AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Redshift

Amazon Redshift (service prefix: redshift) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Redshift

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Action | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AuthorizeClusterSecurityGroupIngress | Adds an inbound (ingress) rule to an Amazon Redshift security group | Permissions management | securitygroup*, securitygroupingress-ec2securitygroup* | - | -
AuthorizeSnapshotAccess | Authorizes the specified AWS customer account to restore the specified snapshot | Permissions management | snapshot* | - | -
CancelQuerySession | [permission only] Controls whether a user can see queries in the Amazon Redshift console in the Queries tab of the Cluster section | Write | - | - | -
CopyClusterSnapshot | Copies the specified automated cluster snapshot to a new manual cluster snapshot | Write | snapshot* | - | -
CreateCluster | Creates a new cluster | Write | cluster* | - | -
CreateClusterParameterGroup | Creates an Amazon Redshift parameter group | Write | parametergroup* | - | -
CreateClusterSecurityGroup | Creates a new Amazon Redshift security group | Write | securitygroup* | - | -
CreateClusterSnapshot | Creates a manual snapshot of the specified cluster | Write | snapshot* | - | -
CreateClusterSubnetGroup | Creates a new Amazon Redshift subnet group | Write | subnetgroup* | - | -
CreateClusterUser | Grants permission to auto-create the specified Redshift database user if it does not exist | Permissions management | dbuser* | redshift:DbUser | -
CreateEventSubscription | Creates an Amazon Redshift event notification subscription | Write | eventsubscription* | - | -
CreateHsmClientCertificate | Creates an HSM client certificate that an Amazon Redshift cluster will use to connect to the client's HSM in order to store and retrieve the keys used to encrypt the cluster databases | Write | hsmclientcertificate* | - | -
CreateHsmConfiguration | Creates an HSM configuration that contains the information required by an Amazon Redshift cluster to store and use database encryption keys in a Hardware Security Module (HSM) | Write | hsmconfiguration* | - | -
CreateSnapshotCopyGrant | Creates a snapshot copy grant that permits Amazon Redshift to use a customer master key (CMK) from AWS Key Management Service (AWS KMS) to encrypt copied snapshots in a destination region | Permissions management | snapshotcopygrant* | - | -
CreateTags | Adds one or more tags to a specified resource | Tagging Write | - | - | -
DeleteCluster | Deletes a previously provisioned cluster | Write | cluster* | - | -
DeleteClusterParameterGroup | Deletes a specified Amazon Redshift parameter group | Write | parametergroup* | - | -
DeleteClusterSecurityGroup | Deletes an Amazon Redshift security group | Write | securitygroup* | - | -
DeleteClusterSnapshot | Deletes the specified manual snapshot | Write | snapshot* | - | -
DeleteClusterSubnetGroup | Deletes the specified cluster subnet group | Write | subnetgroup* | - | -
DeleteEventSubscription | Deletes an Amazon Redshift event notification subscription | Write | eventsubscription* | - | -
DeleteHsmClientCertificate | Deletes the specified HSM client certificate | Write | hsmclientcertificate* | - | -
DeleteHsmConfiguration | Deletes the specified Amazon Redshift HSM configuration | Write | hsmconfiguration* | - | -
DeleteSnapshotCopyGrant | Deletes the specified snapshot copy grant | Write | snapshotcopygrant* | - | -
DeleteTags | Deletes a tag or tags from a resource | Tagging Write | - | - | -
DescribeClusterParameterGroups | Returns a list of Amazon Redshift parameter groups, including parameter groups you created and the default parameter group | Read Write | - | - | -
DescribeClusterParameters | Returns a detailed list of parameters contained within the specified Amazon Redshift parameter group | Read Write | parametergroup* | - | -
DescribeClusterSecurityGroups | Returns information about Amazon Redshift security groups | Read Write | - | - | -
DescribeClusterSnapshots | Returns one or more snapshot objects, which contain metadata about your cluster snapshots | Read Write | - | - | -
DescribeClusterSubnetGroups | Returns one or more cluster subnet group objects, which contain metadata about your cluster subnet groups | Read Write | - | - | -
DescribeClusterVersions | Returns descriptions of the available Amazon Redshift cluster versions | Read Write | - | - | -
DescribeClusters | Returns properties of provisioned clusters, including general cluster properties, cluster database properties, maintenance and backup properties, and security and access properties | List Read Write | - | - | -
DescribeDefaultClusterParameters | Returns a list of parameter settings for the specified parameter group family | Read Write | - | - | -
DescribeEventCategories | Displays a list of event categories for all event source types, or for a specified source type | Read Write | - | - | -
DescribeEventSubscriptions | Lists descriptions of all the Amazon Redshift event notification subscriptions for a customer account | Read Write | - | - | -
DescribeEvents | Returns events related to clusters, security groups, snapshots, and parameter groups for the past 14 days | List Read Write | - | - | -
DescribeHsmClientCertificates | Returns information about the specified HSM client certificate | Read Write | - | - | -
DescribeHsmConfigurations | Returns information about the specified Amazon Redshift HSM configuration | Read Write | - | - | -
DescribeLoggingStatus | Describes whether information, such as queries and connection attempts, is being logged for the specified Amazon Redshift cluster | Read Write | cluster* | - | -
DescribeOrderableClusterOptions | Returns a list of orderable cluster options | Read Write | - | - | -
DescribeReservedNodeOfferings | Returns a list of the reserved node offerings available from Amazon Redshift, with their descriptions, including the node type, the fixed and recurring costs of reserving the node, and the duration for which the node will be reserved for you | Read Write | - | - | -
DescribeReservedNodes | Returns the descriptions of the reserved nodes | Read Write | - | - | -
DescribeResize | Returns information about the last resize operation for the specified cluster | Read Write | cluster* | - | -
DescribeSnapshotCopyGrants | Returns a list of snapshot copy grants owned by the AWS account in the destination region | Read Write | - | - | -
DescribeTableRestoreStatus | Lists the status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action | Read Write | - | - | -
DescribeTags | Returns a list of tags | Read Write | - | - | -
DisableLogging | Stops logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster | Write | cluster* | - | -
DisableSnapshotCopy | Disables the automatic copying of snapshots from one region to another region for a specified cluster | Write | cluster* | - | -
EnableLogging | Starts logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster | Write | cluster* | - | -
EnableSnapshotCopy | Enables the automatic copying of snapshots from one region to another region for a specified cluster | Write | cluster* | - | -
GetClusterCredentials | Gets temporary cluster credentials for the specified Redshift database user | Read Write | dbuser*, dbgroup, dbname | redshift:DbName, redshift:DbUser, redshift:DurationSeconds | -
JoinGroup | Grants permission to join the specified Redshift database groups | Permissions management | dbgroup* | - | -
ModifyCluster | Modifies the settings for a cluster | Write | cluster* | - | -
ModifyClusterIamRoles | Modifies the list of AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services | Permissions management | cluster* | - | -
ModifyClusterParameterGroup | Modifies the parameters of a parameter group | Write | parametergroup* | - | -
ModifyClusterSubnetGroup | Modifies a cluster subnet group to include the specified list of VPC subnets | Write | subnetgroup* | - | -
ModifyEventSubscription | Modifies an existing Amazon Redshift event notification subscription | Write | eventsubscription* | - | -
ModifySnapshotCopyRetentionPeriod | Modifies the number of days to retain automated snapshots in the destination region after they are copied from the source region | Write | cluster* | - | -
PurchaseReservedNodeOffering | Allows you to purchase reserved nodes; Amazon Redshift offers a predefined set of reserved node offerings | Write | - | - | -
RebootCluster | Reboots a cluster | Write | cluster* | - | -
ResetClusterParameterGroup | Sets one or more parameters of the specified parameter group to their default values and sets the source values of the parameters to "engine-default" | Write | parametergroup* | - | -
RestoreFromClusterSnapshot | Creates a new cluster from a snapshot | Write | snapshot* | - | -
RestoreTableFromClusterSnapshot | Creates a new table from a table in an Amazon Redshift cluster snapshot | Write | cluster*, snapshot* | - | -
RevokeClusterSecurityGroupIngress | Revokes an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group | Permissions management | securitygroup*, securitygroupingress-ec2securitygroup* | - | -
RevokeSnapshotAccess | Removes the ability of the specified AWS customer account to restore the specified snapshot | Permissions management | snapshot* | - | -
RotateEncryptionKey | Rotates the encryption keys for a cluster | Permissions management | cluster* | - | -
ViewQueriesInConsole | [permission only] Controls whether a user can terminate running queries and loads from the Cluster section in the Amazon Redshift console | List Read Write | - | - | -

Resources Defined by Amazon Redshift

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Type | ARN | Condition Keys
cluster | arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName} | -
dbgroup | arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup} | -
dbname | arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName} | -
dbuser | arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser} | -
eventsubscription | arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName} | -
hsmclientcertificate | arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId} | -
hsmconfiguration | arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId} | -
parametergroup | arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName} | -
securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | -
securitygroupingress-cidr | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange} | -
securitygroupingress-ec2securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | -
snapshot | arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName} | -
snapshotcopygrant | arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName} | -
subnetgroup | arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName} | -

Condition Keys for Amazon Redshift

Amazon Redshift defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Key | Description | Type
redshift:DbName | Control access based on the database name. | String
redshift:DbUser | Control access based on the database user name. | String
redshift:DurationSeconds | Control access based on the number of seconds until a temporary credential set expires. | String
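As an added illustration (not taken from the AWS documentation), the following IAM policy combines the GetClusterCredentials, CreateClusterUser and JoinGroup actions from the Actions table with the dbuser, dbname and dbgroup ARN formats and the redshift:DbUser, redshift:DbName and redshift:DurationSeconds condition keys, so that a principal can obtain only short-lived credentials for one named database user, one database and one group. The account ID 111122223333, the region, the cluster name example-cluster, the database analytics, the user report_reader, the group readonly and the 900-second limit are constructed placeholder values; comparing the String-typed DurationSeconds key with NumericLessThanEquals is an assumption about how the key is evaluated.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ShortLivedCredentialsForOneUser",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-east-1:111122223333:dbuser:example-cluster/report_reader",
        "arn:aws:redshift:us-east-1:111122223333:dbname:example-cluster/analytics",
        "arn:aws:redshift:us-east-1:111122223333:dbgroup:example-cluster/readonly"
      ],
      "Condition": {
        "StringEquals": {
          "redshift:DbUser": "report_reader",
          "redshift:DbName": "analytics"
        },
        "NumericLessThanEquals": {
          "redshift:DurationSeconds": "900"
        }
      }
    },
    {
      "Sid": "AutoCreateOnlyThatUser",
      "Effect": "Allow",
      "Action": "redshift:CreateClusterUser",
      "Resource": "arn:aws:redshift:us-east-1:111122223333:dbuser:example-cluster/report_reader",
      "Condition": {
        "StringEquals": {
          "redshift:DbUser": "report_reader"
        }
      }
    },
    {
      "Sid": "JoinOnlyTheReadonlyGroup",
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:us-east-1:111122223333:dbgroup:example-cluster/readonly"
    }
  ]
}
```

A request that names a different database user, database or group, or that asks for credentials valid longer than 900 seconds, matches none of these statements and is therefore denied by default.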