Controlling Access to Amazon Redshift Resources
You can use AWS Identity and Access Management (IAM) to control which AWS users can create,
configure, or delete Amazon Redshift clusters and other resources.
Topics
• Overview of Access to Amazon Redshift Resources (p. 115)
• IAM Policy Elements for Amazon Redshift (p. 117)
• Constructing an Amazon Redshift ARN (p. 120)
• Example Policies for Amazon Redshift (p. 121)
Overview of Access to Amazon Redshift Resources
Access to Amazon Redshift resources is controlled at three independent levels:
• Cluster management – The ability to create, configure, and delete clusters is controlled by the IAM permissions granted to the user or account whose AWS security credentials sign the request. AWS users with the proper permissions can use the AWS Management Console, AWS Command Line Interface (CLI), or Amazon Redshift Application Programming Interface (API) to manage their clusters. This section discusses how to control this access by using IAM policies.
• Cluster connectivity – Amazon Redshift security groups specify which clients are authorized to connect to an Amazon Redshift cluster, expressed as IP address ranges in Classless Inter-Domain Routing (CIDR) notation. For information about creating Amazon Redshift, Amazon EC2, and Amazon VPC security groups and associating them with clusters, see Amazon Redshift Cluster Security Groups (p. 43).
• Database access – The ability to access database objects, such as tables and views, is controlled by user accounts in the Amazon Redshift database. Users can only access resources in the database that their user accounts have been granted permission to access. You create these Amazon Redshift user accounts and manage their permissions by using the CREATE USER, CREATE GROUP, GRANT, and REVOKE SQL statements. For more information, go to Managing Database Security.
Because the three levels are independent, an IAM policy that permits creating or deleting a cluster grants no privileges on the data inside it, and a database user's GRANTed privileges give that user no ability to manage the cluster or its security groups. Each level has to be locked down on its own.
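The database-access level above, as an added example that is not taken from the Amazon Redshift Management Guide: the schema, table, user, group and password values are assumed for illustration. It uses the four statements the bullet names, plus Amazon Redshift's HAS_TABLE_PRIVILEGE function to check the effective grants, and it goes one step beyond the bullet by revoking the default CREATE privilege that the public schema grants to every database user.

```sql
-- Added example (not from the Amazon Redshift Management Guide): controlling
-- database-level access with CREATE USER, CREATE GROUP, GRANT and REVOKE.
-- All object, user and group names below are assumed for illustration.

-- Sample objects to protect (constructed for the example).
CREATE SCHEMA sales;
CREATE TABLE sales.orders       (order_id INT, customer_id INT, amount DECIMAL(10,2));
CREATE TABLE sales.customer_pii (customer_id INT, email VARCHAR(255));

-- Database users are separate from IAM principals. Amazon Redshift requires the
-- password to be 8-64 characters with at least one upper-case letter, one
-- lower-case letter and one digit.
CREATE USER analyst_ana PASSWORD 'Ex4mplePassw0rd';

-- Grant privileges to a group and manage membership, rather than granting
-- to individual users; offboarding then becomes a membership change.
CREATE GROUP analysts;
ALTER GROUP analysts ADD USER analyst_ana;

-- Least privilege: USAGE on the schema plus SELECT on only the table the
-- group needs. Nothing is granted on customer_pii.
GRANT USAGE  ON SCHEMA sales  TO GROUP analysts;
GRANT SELECT ON sales.orders  TO GROUP analysts;

-- Pitfall: the public schema grants CREATE and USAGE to PUBLIC by default,
-- so any database user can create objects there until this is revoked.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Check the effective privileges of the user (not of the group) after the
-- grants: the two columns should differ, since only orders was granted.
SELECT HAS_TABLE_PRIVILEGE('analyst_ana', 'sales.orders',       'select') AS can_read_orders,
       HAS_TABLE_PRIVILEGE('analyst_ana', 'sales.customer_pii', 'select') AS can_read_pii;

-- Offboarding: remove the user from the group and drop the user. The group's
-- grants remain in place for its other members.
ALTER GROUP analysts DROP USER analyst_ana;
DROP USER analyst_ana;
```

Run the script as a superuser or as the owner of the sales schema. The IAM permissions described in the first bullet play no part here: these are database credentials checked by the cluster itself, which is why a cluster administrator with full IAM rights still needs a database account and explicit GRANTs before reading any table.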
API Version 2012-12-01
Amazon Redshift Management Guide