User guide
AWS Accounts and IAM Credentials
By default, an Amazon Redshift cluster is only accessible to the AWS account that creates the cluster. The cluster is locked down so that no one else has access. Within your AWS account, you use the AWS Identity and Access Management (IAM) service to create user accounts and manage permissions for those accounts to control cluster operations. For more information, see Controlling Access to Amazon Redshift Resources (p. 115).
Security Groups
By default, any cluster that you create is closed to everyone. IAM credentials only control access to the Amazon Redshift API-related resources: the Amazon Redshift console, command line interface (CLI), API, and SDK. To enable access to the cluster from SQL client tools via JDBC or ODBC, you use security groups:
• If you are using the EC2-Classic platform for your Amazon Redshift cluster, you must use Amazon Redshift security groups.
• If you are using the EC2-VPC platform for your Amazon Redshift cluster, you must use VPC security groups.
In either case, you add rules to the security group to grant explicit inbound access to a specific range of CIDR/IP addresses or to an Amazon Elastic Compute Cloud (Amazon EC2) security group if your SQL client runs on an Amazon EC2 instance. For more information, see Amazon Redshift Cluster Security Groups (p. 43).
In addition to the inbound access rules, you create database users to provide credentials to authenticate to the database within the cluster itself. For more information, see Databases (p. 4) in this topic.
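Because the security group rules are the only thing standing between the internet and the cluster's listener, it is worth auditing them for CIDR ranges that are wider than intended. The following check is an added example, not code from the guide: it runs over a constructed sample shaped like `aws ec2 describe-security-groups` output and reports rules that expose the Redshift port to a very wide CIDR block. The port number 5439 (the default Redshift port), the group ids and the CIDR blocks are assumptions made up for the sample.

```python
import ipaddress
import json

REDSHIFT_PORT = 5439  # assumption: the default Redshift listener port

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not real data): one rule scoped to a private CIDR, one that references an
# EC2 security group, and one that opens a port range to the whole internet.
SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0example0", "GroupName": "redshift-clients",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0appservers0"}]},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
  ]}]}
""")


def rule_covers_port(rule, port):
    """True if an ingress rule reaches the given TCP port ("-1" means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_broad_ingress(groups, port=REDSHIFT_PORT, max_prefix=8):
    """Return (group id, CIDR) pairs that expose `port` to a CIDR block of
    /max_prefix or wider (0.0.0.0/0 is the usual offender). Rules that grant
    access to another security group rather than a CIDR are not flagged, since
    that is the pattern the guide recommends for EC2-hosted SQL clients."""
    findings = []
    for group in groups["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if not rule_covers_port(rule, port):
                continue
            for ip_range in rule.get("IpRanges", []):
                net = ipaddress.ip_network(ip_range["CidrIp"], strict=False)
                if net.prefixlen <= max_prefix:
                    findings.append((group["GroupId"], str(net)))
    return findings


if __name__ == "__main__":
    for group_id, cidr in find_broad_ingress(SAMPLE_GROUPS):
        print(f"{group_id}: port {REDSHIFT_PORT} reachable from {cidr}")
```

Note that a rule with a wider port range than 5439 alone (the third rule in the sample) still counts, which is why the check tests port coverage rather than an exact FromPort/ToPort match.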
Encryption
When you provision the cluster, you can optionally choose to encrypt the cluster for additional security. When you enable encryption, Amazon Redshift stores all data in user-created tables in an encrypted format. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage your Amazon Redshift encryption keys.
Encryption is an immutable property of the cluster. The only way to switch from an encrypted cluster to a nonencrypted cluster is to unload the data and reload it into a new cluster. Encryption applies to the cluster and any backups. When you restore a cluster from an encrypted snapshot, the new cluster is encrypted as well.
For more information about encryption, keys, and hardware security modules, see Amazon Redshift Database Encryption (p. 98).
SSL Connections
You can use Secure Sockets Layer (SSL) encryption to encrypt the connection between your SQL client and your cluster. For more information, see Configure Security Options for Connections (p. 158).
Monitoring Clusters
There are several features related to monitoring in Amazon Redshift. You can use database audit logging to generate activity logs, configure events and notification subscriptions to track information of interest, and use the metrics in Amazon Redshift and Amazon CloudWatch to learn about the health and performance of your clusters and databases.
API Version 2012-12-01
Amazon Redshift Management Guide