Amazon Redshift (service prefix: `redshift`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:

- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The `Resource` column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources (`"*"`) in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.
Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
---|---|---|---|---|---|
AcceptReservedNodeExchange | Exchanges a DC1 Reserved Node for a DC2 Reserved Node with no changes to the configuration (term, payment type, or number of nodes) and no additional costs | Write | |||
AuthorizeClusterSecurityGroupIngress | Adds an inbound (ingress) rule to an Amazon Redshift security group. | Permissions management | |||
AuthorizeSnapshotAccess | Authorizes the specified AWS customer account to restore the specified snapshot | Permissions management | |||
BatchDeleteClusterSnapshots | Deletes the snapshots in a batch of size up to 100 | Write | |||
BatchModifyClusterSnapshots | Modifies the settings for a batch of snapshots | Write | |||
CancelQuery [permission only] | Give permission to Cancel a Query through Redshift Query Editor | Write | |||
CancelQuerySession [permission only] | Controls whether a user can see queries in the Amazon Redshift console in the Queries tab of the Cluster section. | Write | |||
CancelResize | Cancels an ongoing classic resize | Write | |||
CopyClusterSnapshot | Copies the specified automated cluster snapshot to a new manual cluster snapshot | Write | |||
CreateCluster | Creates a new cluster | Write | |||
CreateClusterParameterGroup | Creates an Amazon Redshift parameter group | Write | |||
CreateClusterSecurityGroup | Creates a new Amazon Redshift security group | Write | |||
CreateClusterSnapshot | Creates a manual snapshot of the specified cluster | Write | |||
CreateClusterSubnetGroup | Creates a new Amazon Redshift subnet group | Write | |||
CreateClusterUser | Give permission to auto create the specified redshift user if it does not exist | Permissions management | |||
CreateEventSubscription | Creates an Amazon Redshift event notification subscription | Write | |||
CreateHsmClientCertificate | Creates an HSM client certificate that an Amazon Redshift cluster will use to connect to the client's HSM in order to store and retrieve the keys used to encrypt the cluster databases | Write | |||
CreateHsmConfiguration | Creates an HSM configuration that contains the information required by an Amazon Redshift cluster to store and use database encryption keys in a Hardware Security Module (HSM) | Write | |||
CreateSavedQuery [permission only] | Give permission to Create Saved Queries through Redshift Saved Queries | Write | |||
CreateScheduledAction | Creates a new Amazon Redshift scheduled action | Write | |||
CreateSnapshotCopyGrant | Creates a snapshot copy grant that permits Amazon Redshift to use a customer master key (CMK) from AWS Key Management Service (AWS KMS) to encrypt copied snapshots in a destination region | Permissions management | |||
CreateSnapshotSchedule | Creates the given snapshot schedule | Write | |||
CreateTags | Adds one or more tags to a specified resource | Tagging | |||
DeleteCluster | Deletes a previously provisioned cluster | Write | |||
DeleteClusterParameterGroup | Deletes a specified Amazon Redshift parameter group | Write | |||
DeleteClusterSecurityGroup | Deletes an Amazon Redshift security group | Write | |||
DeleteClusterSnapshot | Deletes the specified manual snapshot | Write | |||
DeleteClusterSubnetGroup | Deletes the specified cluster subnet group | Write | |||
DeleteEventSubscription | Deletes an Amazon Redshift event notification subscription | Write | |||
DeleteHsmClientCertificate | Deletes the specified HSM client certificate | Write | |||
DeleteHsmConfiguration | Deletes the specified Amazon Redshift HSM configuration | Write | |||
DeleteSavedQueries [permission only] | Give permission to Delete Saved Queries through Redshift Saved Queries | Write | |||
DeleteScheduledAction | Delete the specified Amazon Redshift scheduled action | Write | |||
DeleteSnapshotCopyGrant | Deletes the specified snapshot copy grant | Write | |||
DeleteSnapshotSchedule | Deletes the given snapshot schedule | Write | |||
DeleteTags | Deletes a tag or tags from a resource | Tagging | |||
DescribeAccountAttributes | Enables the user to get a list of attributes attached to an account | Read | |||
DescribeClusterDbRevisions | Enables the user to get a list of database revisions for a cluster | List | |||
DescribeClusterParameterGroups | Returns a list of Amazon Redshift parameter groups, including parameter groups you created and the default parameter group | Read | |||
DescribeClusterParameters | Returns a detailed list of parameters contained within the specified Amazon Redshift parameter group | Read | |||
DescribeClusterSecurityGroups | Returns information about Amazon Redshift security groups | Read | |||
DescribeClusterSnapshots | Returns one or more snapshot objects, which contain metadata about your cluster snapshots | Read | |||
DescribeClusterSubnetGroups | Returns one or more cluster subnet group objects, which contain metadata about your cluster subnet groups | Read | |||
DescribeClusterTracks | Enables the user to get a list of all the available maintenance tracks | List | |||
DescribeClusterVersions | Returns descriptions of the available Amazon Redshift cluster versions | Read | |||
DescribeClusters | Returns properties of provisioned clusters including general cluster properties, cluster database properties, maintenance and backup properties, and security and access properties | List | |||
DescribeDefaultClusterParameters | Returns a list of parameter settings for the specified parameter group family | Read | |||
DescribeEventCategories | Displays a list of event categories for all event source types, or for a specified source type | Read | |||
DescribeEventSubscriptions | Lists descriptions of all the Amazon Redshift event notifications subscription for a customer account | Read | |||
DescribeEvents | Returns events related to clusters, security groups, snapshots, and parameter groups for the past 14 days | List | |||
DescribeHsmClientCertificates | Returns information about the specified HSM client certificate | Read | |||
DescribeHsmConfigurations | Returns information about the specified Amazon Redshift HSM configuration | Read | |||
DescribeLoggingStatus | Describes whether information, such as queries and connection attempts, is being logged for the specified Amazon Redshift cluster | Read | |||
DescribeNodeConfigurationOptions | For the restore-cluster action type, enables the user to get a list of possible node configurations such as node type, number of nodes, and disk usage. For the recommended-node-configuration action type, enables the user to get a list of recommended configurations based on an existing cluster or snapshot. | List | |||
DescribeOrderableClusterOptions | Returns a list of orderable cluster options | Read | |||
DescribeQuery [permission only] | Give permission to Describe Query through Redshift Query Editor | Read | |||
DescribeReservedNodeOfferings | Returns a list of the available reserved node offerings by Amazon Redshift with their descriptions including the node type, the fixed and recurring costs of reserving the node and duration the node will be reserved for you | Read | |||
DescribeReservedNodes | Returns the descriptions of the reserved nodes | Read | |||
DescribeResize | Returns information about the last resize operation for the specified cluster | Read | |||
DescribeSavedQueries [permission only] | Return a list of saved queries to Amazon Redshift console. | Read | |||
DescribeScheduledActions | Describe created Amazon Redshift scheduled actions | Read | |||
DescribeSnapshotCopyGrants | Returns a list of snapshot copy grants owned by the AWS account in the destination region | Read | |||
DescribeSnapshotSchedules | Describes created snapshot schedules | Read | |||
DescribeStorage | Returns account level backups storage size and provisional storage | Read | |||
DescribeTable [permission only] | Give permission to Describe Table through Redshift Query Editor | Read | |||
DescribeTableRestoreStatus | Lists the status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action | Read | |||
DescribeTags | Returns a list of tags | Read | |||
DisableLogging | Stops logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster | Write | |||
DisableSnapshotCopy | Disables the automatic copying of snapshots from one region to another region for a specified cluster | Write | |||
EnableLogging | Starts logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster | Write | |||
EnableSnapshotCopy | Enables the automatic copy of snapshots from one region to another region for a specified cluster | Write | |||
ExecuteQuery [permission only] | Give permission to Execute Query through Redshift Query Editor | Write | |||
FetchResults [permission only] | Give permission to Fetch Query Results through Redshift Query Editor | Read | |||
GetClusterCredentials | Get a temporary cluster credential for the specified redshift user | Write | |||
GetReservedNodeExchangeOfferings | Returns an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node | Read | |||
JoinGroup | Give permission to join the specified redshift groups | Permissions management | |||
ListDatabases [permission only] | Give permission to List Databases through Redshift Query Editor | List | |||
ListSavedQueries [permission only] | Give permission to List Saved Queries through Redshift Saved Queries | List | |||
ListSchemas [permission only] | Give permission to List Schemas through Redshift Query Editor | List | |||
ListTables [permission only] | Give permission to List Tables through Redshift Query Editor | List | |||
ModifyCluster | Modifies the settings for a cluster | Write | |||
ModifyClusterDbRevision | Enables the user to modify the database revision of a cluster | Write | |||
ModifyClusterIamRoles | Modifies the list of AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services | Permissions management | |||
ModifyClusterMaintenance | Enables the user to modify the maintenance settings of a cluster | Write | |||
ModifyClusterParameterGroup | Modifies the parameters of a parameter group | Write | |||
ModifyClusterSnapshot | Modifies the settings for a snapshot | Write | |||
ModifyClusterSnapshotSchedule | Modifies the snapshot schedule settings for a cluster | Write | |||
ModifyClusterSubnetGroup | Modifies a cluster subnet group to include the specified list of VPC subnets | Write | |||
ModifyEventSubscription | Modifies an existing Amazon Redshift event notification subscription | Write | |||
ModifySavedQuery [permission only] | Give permission to Modify existing Saved Queries through Redshift Saved Queries | Write | |||
ModifyScheduledAction | Modifies an existing Amazon Redshift scheduled action | Write | |||
ModifySnapshotCopyRetentionPeriod | Modifies the number of days to retain automated snapshots in the destination region after they are copied from the source region | Write | |||
ModifySnapshotSchedule | Modifies the given snapshot schedule | Write | |||
PurchaseReservedNodeOffering | Allows you to purchase reserved nodes. Amazon Redshift offers a predefined set of reserved node offerings | Write | |||
RebootCluster | Reboots a cluster | Write | |||
ResetClusterParameterGroup | Sets one or more parameters of the specified parameter group to their default values and sets the source values of the parameters to "engine-default" | Write | |||
ResizeCluster | Changes the size of the cluster. You can change the cluster's type, or change the number or type of nodes | Write | |||
RestoreFromClusterSnapshot | Creates a new cluster from a snapshot | Write | |||
RestoreTableFromClusterSnapshot | Creates a new table from a table in an Amazon Redshift cluster snapshot | Write | |||
RevokeClusterSecurityGroupIngress | Revokes an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group | Permissions management | |||
RevokeSnapshotAccess | Removes the ability of the specified AWS customer account to restore the specified snapshot | Permissions management | |||
RotateEncryptionKey | Rotates the encryption keys for a cluster | Permissions management | |||
ViewQueriesFromConsole [permission only] | Give permission to View Query Results From Console through Redshift Query Editor | List | |||
ViewQueriesInConsole [permission only] | Controls whether a user can terminate running queries and loads from the Cluster section in the Amazon Redshift console. | List | |||
The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.
Resource Types | ARN | Condition Keys |
---|---|---|
cluster | `arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}` | |
dbgroup | `arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup}` | |
dbname | `arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName}` | |
dbuser | `arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser}` | |
eventsubscription | `arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName}` | |
hsmclientcertificate | `arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId}` | |
hsmconfiguration | `arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId}` | |
parametergroup | `arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName}` | |
securitygroup | `arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}` | |
securitygroupingress-cidr | `arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}` | |
securitygroupingress-ec2securitygroup | `arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}` | |
snapshot | `arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName}` | |
snapshotcopygrant | `arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName}` | |
snapshotschedule | `arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName}` | |
subnetgroup | `arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName}` | |
Amazon Redshift defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
Condition Keys | Description | Type |
---|---|---|
redshift:DbName | Control access based on the database name. | String |
redshift:DbUser | Control access based on the database user name. | String |
redshift:DurationSeconds | Control access based on the number of seconds until a temporary credential set expires. | String |
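Added example (not from this page or from AWS): a small least-privilege review script that ties the three tables together. It fills the page's ARN templates for the `dbuser`, `dbname` and `dbgroup` resource types, and walks a policy document reporting every `Allow` of an action the actions table rates as "Permissions management", flagging those granted on `"*"`. The sample policy, the pairing of `redshift:GetClusterCredentials` with those resource types, and the condition operator used with `redshift:DurationSeconds` are assumptions for illustration.

```python
import fnmatch

# Access levels copied from the actions table on this page. "Permissions management"
# actions change who can reach clusters, snapshots and database objects, so an Allow
# on them deserves the tightest resource scoping a reviewer can justify.
PERMISSIONS_MANAGEMENT = {
    "redshift:AuthorizeClusterSecurityGroupIngress", "redshift:AuthorizeSnapshotAccess",
    "redshift:CreateClusterUser", "redshift:CreateSnapshotCopyGrant", "redshift:JoinGroup",
    "redshift:ModifyClusterIamRoles", "redshift:RevokeClusterSecurityGroupIngress",
    "redshift:RevokeSnapshotAccess", "redshift:RotateEncryptionKey",
}

def redshift_arn(resource_type, name, region, account, partition="aws"):
    """Fill one of the ARN templates from the resource types table on this page."""
    return f"arn:{partition}:redshift:{region}:{account}:{resource_type}:{name}"

def expand(pattern):
    """Match one Action entry (IAM allows * and ?, case-insensitively) against the set."""
    return {a for a in PERMISSIONS_MANAGEMENT if fnmatch.fnmatchcase(a.lower(), pattern.lower())}

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy):
    """Return (Sid, action, unscoped) for every Allow of a Permissions-management action.
    unscoped is True when Resource is "*"; the page notes some actions accept only "*",
    so read these rows as a triage queue for least-privilege review, not a verdict."""
    rows = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in as_list(stmt.get("Resource"))
        for pattern in as_list(stmt.get("Action")):
            for action in sorted(expand(pattern)):
                rows.append((stmt.get("Sid", "<no Sid>"), action, unscoped))
    return rows

# Constructed sample (not from the page). Statement 1 uses the page's dbuser/dbname/
# dbgroup templates and its redshift:DurationSeconds key (the condition operator
# paired with that key is an assumption); statement 2 is the over-broad form.
ACCT, REGION = "111122223333", "us-east-1"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScopedTempCreds", "Effect": "Allow",
         "Action": ["redshift:GetClusterCredentials", "redshift:JoinGroup"],
         "Resource": [redshift_arn("dbuser", "examplecluster/analyst", REGION, ACCT),
                      redshift_arn("dbname", "examplecluster/reports", REGION, ACCT),
                      redshift_arn("dbgroup", "examplecluster/readers", REGION, ACCT)],
         "Condition": {"NumericLessThanEquals": {"redshift:DurationSeconds": "900"}}},
        {"Sid": "Overbroad", "Effect": "Allow", "Action": "redshift:*", "Resource": "*"},
    ],
}
```

`review_policy(SAMPLE_POLICY)` returns one scoped row for `JoinGroup` in the first statement and nine unscoped rows for the `redshift:*` statement, which is the list a reviewer would work through before approving the policy.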