User guide

"Resource": [
"arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster*"
]
}
]
}
IAM Policy Actions for Amazon Redshift
The Action element in an IAM policy defines what a user can do in Amazon Redshift, such as creating
clusters, deleting security groups, restoring clusters from snapshots, and so on. When you allow or deny
permission to do something in an Action element, the permission applies to that action in all of the
management interfaces for Amazon Redshift: the Amazon Redshift console, API, CLI, and SDK. For
example, setting the Effect element to Allow for the redshift:CreateCluster policy action authorizes
a user to create an Amazon Redshift cluster from the launch cluster workflow in the Amazon Redshift
console, from the CreateCluster API action, from the create-cluster CLI command, or from any
of the supported AWS SDKs.
Specify the IAM action for Amazon Redshift as redshift:ActionName, where ActionName is the
name of the Amazon Redshift API action. The following example shows an IAM action for the
CreateCluster API in Amazon Redshift.
redshift:CreateCluster
For a complete list of Amazon Redshift API actions, go to Actions in the Amazon Redshift API Reference.
Redshift also supports the following actions that are not based on the Redshift API:
The redshift:ViewQueriesInConsole action controls whether a user can see queries in the
Amazon Redshift console in the Queries tab of the Cluster section.
The redshift:CancelQuerySession action controls whether a user can terminate running queries
and loads from the Cluster section in the Amazon Redshift console.
IAM Policy Resources for Amazon Redshift
The Resource element in an IAM policy specifies on or with which resources a user can perform the
given actions. You can specify one resource or a set of resources by using an Amazon Resource Name
(ARN) that includes the name of the service that the resource belongs to (redshift), the region (such
as us-east-1), the account number, the type of resource (such as a cluster or parameter group), and
the name of the resource. For reference information on the IAM policy Resource element, go to IAM
Policy Elements Reference in Using IAM.
For information about the format of Amazon Redshift ARNs and examples, see Constructing an Amazon
Redshift ARN (p. 120).
For Amazon Redshift snapshots, the name includes the name of both the snapshot and the cluster it was
created from: <cluster name>/<snapshot name>. If an IAM policy has a Resource element with a
snapshot ARN, and the cluster node is anything other than *, then all users with that policy must specify
the source cluster name for the snapshot when performing certain actions:
Authorizing cluster snapshot access.
Copying a cluster snapshot.
Deleting a cluster snapshot.
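The following added example (not part of the guide) shows how the wildcard placement in a snapshot ARN decides which `<cluster name>/<snapshot name>` pairs a policy covers. The matcher is a simplified stand-in for IAM wildcard evaluation, and the policies, account ID, cluster names, and snapshot names are constructed placeholders.

```python
import re

PREFIX = "arn:aws:redshift:us-east-1:123456789012:snapshot:"

def make_policy(resource):
    """Build a constructed single-statement policy for the given Resource ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["redshift:CopyClusterSnapshot",
                       "redshift:DeleteClusterSnapshot"],
            "Resource": [resource],
        }],
    }

# Prefix wildcard on the cluster-name portion vs. a wildcard after the slash.
BROAD_POLICY = make_policy(PREFIX + "my-cluster*")
TIGHT_POLICY = make_policy(PREFIX + "my-cluster/*")

# Constructed snapshot ARNs in the <cluster name>/<snapshot name> form.
CANDIDATES = [
    PREFIX + "my-cluster/nightly",
    PREFIX + "my-cluster-finance/nightly",
    PREFIX + "other/nightly",
]

def arn_matches(pattern, arn):
    """Assumed approximation of IAM matching: '*' is any run, '?' is one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None

def covered(policy, arns):
    """Return the ARNs matched by a Resource entry of any Allow statement."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        hits += [a for a in arns
                 if a not in hits and any(arn_matches(p, a) for p in resources)]
    return hits

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, covered(policy, CANDIDATES))
```

Running the same check over a real policy's Resource entries before attaching it shows whether a prefix wildcard reaches snapshots of clusters that merely share a name prefix.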
API Version 2012-12-01
Amazon Redshift Management Guide