/@aws-cdk/aws-redshift/README.md
index 11fe7a8fd363d..8ecdd21f72ca8 100644
--- a/packages/@aws-cdk/aws-redshift/README.md
+++ b/packages/@aws-cdk/aws-redshift/README.md
@@ -34,6 +34,9 @@ By default, the master password will be generated and stored in AWS Secrets Mana
 A default database named `default_db` will be created in the cluster. To change the name of this database set the `defaultDatabaseName` attribute in the constructor properties.
+By default, the cluster will not be publicly accessible.
+Depending on your use case, you can make the cluster publicly accessible with the `publiclyAccessible` property.
+
 ### Connecting
 To control who can access the cluster, use the `.connections` attribute. Redshift Clusters have
diff --git a/packages/@aws-cdk/aws-redshift/lib/cluster.ts b/packages/@aws-cdk/aws-redshift/lib/cluster.ts
index 3b0667364772a..098055ada1042 100644
--- a/packages/@aws-cdk/aws-redshift/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-redshift/lib/cluster.ts
@@ -307,6 +307,13 @@ export interface ClusterProps {
 * @default RemovalPolicy.RETAIN
 */
 readonly removalPolicy?: RemovalPolicy
+
+ /**
+ * Whether to make cluster publicly accessible.
+ *
+ * @default false
+ */
+ readonly publiclyAccessible?: boolean
 }
 /**
@@ -469,7 +476,7 @@ export class Cluster extends ClusterBase {
 loggingProperties,
 iamRoles: props.roles ? props.roles.map(role => role.roleArn) : undefined,
 dbName: props.defaultDatabaseName || 'default_db',
- publiclyAccessible: false,
+ publiclyAccessible: props.publiclyAccessible || false,
 // Encryption
 kmsKeyId: props.encryptionKey && props.encryptionKey.keyArn,
 encrypted: props.encrypted !== undefined ? props.encrypted : true,
diff --git a/packages/@aws-cdk/aws-redshift/test/cluster.test.ts b/packages/@aws-cdk/aws-redshift/test/cluster.test.ts
index 397777ec3ca40..e8c38692dcb45 100644
--- a/packages/@aws-cdk/aws-redshift/test/cluster.test.ts
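Review bot: The doc comment on the new `publiclyAccessible` prop in `ClusterProps` says only `Whether to make cluster publicly accessible.`, which does not tell a reader what enabling it exposes. I would expand it to something like `Whether the cluster endpoint can be reached from outside the VPC. When true, the cluster's security groups are the main network barrier, so restrict ingress through connections.` and keep the `@default false` line. The interface starts and ends outside this hunk, so any cross-reference to a subnet-selection prop needs checking against the full file.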
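Review bot: With `publiclyAccessible: props.publiclyAccessible || false` the exposure is now caller-controlled, and nothing visible in this hunk ties it to the rest of the network configuration. Subnet and security-group setup sit outside the hunk, so a caller may be able to enable a public endpoint alongside ingress rules wider than intended; this is inferred, not shown. Consider making the choice visible at synth time, for example `if (props.publiclyAccessible) { /* add a construct warning that the endpoint is public */ }` ahead of this property list. The constructor body continues outside the hunk.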
+++ b/packages/@aws-cdk/aws-redshift/test/cluster.test.ts
@@ -257,6 +257,22 @@ test('cluster with parameter group', () => {
 });
+test('publicly accessible cluster', () => {
+ // WHEN
+ new Cluster(stack, 'Redshift', {
+ masterUser: {
+ masterUsername: 'admin',
+ },
+ vpc,
+ publiclyAccessible: true,
+ });
+
+ // THEN
+ cdkExpect(stack).to(haveResource('AWS::Redshift::Cluster', {
+ PubliclyAccessible: true,
+ }));
+});
+
 test('imported cluster with imported security group honors allowAllOutbound', () => {
 // GIVEN
 const cluster = Cluster.fromClusterAttributes(stack, 'Database', {
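Review bot: The new test covers only `publiclyAccessible: true`; nothing in this hunk pins the non-public default now that the value is no longer hard-coded in cluster.ts. I would add a sibling test that constructs the cluster without the prop and asserts `cdkExpect(stack).to(haveResource('AWS::Redshift::Cluster', { PubliclyAccessible: false }));`, so a later change to the default fails loudly. An explicit `publiclyAccessible: false` case is cheap to add alongside it. Other tests in the file may already check this, since only this hunk is visible here.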