User guide

Using IAM Users, Groups, and Policies for Cluster Management
Amazon Redshift uses AWS Identity and Access Management (IAM) to control which users in your AWS
account can create, modify, or delete clusters for your AWS account. If you do not create IAM users and
groups within an account, you must provide the account root credentials to any people who need to
manage Amazon Redshift clusters owned by the account. The root credentials provide unrestricted access
to all AWS resources owned by the account. As a result, we strongly recommend that instead of using
the account credentials to create or manage Amazon Redshift resources, you use IAM. For information
about getting AWS security credentials, go to AWS Security Credentials.
Use IAM to do the following:
• Create users and groups under your AWS account.
• Share AWS account resources with the users in the same account.
• Define IAM policies that control the Amazon Redshift actions and resources available to each IAM user
  or group. By default, a new IAM user has no permissions. You must grant IAM users all permissions
  they require.
• Configure each user to have his or her own security credentials.
To learn about IAM, go to:
• AWS Identity and Access Management (IAM)
• IAM Getting Started Guide
• Using IAM
AWS Managed Policies for Amazon Redshift
Amazon Redshift offers functionality from other services, such as Amazon CloudWatch metrics that you
can use to monitor your cluster performance and set alarms. Functions that are supplied by other services
require explicit permissions of their own; access to Amazon Redshift actions does not give access to
actions in other services. The AWS IAM console provides the following predefined Amazon Redshift AWS
managed policies that you can use to allow the necessary access:
• Amazon Redshift Read Only Access – Provides read-only access to Amazon Redshift by using the
  AWS Management Console.
• Amazon Redshift Full Access – Provides full access to Amazon Redshift by using the AWS
  Management Console.
Alternatively, see Example Policies for Amazon Redshift for examples of how to configure explicit
permissions for other services that you need to work with Amazon Redshift.
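The following Python sketch is an added example, not code from the Amazon Redshift guide. It uses constructed policy documents to show that a user with no policies has no permissions, and that a policy allowing only Amazon Redshift actions leaves CloudWatch actions denied. The function names are hypothetical, and the check is a simplification that matches only Effect and Action and ignores Resource, Condition, and other policy elements.

```python
import fnmatch

def _as_list(value):
    # "Statement" and "Action" may each be a single item or a list.
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)

def decide(policies, action):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(action, _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # an explicit Deny always wins
            allowed = True
    # No matching Allow means the request is denied by default.
    return "allow" if allowed else "implicit-deny"

def missing_permissions(policies, needed):
    """List the needed actions that the attached policies do not allow."""
    return [a for a in needed if decide(policies, a) != "allow"]

# Constructed sample policies (assumptions for illustration, not AWS managed policies).
REDSHIFT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "redshift:*", "Resource": "*"}]}
MONITORING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"]}]}
NO_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "redshift:DeleteCluster", "Resource": "*"}]}

# Actions a cluster operator who also reads CloudWatch metrics and alarms needs.
NEEDED = ["redshift:DescribeClusters", "redshift:ModifyCluster",
          "cloudwatch:GetMetricStatistics", "cloudwatch:DescribeAlarms"]

if __name__ == "__main__":
    for label, attached in [("no policies", []),
                            ("Redshift only", [REDSHIFT_ONLY]),
                            ("Redshift + monitoring", [REDSHIFT_ONLY, MONITORING])]:
        print(label, "-> missing:", missing_permissions(attached, NEEDED))
```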
Creating an IAM Group and Users
This section describes how to create an IAM group, attach a policy to the group, and add users to the
group. Alternatively, you can attach the policies to the users rather than the group. The following example
uses the Administrator Access AWS managed policy, but you can use one of the Amazon Redshift
AWS managed policies instead. To learn more about IAM groups, users, and policies, go to the IAM
documentation listed earlier.
API Version 2012-12-01
Amazon Redshift Management Guide