Actions, Resources, and Condition Keys for Amazon Redshift - AWS Identity and Access Management

Amazon Redshift (service prefix: redshift) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Redshift

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource Types column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can include an ARN of that type in the statement or leave it out.

For details about the columns in the following table, see The Actions Table.

| Action | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AcceptReservedNodeExchange | Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration | Write | | | |
| AuthorizeClusterSecurityGroupIngress | Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group | Permissions management | securitygroup*, securitygroupingress-ec2securitygroup* | | |
| AuthorizeSnapshotAccess | Grants permission to the specified AWS account to restore a snapshot | Permissions management | snapshot* | | |
| BatchDeleteClusterSnapshots | Grants permission to delete snapshots in a batch of size up to 100 | Write | snapshot* | | |
| BatchModifyClusterSnapshots | Grants permission to modify settings for a list of snapshots | Write | snapshot* | | |
| CancelQuery [permission only] | Grants permission to cancel a query through the Amazon Redshift console | Write | | | |
| CancelQuerySession [permission only] | Grants permission to see queries in the Amazon Redshift console | Write | | | |
| CancelResize | Grants permission to cancel a resize operation | Write | cluster* | | |
| CopyClusterSnapshot | Grants permission to copy a cluster snapshot | Write | snapshot* | | |
| CreateCluster | Grants permission to create a cluster | Write | cluster* | | |
| CreateClusterParameterGroup | Grants permission to create an Amazon Redshift parameter group | Write | parametergroup* | | |
| CreateClusterSecurityGroup | Grants permission to create an Amazon Redshift security group | Write | securitygroup* | | |
| CreateClusterSnapshot | Grants permission to create a manual snapshot of the specified cluster | Write | snapshot* | | |
| CreateClusterSubnetGroup | Grants permission to create an Amazon Redshift subnet group | Write | subnetgroup* | | |
| CreateClusterUser | Grants permission to automatically create the specified Amazon Redshift user if it does not exist | Permissions management | dbuser* | redshift:DbUser | |
| CreateEventSubscription | Grants permission to create an Amazon Redshift event notification subscription | Write | eventsubscription* | | |
| CreateHsmClientCertificate | Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM | Write | hsmclientcertificate* | | |
| CreateHsmConfiguration | Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM) | Write | hsmconfiguration* | | |
| CreateSavedQuery [permission only] | Grants permission to create saved SQL queries through the Amazon Redshift console | Write | | | |
| CreateScheduledAction | Grants permission to create an Amazon Redshift scheduled action | Write | | | |
| CreateSnapshotCopyGrant | Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region | Permissions management | snapshotcopygrant* | | |
| CreateSnapshotSchedule | Grants permission to create a snapshot schedule | Write | snapshotschedule* | | |
| CreateTags | Grants permission to add one or more tags to a specified resource | Tagging | | | |
| DeleteCluster | Grants permission to delete a previously provisioned cluster | Write | cluster* | | |
| DeleteClusterParameterGroup | Grants permission to delete an Amazon Redshift parameter group | Write | parametergroup* | | |
| DeleteClusterSecurityGroup | Grants permission to delete an Amazon Redshift security group | Write | securitygroup* | | |
| DeleteClusterSnapshot | Grants permission to delete a manual snapshot | Write | snapshot* | | |
| DeleteClusterSubnetGroup | Grants permission to delete a cluster subnet group | Write | subnetgroup* | | |
| DeleteEventSubscription | Grants permission to delete an Amazon Redshift event notification subscription | Write | eventsubscription* | | |
| DeleteHsmClientCertificate | Grants permission to delete an HSM client certificate | Write | hsmclientcertificate* | | |
| DeleteHsmConfiguration | Grants permission to delete an Amazon Redshift HSM configuration | Write | hsmconfiguration* | | |
| DeleteSavedQueries [permission only] | Grants permission to delete saved SQL queries through the Amazon Redshift console | Write | | | |
| DeleteScheduledAction | Grants permission to delete an Amazon Redshift scheduled action | Write | | | |
| DeleteSnapshotCopyGrant | Grants permission to delete a snapshot copy grant | Write | snapshotcopygrant* | | |
| DeleteSnapshotSchedule | Grants permission to delete a snapshot schedule | Write | snapshotschedule* | | |
| DeleteTags | Grants permission to delete a tag or tags from a resource | Tagging | | | |
| DescribeAccountAttributes | Grants permission to describe attributes attached to the specified AWS account | Read | | | |
| DescribeClusterDbRevisions | Grants permission to describe database revisions for a cluster | List | | | |
| DescribeClusterParameterGroups | Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group | Read | | | |
| DescribeClusterParameters | Grants permission to describe parameters contained within an Amazon Redshift parameter group | Read | parametergroup* | | |
| DescribeClusterSecurityGroups | Grants permission to describe Amazon Redshift security groups | Read | | | |
| DescribeClusterSnapshots | Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots | Read | | | |
| DescribeClusterSubnetGroups | Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups | Read | | | |
| DescribeClusterTracks | Grants permission to describe available maintenance tracks | List | | | |
| DescribeClusterVersions | Grants permission to describe available Amazon Redshift cluster versions | Read | | | |
| DescribeClusters | Grants permission to describe properties of provisioned clusters | List | | | |
| DescribeDefaultClusterParameters | Grants permission to describe parameter settings for a parameter group family | Read | | | |
| DescribeEventCategories | Grants permission to describe event categories for all event source types, or for a specified source type | Read | | | |
| DescribeEventSubscriptions | Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account | Read | | | |
| DescribeEvents | Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days | List | | | |
| DescribeHsmClientCertificates | Grants permission to describe HSM client certificates | Read | | | |
| DescribeHsmConfigurations | Grants permission to describe Amazon Redshift HSM configurations | Read | | | |
| DescribeLoggingStatus | Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster | Read | cluster* | | |
| DescribeNodeConfigurationOptions | Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type | List | | | |
| DescribeOrderableClusterOptions | Grants permission to describe orderable cluster options | Read | | | |
| DescribeQuery [permission only] | Grants permission to describe a query through the Amazon Redshift console | Read | | | |
| DescribeReservedNodeOfferings | Grants permission to describe available reserved node offerings by Amazon Redshift | Read | | | |
| DescribeReservedNodes | Grants permission to describe the reserved nodes | Read | | | |
| DescribeResize | Grants permission to describe the last resize operation for a cluster | Read | cluster* | | |
| DescribeSavedQueries [permission only] | Grants permission to describe saved queries through the Amazon Redshift console | Read | | | |
| DescribeScheduledActions | Grants permission to describe created Amazon Redshift scheduled actions | Read | | | |
| DescribeSnapshotCopyGrants | Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region | Read | | | |
| DescribeSnapshotSchedules | Grants permission to describe snapshot schedules | Read | snapshotschedule* | | |
| DescribeStorage | Grants permission to describe account level backups storage size and provisional storage | Read | | | |
| DescribeTable [permission only] | Grants permission to describe a table through the Amazon Redshift console | Read | | | |
| DescribeTableRestoreStatus | Grants permission to describe status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action | Read | | | |
| DescribeTags | Grants permission to describe tags | Read | | | |
| DisableLogging | Grants permission to disable logging information, such as queries and connection attempts, for a cluster | Write | cluster* | | |
| DisableSnapshotCopy | Grants permission to disable the automatic copy of snapshots for a cluster | Write | cluster* | | |
| EnableLogging | Grants permission to enable logging information, such as queries and connection attempts, for a cluster | Write | cluster* | | |
| EnableSnapshotCopy | Grants permission to enable the automatic copy of snapshots for a cluster | Write | cluster* | | |
| ExecuteQuery [permission only] | Grants permission to execute a query through the Amazon Redshift console | Write | | | |
| FetchResults [permission only] | Grants permission to fetch query results through the Amazon Redshift console | Read | | | |
| GetClusterCredentials | Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account | Write | dbuser*, dbgroup, dbname | redshift:DbName, redshift:DbUser, redshift:DurationSeconds | |
| GetReservedNodeExchangeOfferings | Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node | Read | | | |
| JoinGroup | Grants permission to join the specified Amazon Redshift group | Permissions management | dbgroup* | | |
| ListDatabases [permission only] | Grants permission to list databases through the Amazon Redshift console | List | | | |
| ListSavedQueries [permission only] | Grants permission to list saved queries through the Amazon Redshift console | List | | | |
| ListSchemas [permission only] | Grants permission to list schemas through the Amazon Redshift console | List | | | |
| ListTables [permission only] | Grants permission to list tables through the Amazon Redshift console | List | | | |
| ModifyCluster | Grants permission to modify the settings of a cluster | Write | cluster* | | |
| ModifyClusterDbRevision | Grants permission to modify the database revision of a cluster | Write | cluster* | | |
| ModifyClusterIamRoles | Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services | Permissions management | cluster* | | |
| ModifyClusterMaintenance | Grants permission to modify the maintenance settings of a cluster | Write | | | |
| ModifyClusterParameterGroup | Grants permission to modify the parameters of a parameter group | Write | parametergroup* | | |
| ModifyClusterSnapshot | Grants permission to modify the settings of a snapshot | Write | snapshot* | | |
| ModifyClusterSnapshotSchedule | Grants permission to modify a snapshot schedule for a cluster | Write | cluster* | | |
| ModifyClusterSubnetGroup | Grants permission to modify a cluster subnet group to include the specified list of VPC subnets | Write | subnetgroup* | | |
| ModifyEventSubscription | Grants permission to modify an existing Amazon Redshift event notification subscription | Write | eventsubscription* | | |
| ModifySavedQuery [permission only] | Grants permission to modify an existing saved query through the Amazon Redshift console | Write | | | |
| ModifyScheduledAction | Grants permission to modify an existing Amazon Redshift scheduled action | Write | | | |
| ModifySnapshotCopyRetentionPeriod | Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region | Write | cluster* | | |
| ModifySnapshotSchedule | Grants permission to modify a snapshot schedule | Write | snapshotschedule* | | |
| PauseCluster | Grants permission to pause a cluster | Write | cluster* | | |
| PurchaseReservedNodeOffering | Grants permission to purchase a reserved node | Write | | | |
| RebootCluster | Grants permission to reboot a cluster | Write | cluster* | | |
| ResetClusterParameterGroup | Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to "engine-default" | Write | parametergroup* | | |
| ResizeCluster | Grants permission to change the size of a cluster | Write | cluster* | | |
| RestoreFromClusterSnapshot | Grants permission to create a cluster from a snapshot | Write | snapshot* | | |
| RestoreTableFromClusterSnapshot | Grants permission to create a table from a table in an Amazon Redshift cluster snapshot | Write | cluster*, snapshot* | | |
| ResumeCluster | Grants permission to resume a cluster | Write | cluster* | | |
| RevokeClusterSecurityGroupIngress | Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group | Permissions management | securitygroup*, securitygroupingress-ec2securitygroup* | | |
| RevokeSnapshotAccess | Grants permission to revoke access from the specified AWS account to restore a snapshot | Permissions management | snapshot* | | |
| RotateEncryptionKey | Grants permission to rotate an encryption key for a cluster | Permissions management | cluster* | | |
| ViewQueriesFromConsole [permission only] | Grants permission to view query results through the Amazon Redshift console | List | | | |
| ViewQueriesInConsole [permission only] | Grants permission to terminate running queries and loads through the Amazon Redshift console | List | | | |

Resource Types Defined by Amazon Redshift

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Type | ARN | Condition Keys |
|---|---|---|
| cluster | arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName} | |
| dbgroup | arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup} | |
| dbname | arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName} | |
| dbuser | arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser} | |
| eventsubscription | arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName} | |
| hsmclientcertificate | arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId} | |
| hsmconfiguration | arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId} | |
| parametergroup | arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName} | |
| securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | |
| securitygroupingress-cidr | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange} | |
| securitygroupingress-ec2securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | |
| snapshot | arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName} | |
| snapshotcopygrant | arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName} | |
| snapshotschedule | arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName} | |
| subnetgroup | arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName} | |

Condition Keys for Amazon Redshift

Amazon Redshift defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Key | Description | Type |
|---|---|---|
| redshift:DbName | Filters access by the database name | String |
| redshift:DbUser | Filters access by the database user name | String |
| redshift:DurationSeconds | Filters access by the number of seconds until a temporary credential set expires | String |
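A least-privilege identity policy that combines the GetClusterCredentials, CreateClusterUser and JoinGroup rows of the actions table with the dbuser, dbname and dbgroup ARN formats from the resource table. This is an added example, not part of the AWS page; the account ID, Region, cluster name, database user, database name and group name are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TempCredsForOneUserOnOneDatabase",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-east-1:111122223333:dbuser:examplecluster/etl_user",
        "arn:aws:redshift:us-east-1:111122223333:dbname:examplecluster/analytics"
      ]
    },
    {
      "Sid": "AutoCreateOnlyThatUser",
      "Effect": "Allow",
      "Action": "redshift:CreateClusterUser",
      "Resource": "arn:aws:redshift:us-east-1:111122223333:dbuser:examplecluster/etl_user"
    },
    {
      "Sid": "JoinOnlyTheReadOnlyGroup",
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:us-east-1:111122223333:dbgroup:examplecluster/readonly_group"
    }
  ]
}
```

Because dbname and dbgroup are optional resource types for GetClusterCredentials, a statement that names only the dbuser ARN would allow temporary credentials for every database on examplecluster; adding the dbname ARN restricts it to the analytics database, and the separate JoinGroup statement bounds which group the session can be placed in.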