User guide
Example 4: Allow a user to authorize and revoke snapshot access
The following policy allows a user, for example UserA, to do the following:
• Authorize access to any snapshot created from a cluster named shared.
• Revoke snapshot access for any snapshot created from the shared cluster where the snapshot name
starts with revokable.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "redshift:AuthorizeSnapshotAccess"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:0123456789012:snapshot:shared/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "redshift:RevokeSnapshotAccess"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:0123456789012:snapshot:shared/revokable*"
      ],
      "Effect": "Allow"
    }
  ]
}
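Whether a statement reaches the intended snapshots depends on the resource-type and cluster segments of the Resource ARN. The following added example (not part of the guide; the inventory, the helper names and the simplified matcher are assumptions) checks candidate Resource patterns against a constructed snapshot list and flags patterns that match nothing or that reach snapshots outside the shared cluster.

```python
import re

# Constructed inventory; the account ID and ARN layout are copied from the policies on this page.
BASE = "arn:aws:redshift:us-east-1:0123456789012:"
INVENTORY = [BASE + "snapshot:" + s for s in
             ("shared/revokable-2024", "shared/nightly", "finance/revokable-q1")]

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, arn, flags=re.DOTALL) is not None

def covered(statement, inventory=INVENTORY):
    """Snapshots (as cluster/snapshot names) that an Allow statement's Resource list reaches.
    Simplified assumption: ignores Deny, Condition and NotResource."""
    if statement.get("Effect") != "Allow":
        return []
    return [arn.split(":snapshot:", 1)[1] for arn in inventory
            if any(arn_matches(p, arn) for p in statement["Resource"])]

def audit(statement, cluster):
    """Findings for one statement that is meant to apply only to snapshots of `cluster`."""
    hits = covered(statement)
    findings = []
    if not hits:
        findings.append("matches no snapshot in the inventory")
    outside = [h for h in hits if h.split("/", 1)[0] != cluster]
    if outside:
        findings.append("reaches other clusters: " + ", ".join(outside))
    return findings

def stmt(action, resource):
    """Build a single Allow statement (hypothetical helper for this example)."""
    return {"Action": [action], "Resource": [BASE + resource], "Effect": "Allow"}

if __name__ == "__main__":
    for res in ("shared/*", "snapshot:shared/*",
                "snapshot:*/revokable*", "snapshot:shared/revokable*"):
        s = stmt("redshift:RevokeSnapshotAccess", res)
        print(f"{res:28} covers={covered(s)} findings={audit(s, 'shared')}")
```

A pattern without the snapshot: resource type matches nothing, and a * in the cluster segment extends the statement to snapshots of every cluster in the account.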
If UserA has allowed UserB to access a snapshot, UserB must have a policy such as the following to
restore a cluster from the snapshot. The following policy allows UserB to describe and restore from
snapshots, and to create clusters. The names of these clusters must start with
from-other-account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "redshift:DescribeClusterSnapshots"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:0123456789012:snapshot:*/*",
        "arn:aws:redshift:us-east-1:2109876543210:cluster:from-other-account*"
API Version 2012-12-01
Amazon Redshift Management Guide
Example Policies for Amazon Redshift